IE Settings GPO

Posted on 2009-12-19
Last Modified: 2012-05-08
I'm curious as to which is the best route to take for IE settings in an enterprise environment.

We curently have IE settings in one GPO that contain both user and computer settings. The user settings contain the trusted sites ( exc via IE Maintenance.

Is it not best practice to use IE Maintenance for these types of IE settings or is the trusted sites exc better off being migrated to the computer side?  Any caveats or things I should know? Not looking forward to any surprises later down the road.

Thanks guys/girls :)
Question by:snyderkv
    LVL 24

    Accepted Solution

    There is nothing called best settings,it always depends on the requirement.
    If you want to apply the restricted setting to no of user its better to configure in user configuration.
    If you have Karox machine & you want policy to apply independent of who logs into the system,compute configration in GPO has to be configured.
    If you want similar policy to apply on system independent of user who is having high privilege account,loop back policy is the answer.

    Author Comment

    Can you explain the loopback policy option a little better? Currently with my computer based settings, not even Domain Admins can change settings. That can get kinda frusterating. Without GPO filtering would loopback processing fix this?
    LVL 31

    Assisted Solution

    by:Henrik Johansson
    Loopback processing mentioned is used to let user configuration settings applied when linking GPO to OU containing computer objects instead of user objects. It's primary used for restricting special computers like kiosk computers or terminal servers that is special compared to user's normal client computers.

    To get rid of the problem of domain admins affected by the GPO, either link the GPO containing user configuration settings to OU-structure that doesn't contain the admin users or configure security filteirng on the GPO to restrict what users are allowed/denied the permission to apply the policy.
     The default permissions on GPOs are to allow 'Authenticated Users' group including both computers and users to allow applying the policy.
    To make it easier to handle permissions on GPOs, separate user and computer configuration settings into separate GPOs.

    Author Comment

    Cool thanks, I want to note that we have loopback processing turned off for a reason. What effect does this have in the situation you described?
    LVL 31

    Expert Comment

    by:Henrik Johansson
    Loopback processing configuration doesn't matter when having computer configuration settings configured.
    Disabling loopback processing makes it necessary for GPOs with user configuration settings to be linked to OU-structure containing user objects.
    Enabling loopback processing will make it possibly to link GPO with user configuration settings to OU-structure containing computer objects. Using merge method, it loads user-GPOs linked to both user-OU and computer-OU and let computer-OU's GPO override if there's a conflict. If using replace method, it will ignore the GPO linked to user-OU.

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Join & Write a Comment

    Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
    Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now