GPO settings for Local Intranet

cwg306
cwg306 used Ask the Experts™
on
Having a weird issue with GPO's on a thin client architecture running windows 2003 enterprise.  Apply a GPO for IE to use local intranet vice internet and gpupdate on the application servers.  The next day only some users are needing to re-authenticate.  I could not replicate this in the lab at all, no matter what options I selected for authentication.  The only odd thing is most of ther servers including the DC are on IE7 and the ap servers are running IE6.  Any one experience anything like this before?  or may know of possible causes?  Thanks in advance for any help.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Have a look at these links:

            http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21939641.html

Note Windows Server 2003 includes a new, optional component named Internet ... Add the sites to the Local intranet zone. To add a site to the Local intranet .... Set advanced settings in Internet Explorer by using Group Policy objects ...
                  http://support.microsoft.com/kb/303650

Author

Commented:
The issue is not how to set it up, but the odd behavior after the fact.  I added the websites to the local intranet sites with intranet authentication and as stated prior some of the users are not authenticating.  Thank you for the response.
Per the link I gave you, the behavior (below) can cause Internet Explorer to prompt you for credentials when you access the intranet Web sites that require authentication.  Do any of them apply to you?

In Microsoft Internet Explorer or in Windows Internet Explorer, you have added the FQDN (or *.domain.com) or the IP address (or the address range) to the Do not use proxy server for addresses beginning with box under the Exceptions section in the Proxy Settings dialog box.

Note To locate the Proxy Settings dialog box in Internet Explorer, click Tools, click Internet Options, click Connections, and then click Proxy Settings.
You have selected the Bypass proxy server for local addresses check box that is on the Local Area Network (LAN) Settings dialog box.

Note To locate the Local Area Network (LAN) Settings dialog box in Internet Explorer, click Tools, click Internet Options, click Connections, and then click Local Area Network (LAN) Settings.
You have selected the Include all sites that bypass the proxy server and Include all network paths (UNCs) check boxes on the Local intranet dialog box.

To locate the Local intranet dialog box in Internet Explorer, click Tools, click Internet Options, click Security, and then click Local intranet.
Try downloading the Best GPO Practices Analyzer applicable to your situation.
                      http://www.dabcc.com/article.aspx?id=5621

Author

Commented:
Ok, Thanks, I will test it out tomorrow as I'm out of the office today.  I will post ASAP tommorow.  

Author

Commented:
I add the server http://hostname to the local intranet sites in a GPO, edit security to "Automatic logon only in Intranet Zone".  This works fine in the lab, but operationaly some users are having to enter their credentials.  I don't have any of the settings from the link you sent, but the symptoms are the same.  Do you think changing the Logon to "Automatic logon with current user name and password" would fix this?  On a side not I cannot put this app you gave me the link to without a CR and explicit permission, so although I can run it in R&D, I don't have the same issue.  Thanks!

Author

Commented:
The GPO Analyzer is pretty awesome though, trying to get approval to install it.  Thanks!
Hi,
<<<I add the server http://hostname to the local intranet sites in a GPO, edit security to "Automatic logon only in Intranet Zone".  This works fine in the lab, but operationaly some users are having to enter their credentials>>

Check the user profile of a user with the problem and compare to profile of users for whom the GPO settings are working correctly.  Maybe it is a permissions issue.

<<<The GPO Analyzer is pretty awesome though, trying to get approval to install it.>>>
The product will run on a workstation as well as on the server, so you can't do too much damage  to your system!!

Author

Commented:
I know the analyzer is harmless, but any changes/installations have to be approved first.  I don't think it will be a problem it does however take time.  If I could troubleshoot more freely I'm sure I could find the issue here.  It's difficult because right now I am trying to help another admin, she said the profiles are the same, but I'm curious and would love to investigate.  As I said I cannot replicate the symptoms in the lab.  Perhaps they are old accounts having the issues?  It would be difficult to migrate the users data, exchange etc., to a new username.  I'm thinking about recommeding using the "Auto login w/ current username/passwd" option and just rebooting DC and AP servers for sanity.  If I can get that app installed I can run it and try to see what the issues are.
Even the other Admin says the profiles are the same, I would verify with my own eyes.  people overlook things.  hen, running he analyzer would be my next step, even if I had to wait awhile.

Author

Commented:
Can you recommend any particular setting diferances to look for which would could cause this type of issue?  Thanks
Do users that with additionsl authentication have a local profile or a roaming profile? Local profile is associated to a specific machine....is user signing on from the machine on which the local profile was created?

Author

Commented:
Although the matter remains unsolved I will grant credit for the useful GPO analyzer and ideas.  Thank you.

Author

Commented:
the solution was not resolved, but the information was useful.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial