Mc2102 asked:

IE security-related settings configured by GPO do work

Hello,

I am running an Active Directory domain with several Windows Server 2008 R2 domain controllers. I am trying to configure the 'Include local directory path when uploading files to a server' setting for the 'Internet' zone and set it to 'enabled'. Default is 'disabled'.
The setting can be found in IE under Tools --> 'Security' tab --> Internet --> Custom level, under the 'Miscellaneous' settings.

So I created a GPO and configured the setting under User Configuration --> Policies --> Windows Settings --> Internet Explorer Maintenance --> Security --> Security Zones and Content Ratings. Then I clicked on 'Modify Settings' in the 'Security Zones and Privacy' settings. This is when IE opens, and then the changes you make to your local installation in IE will be transferred into the GPO.

But for some reason it does not seem to work for the 'Include local directory path when uploading files to a server' setting. I configured the GPO as described and set the setting to 'enabled'. I linked the GPO to a test OU, disabled inheritance for the OU and moved a test machine into this OU. I change the settings in IE manually, run a gpupdate /force, and when I log back in the setting has been changed again to 'disabled'.

To make a long story short: is it possible that this setting simply cannot be set through a GPO? Because when I look into the GPO settings, the setting does not show up. See screenshot. If that is the case, why is the setting then being overwritten when I run a gpupdate /force?
GPO-Settings.jpg
ASKER CERTIFIED SOLUTION by MichaelDahlke (this solution is only available to members of Experts Exchange)
Mc2102 (ASKER)

Michael,

I am stupid and you are a genius. That was absolutely the issue.

But this actually leads to another question. Since these settings are being imported from the local IE settings, and let's imagine I want to enable this setting only for some users, how do I ensure that the setting is not overwritten when another change is made to the GPO from another domain controller by another user who has this setting, for example, disabled?

Thank you
Mc2102
MichaelDahlke

You just need to look at GPO precedence to ensure another GPO that defines the same settings is not overriding your IE settings. If you are using GPMC to manage Group Policy, go to the test OU where you applied the IE settings, go to Group Policy Inheritance and check what number your IE settings are; you can move the GPO up as needed. If it's the number 1 GPO, those settings will override any GPO below it with the same settings.
Mc2102 (ASKER)

Michael,

We are misunderstanding each other. I understand all of what you wrote above. But let's imagine we have two admins. One has the setting in his browser enabled and the other one doesn't. If the admin without the setting now logs into any of the DCs and imports his IE settings into the GPO, then the setting will be disabled again as soon as he closes GPMC.

I hope this makes sense. When you open the GPO and go to User Configuration --> Policies --> Windows Settings --> Internet Explorer Maintenance --> Security --> Security Zones and Content Ratings and click on 'Modify Settings' in the 'Security Zones and Privacy' section, the local IE is opened and the settings of your local IE are imported into the GPO.

Are both of the users in the test OU? If not, where is the other admin in AD? Do you have sub-OUs in the test OU with that admin account? If the user is not in the test OU or in a sub-OU of the test OU, there is no way for that user to apply the IE settings without making the settings via local group policy. By default GPOs refresh every 90 minutes, so let's say the user defined his own IE settings: when the user's machine refreshes its GPOs, the local settings will be replaced by whatever is defined in your IE settings GPO. Hopefully that makes sense.
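
To see which value a client actually ends up with after `gpupdate /force`, the setting discussed in this thread can be read directly from the registry. The script below is an added example and is not part of the original thread. It reads URL action `160A` ("Include local directory path when uploading files to a server") for zone 3 (Internet) from the policy and preference hives. The precedence order it uses and its handling of `Security_HKLM_only` are assumptions of this example.

```powershell
# Added diagnostic example (not from the thread).
# URL action 160A = "Include local directory path when uploading files to a server".
# Zone 3 = Internet. Data 0 = Enabled, 3 = Disabled.
$zone    = '3'
$action  = '160A'
$base    = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$meaning = @{ 0 = 'Enabled'; 3 = 'Disabled' }

# Locations in the precedence order assumed by this example:
# machine policy, user policy, user preference, machine preference.
$locations = [ordered]@{
    'HKLM policy'     = "HKLM:\SOFTWARE\Policies\$base\Zones\$zone"
    'HKCU policy'     = "HKCU:\Software\Policies\$base\Zones\$zone"
    'HKCU preference' = "HKCU:\Software\$base\Zones\$zone"
    'HKLM preference' = "HKLM:\SOFTWARE\$base\Zones\$zone"
}

# Assumption: when Security_HKLM_only is 1, per-user zone settings are ignored.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\$base" `
    -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only

$results = foreach ($name in $locations.Keys) {
    $value = (Get-ItemProperty -Path $locations[$name] -Name $action `
        -ErrorAction SilentlyContinue).$action
    [pscustomobject]@{
        Location = $name
        Path     = $locations[$name]
        Raw      = $value
        Setting  = if ($null -eq $value) { 'not set' }
                   elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                   else { "other ($value)" }
    }
}
$results | Format-Table -AutoSize

# The first location that defines the value wins under the assumed order.
$candidates = $results | Where-Object { $null -ne $_.Raw }
if ($hklmOnly -eq 1) {
    $candidates = $candidates | Where-Object { $_.Location -like 'HKLM*' }
}
$effective = $candidates | Select-Object -First 1
if ($effective) { "Effective: $($effective.Setting) from $($effective.Location)" }
else { 'Effective: not set in any location' }
```

Run it as the affected user before and after `gpupdate /force`; a value that flips back shows which hive the GPO is writing to.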