IE security-related settings configured by GPO do work

Posted on 2011-04-19
Medium Priority
Last Modified: 2012-05-11

I am running a Active Directory domain with several Windows Server 2008 R2 domain controllers. I am trying to configure the "Include local drectory path when uploading files to a server' for the 'Internet' Zone and set it to 'enabled'. Default is 'disabled'.
 The setting can be found  in IE under Tools --> 'Security' Tab --> Internet --> Custom level under the 'Micellaneous' settings.

So I created a GPO and configured the setting under User Configuration --> Policies --> Windows Settings --> Internet Explorer Maintenance  --> Security --> Security Zones and Content Ratings. The I clicked on 'Modify Settings' in the 'Security Zones and Privay' settings. This is when IE opens and then the changes you do to your local installation in IE will be transfered into the GPO.

But for some reason it does not seem to work for the "Include local drectory path when uploading files to a server'. I configured the GPO as described and set the setting to 'enabled'. I linked the GPO it to a test OU, disabed inheritance for the OU and moved a test machine into this OU. I change the settings in IE manually, run a gpupdate /force and when I log back in then the setting is being changed again to 'disabled'.

To make a long story short. Is it possible that this setting simply cannot be set through a GPO? Because when I look into the GPO settings then the settings does not show up. See screenshot. If that is the case why is the setting then being overwritten when i run a gpupdate /force?
Question by:Mc2102
  • 3
  • 2

Accepted Solution

MichaelDahlke earned 2000 total points
ID: 35428109
These look like user confiuration settings, place the user in the test ou and do a gpupdate /force. This dhould correct the issue.

Author Comment

ID: 35428187

I am stupid and you are a genius. That was absolutly the issue.

But this actually leads to another question. Since these settings are being imported from the local IE settings, and let imagine I want to enable this setting only for some users how do I ensure that the setting is not being overwritten when another change is being made to the GPO from another domain controller by another user which has this setting for example disabled?

Thank you

Expert Comment

ID: 35428506
You just need to look at GPO prededence to ensure another GPO that defines the same settings is not over ridding your IE settings. If you are using GPMC to manage Group Policy, go to the test OU where you applied the IE settings and go to the Group Policy Inheritence and check what number your IE settings are, you can move the GPO up as needed. If it's the number 1 GPO those settings will override any GPO below that with the same settings.

Author Comment

ID: 35428546

We are missunderstanding each other. I understand all of what you wrote above. But lets imagine we have two admins. One has the setting in his browser enabled and the other one doesn't. If now the admin without the setting logs into any of the DCs and imports his IE settings into IE then the setting will be disabled again as soon he closes GPMC.

I hope this makes sense. When you open the GPO and you go to User Configuration --> Policies --> Windows Settings --> Internet Explorer Maintenance  --> Security --> Security Zones and Content Ratings and you clicked on 'Modify Settings' in the 'Security Zones and Privay' section then the local IE is being opened and the settings of your local IE are being imported into the OU.

Expert Comment

ID: 35428612
Are both of the users in the test ou? if not where is the other admin is AD? Do you have sub OU's in the test Ou with that admin account? If the user is not in the test OU or in a sub OU of the test OU there is no way for that user to apply the IE settings without making the settings via local group policy. By default GPO's refresh every 90 minutes, so lets say the user defined his own IE settings, when the user's machine refreshes his GPO's the local settings will be replaced by whatever is defined in your IE settings GPO. Hopefully that makes sense.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question