Internet Explorer Maintenance GPO

Posted on 2011-04-21
Last Modified: 2012-05-11
I am trying to edit the trusted sites listed in the User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings\Trusted Sites GP. When I open the Security settings it brings up a dialog box asking if I would like to import settings that will only apply to computers that do not have ESC enabled. I do want to do so, so I click Continue and I get the popup window for IE settings. When I browse down to the trusted sites there are none listed, but when I check the settings in GPMC they are all listed there. What is going on? Unfortunately my predecessor applied this GPO to the root of the domain, so it affects basically every user in the company and I need to get this corrected ASAP. Any suggestions? I would think it would be listed so I could remove the unwanted trusted site and it would apply to all users during their regular GP update.
Question by: bullfrog264
    LVL 29

    Expert Comment

    It will not show the entries you make with GPO.  It will also ignore anything the users may enter into the list on their own.  

    So basically once you start doing it with GPO you have to do ALL of it from the GPO and none of what you do is going to be "visible" on the local machine if you go look at it.  The only place you can see what you did is by looking into the GPO itself.  Any settings done manually, locally, will be meaningless and useless.

    Doing this particular thing with GPO is, in my opinion, just plain horrible and nearly worthless.  I stopped doing that one a long long time ago.
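To see what zone assignments are actually in effect on a given client, regardless of whether the IE user interface displays them, you can read the registry directly. The following PowerShell is an added example and is not part of the thread or any Microsoft tool; it walks the well-known ZoneMap locations (the per-user and per-machine Domains and EscDomains keys that Internet Explorer and IE Maintenance write to, and the ZoneMapKey policy key used by the "Site to Zone Assignment List" setting) and lists every site mapped to the Trusted sites zone:

```powershell
# Added example (not from the thread): enumerate the security-zone assignments
# in effect on this client so they can be compared with what the GPO says.
# Zone IDs: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Where zone assignments live:
#  - ZoneMap\Domains     : list that the IE UI and IE Maintenance write to
#  - ZoneMap\EscDomains  : same, but used when Enhanced Security Configuration (ESC) is on
#  - Policies\...\ZoneMapKey : the "Site to Zone Assignment List" policy setting, if used
$domainPaths = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)
$policyPaths = @(
  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
  'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneMapDomains {
  param([string]$Root)
  # Each domain is a subkey; an optional host subkey sits beneath it
  # (e.g. Domains\contoso.com\www). The value names are the protocols
  # (http, https, *) and the DWORD data is the zone number.
  Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key      = $_
    $relative = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
    $parts    = $relative -split '\\'
    $site     = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
    foreach ($valueName in $key.GetValueNames()) {
      [pscustomobject]@{
        Source   = $Root
        Site     = $site
        Protocol = $valueName
        Zone     = $zoneNames[[int]$key.GetValue($valueName)]
      }
    }
  }
}

function Get-ZoneMapKeyPolicy {
  param([string]$Root)
  # ZoneMapKey is flat: the value name is the URL pattern and the data is the
  # zone number stored as a string.
  $item = Get-Item -Path $Root -ErrorAction SilentlyContinue
  if (-not $item) { return }
  foreach ($valueName in $item.GetValueNames()) {
    [pscustomobject]@{
      Source   = $Root
      Site     = $valueName
      Protocol = '(any)'
      Zone     = $zoneNames[[int]$item.GetValue($valueName)]
    }
  }
}

$results = @()
$results += $domainPaths | ForEach-Object { Get-ZoneMapDomains -Root $_ }
$results += $policyPaths | ForEach-Object { Get-ZoneMapKeyPolicy -Root $_ }

# Show only Trusted sites; drop the Where-Object to see every zone.
$results | Where-Object { $_.Zone -eq 'Trusted sites' } | Sort-Object Source, Site | Format-Table -AutoSize
```

Run it in the context of the affected user (the HKCU entries are per user) after a `gpupdate /force`. Entries under the Policies\...\ZoneMapKey paths come from the "Site to Zone Assignment List" administrative template rather than from IE Maintenance, so if both mechanisms are in use you will see both sources listed.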

    LVL 1

    Author Comment

    I would agree with you that it is horrible and would not have been my choice.  Unfortunately I inherited this mess and have to clean it up.  I did a little more digging and found that in order to make the policy apply more than once you must set another GPO setting.  I want to remove this section all together but I believe it will leave the settings as they are now.  It looks like I cannot use GP to remove the unwanted sites without using another policy to replace ALL of the sites.  Am I correct?  
    LVL 29

    Accepted Solution

    I'm not sure.  Some things with GPO you have to edit the existing GPO (you don't need a new one) to reverse the changes before you remove the GPO altogether.  But other things will return to defaults if the GPO is simply removed.

    So if you look at the specific GPO settings you have and read the Descriptions it will indicate the Default Setting, you use the GPO to force the Default Setting back into place.  Leave the GPO there for a few days to take effect, then you can unlink the GPO (without deleting it) and see if you get the results you wanted.  If all is well at that point then you can delete the no-longer-used GPO if you wish.

    Also be sure to never modify the two Default GPOs (except for the Password Policy in the Default Domain Policy, which is the only place that can be done). Keeping these Default Policies "pure" gives you a "clean" place to return to. You should create new, distinct policies for different categories of settings; it makes it easier to manage and keep track of. Just don't go to an extreme, either: too many individual GPOs is also bad. Moderation is the key word here; don't go to extremes in either direction.
    LVL 29

    Expert Comment

    I rebuilt the Domains at two Banks where someone went "GPO Crazy". There is a command line tool that you can use to create fresh "new" Default Policies (the Default Domain and the Default DC policies). What I did was rename the policies they already had. They had done everything in the two Default Policies and it was a wreck.

    After running the command line tool and creating fresh "original" Default Policies, I then unlinked their policies (I did not delete them) and gave it a few days to propagate and "settle down". I then ran the GPMC and created Reports of their Policies (now unlinked) and ran Reports on the two fresh Default Policies. By comparing the two sets of Reports I was able to gather which settings were non-default, yet important, and created new policies for those settings.

    In the end I created a totally new domain and did a migration, but the above steps certainly saved the day in the short term and made the system usable until I could get the migration done.

    Here's the information for the command line tool. Note the second article explains that the tool does not force everything back to defaults, mostly because restoring the Default Policy doesn't force back the defaults as I was explaining above, but it is still pretty good, and certainly better than doing nothing.

    Using Dcgpofix

    The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

    LVL 29

    Expert Comment

    Actually you would want to make "copies" of their existing policies; don't rename them. The name means nothing and is for human consumption; the system identifies them by the GUID, so the command line tool will overwrite the original Default Policies even if they have been renamed first. Make copies instead and let the tool overwrite the "active" ones when you run it.
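The point about GUIDs can be turned into a repeatable procedure. The following PowerShell is an added example, not from the thread or from Microsoft's documentation; it assumes the GroupPolicy module (installed with GPMC/RSAT) and a backup folder path of your choosing. It backs up every GPO, makes a working copy of each Default policy under a new GUID so Dcgpofix cannot touch it, and writes HTML reports before and after the reset so the two states can be compared the way the previous comment describes:

```powershell
# Added example (not from the thread): preserve the current Default GPOs before
# Dcgpofix overwrites them, and produce before/after reports for comparison.
# Requires the GroupPolicy module (GPMC / RSAT). Run as a domain admin.
Import-Module GroupPolicy

# Assumed path; change to suit. One folder per run so backups are never mixed.
$backupRoot = 'C:\GPO-Backup\{0:yyyyMMdd-HHmm}' -f (Get-Date)
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Dcgpofix identifies the two Default policies by these well-known GUIDs,
# not by display name, which is why renaming them offers no protection.
$defaultGpos = @{
  'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
  'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}

function Export-DefaultGpoReports {
  # Writes one HTML report per Default policy, e.g. Default_Domain_Policy-before.html
  param([string]$Suffix)
  foreach ($name in $defaultGpos.Keys) {
    $file = Join-Path $backupRoot ("{0}-{1}.html" -f ($name -replace ' ', '_'), $Suffix)
    Get-GPOReport -Guid $defaultGpos[$name] -ReportType Html -Path $file
  }
}

# 1. Full backup of every GPO's settings (links are stored on the OU/domain
#    objects, not in the GPO, so note those separately if you need them).
Backup-GPO -All -Path $backupRoot | Out-Null

# 2. Working copies under new GUIDs; Dcgpofix will leave these alone.
foreach ($name in $defaultGpos.Keys) {
  Copy-GPO -SourceGuid $defaultGpos[$name] -TargetName "$name - copy before dcgpofix" | Out-Null
}

# 3. Snapshot of the current (modified) state.
Export-DefaultGpoReports -Suffix 'before'

# 4. Only now reset the originals. Must be run on a domain controller:
#      dcgpofix /ignoreschema /target:Both
#    Then wait for AD and SYSVOL replication to complete.

# 5. Snapshot of the fresh state, then compare the two report sets.
#    Uncomment after step 4 has replicated:
# Export-DefaultGpoReports -Suffix 'after'
```

Compare the `-before` and `-after` reports side by side (or with a text diff after saving as XML via `-ReportType Xml`) to pick out the non-default settings worth carrying into new, separately named GPOs; the copies made in step 2 remain available as a fallback if something turns out to have been needed.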
