Internet Explorer Maintenance GPO

I am trying to edit the trusted sites listed in the User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings\Trusted Sites GP.  When I open the Security settings it brings up a dialog box asking if I would like to import settings that will only apply to computers that do not have ESC enabled.  I do want to do so, so I click continue and I get the popup window for IE settings.  When I browse down to the trusted sites there are none listed, but when I check the settings in GPMC they are all listed there.  What is going on?  Unfortunately my predecessor applied this GPO to the root of the domain so it affects basically every user in the company and I need to get this corrected asap.....any suggestions? I would think it would be listed so I could remove the unwanted trusted site and it would apply to all users during their regular GP update.

pwindell Commented:
I'm not sure.  Some things with GPO you have to edit the existing GPO (you don't need a new one) to reverse the changes before you remove the GPO altogether.  But other things will return to defaults if the GPO is simply removed.

So if you look at the specific GPO settings you have and read the Descriptions it will indicate the Default Setting, you use the GPO to force the Default Setting back into place.  Leave the GPO there for a few days to take effect, then you can unlink the GPO (without deleting it) and see if you get the results you wanted.  If all is well at that point then you can delete the no-longer-used GPO if you wish.

Also be sure to never modify the two Default GPOs (except for the Password Policy in the Default Domain Policy which is the only place that can be done).   Keeping these Default Policies "pure" gives you a "clean" place to return to.    You should create new distinct policies for different categories of settings. It makes it easier  to manage and keep track of.  Just go to an extreme,...too many individual GPOs is also bad,...moderation is the key word here,...don't go to extremes either direction here.
It will not show the entries you make with GPO.  It will also ignore anything the users may enter into the list on their own.  

So basically once you start doing it with GPO you have to do ALL of it from the GPO and none of what you do is going to be "visible" on the local machine if you go look at it.  The only place you can see what you did is by looking into the GPO itself.  Any settings done manually, locally, will be meaningless and useless.

Doing this particular thing with GPO is, in my opinion, just plain horrible and nearly worthless.  I stopped doing that one a long long time ago.

bullfrog264 (Author) Commented:
I would agree with you that it is horrible and would not have been my choice.  Unfortunately I inherited this mess and have to clean it up.  I did a little more digging and found that in order to make the policy apply more than once you must set another GPO setting.  I want to remove this section all together but I believe it will leave the settings as they are now.  It looks like I cannot use GP to remove the unwanted sites without using another policy to replace ALL of the sites.  Am I correct?  
I rebuilt the Domains at two Banks where someone went "GPO Crazy".  There is a command line that you can use to create fresh "new" Default Policies (the Default Domain and the Default DC policies).  What I did was rename the policies they already had.  They had done everything in the two Default Policies and it was a wreck.  

After running the command line tool and creating fresh "original" Default Policies I then unlinked their policies (I did not delete them) and gave it a few days to propagate and "settle down".  I then ran the GPMT and created Reports of their Policies (now unlinked) and ran Reports on the two fresh Default Policies. By comparing the two sets of Reports I was able to gather what settings were non-default, yet important, and created new policies for those settings.

In the end I created a totally new domain and did a migration,...but the above steps certainly saved the the in the short term and made the system usable until I could get the migration done.

Here's the information for the command line tool. Note the second article explains that the tool does not force everything back to defaults,...mostly because restoring the Default Default Policy doesn't force back the defaults as I was explaining above,...but it is still pretty good, and certainly better than doing nothing.

Using Dcgpofix

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

Actually you would want to make "copies" of their existing policies,...don't rename them.  The name means nothing, is for human consumption,..the system identifies them by the GUID, so the command line tool will overwrite the original Default Policies even if they have been renamed first. Make copies instead and let the tool overwrite the "active" ones when you run it.
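
The copy, reset and compare procedure described in the comment above, sketched with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The backup folder, the copy-name prefix and the function names are assumptions; the two GUIDs are the well-known identifiers of the default GPOs, which is why renaming them does not protect them from Dcgpofix.

```powershell
# Added example. Requires the GroupPolicy module (GPMC/RSAT) and Domain Admin rights.
Import-Module GroupPolicy

# Well-known GUIDs of the two default GPOs; they do not change when a GPO is renamed.
$Defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}
$CopyPrefix = 'Pre-dcgpofix copy of '   # assumed naming convention for the copies

function Save-DefaultGpo {
    param([string]$BackupPath = 'C:\GPO-Backup')   # assumed folder
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    foreach ($d in $Defaults.GetEnumerator()) {
        Backup-GPO -Guid $d.Value -Path $BackupPath | Out-Null
        # Copy-GPO creates a new, unlinked GPO with its own GUID.
        Copy-GPO -SourceGuid $d.Value -TargetName ($CopyPrefix + $d.Key) | Out-Null
    }
}

function Get-GpoSetting {
    param([xml]$Report)
    # Flatten each leaf element under ExtensionData to "path = value".
    foreach ($leaf in $Report.SelectNodes("//*[local-name()='ExtensionData']//*[not(*)]")) {
        $path = @()
        for ($n = $leaf; $n -is [System.Xml.XmlElement] -and $n.LocalName -ne 'GPO'; $n = $n.ParentNode) {
            $path = @($n.LocalName) + $path
        }
        '{0} = {1}' -f ($path -join '/'), $leaf.InnerText.Trim()
    }
}

function Compare-DefaultGpo {
    foreach ($d in $Defaults.GetEnumerator()) {
        $fresh = @(Get-GpoSetting (Get-GPOReport -Guid $d.Value -ReportType Xml))
        $old   = @(Get-GpoSetting (Get-GPOReport -Name ($CopyPrefix + $d.Key) -ReportType Xml))
        # '=>' marks lines present only in the old copy: candidates for new, separate GPOs.
        Compare-Object -ReferenceObject $fresh -DifferenceObject $old |
            Where-Object SideIndicator -eq '=>' |
            Select-Object @{ n = 'Policy'; e = { $d.Key } }, @{ n = 'Setting'; e = { $_.InputObject } }
    }
}

# Usage:
#   Save-DefaultGpo                 # 1. keep copies first
#   dcgpofix /target:Both           # 2. run manually on a DC; it asks for confirmation
#   Compare-DefaultGpo | Export-Csv C:\GPO-Backup\non-default-settings.csv -NoTypeInformation
```

The comparison is a flat line diff of the XML reports, so review the output by hand before building new GPOs from it.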
Question has a verified solution.
