Internet Explorer Maintenance GPO

bullfrog264 asked
Last Modified: 2012-05-11
I am trying to edit the trusted sites listed in the User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings\Trusted Sites GP. When I open the Security settings it brings up a dialog box asking if I would like to import settings that will only apply to computers that do not have ESC enabled. I do want to do so, so I click continue and I get the popup window for IE settings. When I browse down to the trusted sites there are none listed, but when I check the settings in GPMC they are all listed there. What is going on? Unfortunately my predecessor applied this GPO to the root of the domain so it affects basically every user in the company and I need to get this corrected asap. Any suggestions? I would think it would be listed so I could remove the unwanted trusted site and it would apply to all users during their regular GP update.

Most Valuable Expert 2011

Commented:
It will not show the entries you make with GPO.  It will also ignore anything the users may enter into the list on their own.  

So basically once you start doing it with GPO you have to do ALL of it from the GPO and none of what you do is going to be "visible" on the local machine if you go look at it.  The only place you can see what you did is by looking into the GPO itself.  Any settings done manually, locally, will be meaningless and useless.

Doing this particular thing with GPO is, in my opinion, just plain horrible and nearly worthless.  I stopped doing that one a long long time ago.

Author

Commented:
I would agree with you that it is horrible and would not have been my choice. Unfortunately I inherited this mess and have to clean it up. I did a little more digging and found that in order to make the policy apply more than once you must set another GPO setting. I want to remove this section altogether but I believe it will leave the settings as they are now. It looks like I cannot use GP to remove the unwanted sites without using another policy to replace ALL of the sites. Am I correct?
Most Valuable Expert 2011

Commented:
I rebuilt the Domains at two Banks that someone went "GPO Crazy".  There is a command line that you can use to create fresh "new" Default Policies (the Default Domain and the Default DC policies).  What I did was rename the policies they already had.  They had done everything in the two Default Policies and it was a wreck.

After running the command line tool and creating fresh "original" Default Policies I then unlinked their policies (I did not delete them) and gave it a few days to propagate and "settle down".  I then ran the GPMT and created Reports of their Policies (now unlinked) and ran Reports on the two fresh Default Policies. By comparing the two sets of Reports I was able to gather what settings were non-default, yet important, and created new policies for those settings.

In the end I created a totally new domain and did a migration,...but the above steps certainly saved the the in the short term and made the system usable until I could get the migration done.

Here's the information for the command line tool. Note the second article explains that the tool does not force everything back to defaults,...mostly because restoring the Default Default Policy doesn't force back the defaults as I was explaining above,...but it is still pretty good, and certainly better than doing nothing.

Using Dcgpofix
http://technet.microsoft.com/en-us/library/cc772811(WS.10).aspx

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
http://support.microsoft.com/kb/833783

Most Valuable Expert 2011

Commented:
Actually you would want to make "copies" of their existing policies,...don't rename them.  The name means nothing,...it is for human consumption,..the system identifies them by the GUID, so the command line tool will overwrite the original Default Policies even if they have been renamed first,...so make copies instead and let the tool overwrite the "active" ones when you run it.
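
The sequence described in the comments above (copy the existing default policies, recreate them with Dcgpofix, then compare reports), as an added PowerShell example that is not part of the original thread. It uses the GroupPolicy module cmdlets rather than GPMC report exports and takes the "before" reports from the originals just before the tool runs; the working folder and the "COPY - " names are assumptions.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT)
# and rights to modify the default GPOs. Run on a test domain first.
Import-Module GroupPolicy

# Well-known GUIDs of the two default GPOs. They are the same in every domain,
# which is why renaming the policies does not stop dcgpofix from overwriting them.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

$workDir = 'C:\GPO-Rebuild'   # hypothetical working folder (assumption)
New-Item -ItemType Directory -Path "$workDir\Backup" -Force | Out-Null

foreach ($entry in $defaults.GetEnumerator()) {
    $gpo = Get-GPO -Guid $entry.Value

    # File backup (restorable with Restore-GPO) plus a copy that gets its own new GUID.
    Backup-GPO -Guid $gpo.Id -Path "$workDir\Backup" | Out-Null
    Copy-GPO -SourceName $gpo.DisplayName -TargetName "COPY - $($entry.Key)" | Out-Null

    # Report of the current (customised) settings.
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path "$workDir\before-$($entry.Value).xml"
}

# Recreate both default GPOs. Dcgpofix asks for confirmation before overwriting.
dcgpofix /target:Both

foreach ($entry in $defaults.GetEnumerator()) {
    $before = "$workDir\before-$($entry.Value).xml"
    $after  = "$workDir\after-$($entry.Value).xml"
    Get-GPOReport -Guid $entry.Value -ReportType Xml -Path $after

    # Lines found only in the old report are candidate non-default settings.
    # This is a plain text diff, so timestamps and version numbers also show up
    # and have to be ignored when reviewing the output.
    Compare-Object (Get-Content $before) (Get-Content $after) |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject |
        Set-Content "$workDir\nondefault-$($entry.Value).txt"
}
```

The settings listed in the `nondefault-*.txt` files are the ones to review and move into new, separately linked policies, as the comment above describes.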