Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Enabling 2 GPO politics for users

Posted on 2011-09-26
2
Medium Priority
?
1,844 Views
Last Modified: 2012-05-12
Hi,

we want to enable two GPO politics for all users :
1. - Automatic prompting for file downloads
2. - "Use SSL 3.0" and "Use TLS 1.0"

When we enabled them in location - see below, options in internet explorer are grayed out for all users and they cannot change it (enable/disable/uncheck USE TLS 1.0)
1. Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zoneshow/Automatic prompting for file downloads
2. Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption Support

Question is : How can we achieve that the settings will be set according description and users will have still option to change it.

Thank you.
0
Comment
Question by:ZUNO
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 2000 total points
ID: 36600648
Policies are firmly set and cannot be changed by design.  You will have to use a login script to acheive your goal.  You can run a simple script to set this flag, but your problem will be that the IE setting will be reset the next time the user logs on.  

If the user changes it, after the script is run, then once the user logs on the next time, it will re-apply.

Do you want this to happen, or would you like to just set this one time only?

The two registry values you want for the second policy are:

1.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHTTP1_1

The SSL/TLS settings (USE SSL 2.0, USE SSL 3.0, USE TLS 1.0) are all combined into the following key...you want the second option:

2.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

1.   A value of "0" means that all 3 are unchecked
2.   A value of "160" means that USE SSL 3.0 and USE TLS 1.0 are checked and USE SSL 2.0 is not
3.   A value of "168" means that all 3 are checked.

Automatic prompting for file downloads is actually ZONE-specific.  Do you want to enable this for the "Internet" zone?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones contains the zones:

0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
0
 

Author Closing Comment

by:ZUNO
ID: 36709656
Thank you for solution.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question