Solved

Enabling 2 GPO politics for users

Posted on 2011-09-26
2
1,768 Views
Last Modified: 2012-05-12
Hi,

we want to enable two GPO politics for all users :
1. - Automatic prompting for file downloads
2. - "Use SSL 3.0" and "Use TLS 1.0"

When we enabled them in location - see below, options in internet explorer are grayed out for all users and they cannot change it (enable/disable/uncheck USE TLS 1.0)
1. Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zoneshow/Automatic prompting for file downloads
2. Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption Support

Question is : How can we achieve that the settings will be set according description and users will have still option to change it.

Thank you.
0
Comment
Question by:ZUNO
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 36600648
Policies are firmly set and cannot be changed by design.  You will have to use a login script to acheive your goal.  You can run a simple script to set this flag, but your problem will be that the IE setting will be reset the next time the user logs on.  

If the user changes it, after the script is run, then once the user logs on the next time, it will re-apply.

Do you want this to happen, or would you like to just set this one time only?

The two registry values you want for the second policy are:

1.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHTTP1_1

The SSL/TLS settings (USE SSL 2.0, USE SSL 3.0, USE TLS 1.0) are all combined into the following key...you want the second option:

2.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

1.   A value of "0" means that all 3 are unchecked
2.   A value of "160" means that USE SSL 3.0 and USE TLS 1.0 are checked and USE SSL 2.0 is not
3.   A value of "168" means that all 3 are checked.

Automatic prompting for file downloads is actually ZONE-specific.  Do you want to enable this for the "Internet" zone?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones contains the zones:

0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
0
 

Author Closing Comment

by:ZUNO
ID: 36709656
Thank you for solution.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question