Solved

Enabling 2 GPO politics for users

Posted on 2011-09-26
2
1,733 Views
Last Modified: 2012-05-12
Hi,

we want to enable two GPO politics for all users :
1. - Automatic prompting for file downloads
2. - "Use SSL 3.0" and "Use TLS 1.0"

When we enabled them in location - see below, options in internet explorer are grayed out for all users and they cannot change it (enable/disable/uncheck USE TLS 1.0)
1. Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zoneshow/Automatic prompting for file downloads
2. Windows Components/Internet Explorer/Internet Control Panel/Advanced Page/Turn off encryption Support

Question is : How can we achieve that the settings will be set according description and users will have still option to change it.

Thank you.
0
Comment
Question by:ZUNO
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 36600648
Policies are firmly set and cannot be changed by design.  You will have to use a login script to acheive your goal.  You can run a simple script to set this flag, but your problem will be that the IE setting will be reset the next time the user logs on.  

If the user changes it, after the script is run, then once the user logs on the next time, it will re-apply.

Do you want this to happen, or would you like to just set this one time only?

The two registry values you want for the second policy are:

1.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHTTP1_1

The SSL/TLS settings (USE SSL 2.0, USE SSL 3.0, USE TLS 1.0) are all combined into the following key...you want the second option:

2.   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

1.   A value of "0" means that all 3 are unchecked
2.   A value of "160" means that USE SSL 3.0 and USE TLS 1.0 are checked and USE SSL 2.0 is not
3.   A value of "168" means that all 3 are checked.

Automatic prompting for file downloads is actually ZONE-specific.  Do you want to enable this for the "Internet" zone?

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones contains the zones:

0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
0
 

Author Closing Comment

by:ZUNO
ID: 36709656
Thank you for solution.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now