  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2313

Gpo for Site Privacy Actions

Hi,

We are using Windows Server 2003 domain controllers. Our client machines are running on XP. Both domain controllers and client machines are using IE Version 8.

I need to set site privacy actions using GPO to allow some websites for the users. Can you please specify the steps to achieve this using GPO?

Please find the attachment for sample request.

This is very urgent. Please provide solutions as soon as possible. Accessing-Punchout-Catalogues.doc
0
gaddam01
Asked:
1 Solution
 
Krzysztof Pytko (Active Directory Engineer) Commented:
OK, as it is only a temporary solution, I wrote a short and simple Administrative Template (ADM) for that. Just save this file, rename it to gpo.adm and import it into the GPO policy for the user.

In the GPO, select User - Administrative Templates. Right-click it and choose "Add/Remove Templates". Point to the location where you saved that file. Go to the menu "View -> Filtering" and uncheck both bottom marks.
Now you should see a new node "My IE Settings" with the policy "Allow this website". Enable it, close the GPO, link it to the OU with users (for a test, do it only for one user), log on to the workstation again and check if it's there.

 gpo.adm.txt

Regards,
Krzysztof
0
 
gaddam01 (Author) Commented:
Hello,

Thanks for the reply. Actually I need to allow 25 websites like this. So please provide me an alternative solution for this?

Is there any In-built settings for this in GPO?
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Nope, there are no built-in settings in GPO for that. I would try to prepare an Administrative Template for you to do that but I need to test it first. Please give me some time.

Krzysztof
0

 
gaddam01 (Author) Commented:
Hello,

Please provide me the solution. I need to deploy it in the production. This is urgent.

Please reply as soon as possible.
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
I checked this and there is no possibility to use GPO Administrative Templates for that, sorry. Each website requires its own policy; that's too much and a big mess.

The only option is to use a logon script for users which imports the appropriate setting into the registry, or to install at least one 2008R2 server/DC in your environment, install the Client Side Extension (CSE) on your Windows XP clients and use Group Policy Preferences (GPP) to create registry entries.

Example command to add registry in logon script of a user

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\officemate.com"
reg add "HKCU\"Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\officemate.com" /v "" /t REG_DWORD /d 1

repeat these 2 lines for each website, replacing "officemate.com" with next names

Krzysztof
0
 
gaddam01 (Author) Commented:
But I think there is a setting called content ratings in GPO. Can we configure these settings with that?
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Do you mean "Content Advisor"? If so, I don't think this helps. This is used mostly to prevent user access to specified websites.

Krzysztof
0
 
gaddam01 (Author) Commented:
Please follow the settings given below and suggest me.


Userconfiguration\Windows Settings\Internet Explorer Maintenance\security\Security Zones and Content Ratings

Under this Security Zones and Privacy

If you click on Modify settings Internet Options will open. Under this If you click on Privacy and then click on Sites.

I think here we can add sites to allow.
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
I've just tested it in my test env and it works fine. You're right, this can be used for that. Configure all websites you need under the "Security Zones and Privacy" section.

Good job! You solved your issue by yourself :)

Krzysztof
0
 
gaddam01 (Author) Commented:
I have configured the GPO the same way that I explained. But I still cannot see any websites in the list.

How are you able to see the sites which were added as above?
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
This GPO should be linked to the OU with users to take effect (because it's a user setting).

Did you configure it in the "Privacy" tab under "Sites"? If so, please check if the GPO is applied to the user.

Run gpupdate /force on the command line or reboot the PC

and to check if policy is applied, run

RSoP.msc or gpresult /z and verify settings

Krzysztof

0
 
gaddam01 (Author) Commented:
The policy is showing in GPRESULT. But it is not applying as expected.
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
That's strange. It works fine in my env :/
Can you post here a screen shot from settings (you can delete all sites), just only to show where do you set it up. Thanks in advance.

Krzysztof
0
 
gaddam01 (Author) Commented:
Thanks for the reply. Here I am adding the settings that I had configured in the GPO. IE-Gpo.doc
0
 
gaddam01 (Author) Commented:
Can you please post your settings from Group Policy console??
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Hi, no problem :)
That's the difference in our policies :]

 ratings.pdf

Krzysztof
0
 
gaddam01 (Author) Commented:
I think I have used the same settings as you. Do I still need to add anything more?

Please suggest me on this?
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Nope, that's all. You can check if the entries were created in the registry. Check this hive:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

if it still doesn't work for you, try with reg add in logon script

Krzysztof
0
 
gaddam01 (Author) Commented:
Can you please provide me the Login script for two or three sites and for rest of them I will add it.
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Sure, here you are, add these lines into user logon script

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\officemate.com"
reg add "HKCU\"Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\officemate.com" /v "" /t REG_DWORD /d 1

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\analytics-shop.com"
reg add "HKCU\"Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\analytics-shop.com" /v "" /t REG_DWORD /d 1

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bechtle.com"
reg add "HKCU\"Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bechtle.com" /v "" /t REG_DWORD /d 1

and so on for other sites

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
or even better, configure all of them on one station, then export from registry "History" branch from specified above location, save reg file on a publicly available share and use in logon script

reg import \\server\sharename\file.reg

it's much less to do

Krzysztof
0
 
gaddam01 (Author) Commented:
I have tried the script given by you. I mean all the reg add lines copied and saved them into a .bat file. The keys are created in the Registry but the values are not generated. It is giving some errors.

Please find the attachment for the details. script-error.docx
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
OK, looks like it's not possible to create unnamed value ""
So, add all of sites on one workstation and export registry key to reg file from
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

and into bat file reg import \\server\share\filereg.reg

remember that domain users need read&execute rights to read and run this file

Krzysztof
0
 
Krzysztof Pytko (Active Directory Engineer) Commented:
OK, it works! My mistake. This command should be run as one syntax

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\officemate.com" /ve /t REG_DWORD /d 1

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\analytics-shop.com" /ve /t REG_DWORD /d 1

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bechtle.com" /ve /t REG_DWORD /d 1

and /ve switch allows for empty value creation
Please check that

Krzysztof
0
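The logon-script approach from the answer above, written as one loop with a read-back check. This is an added example, not part of the original thread; the variable names BASE and FAILED and the :allow label are assumptions, and the site list is the three names used in the thread.

```bat
@echo off
rem Added example: user logon script that writes the per-site privacy entry
rem (default value = 1, as used in this thread) for a fixed list of sites.
setlocal
set "BASE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"
set FAILED=0

rem Keep the allow list inside the script (or on a share users cannot write to),
rem so that only administrators can change which sites are allowed.
for %%S in (officemate.com analytics-shop.com bechtle.com) do call :allow %%S

if %FAILED% neq 0 echo %FAILED% site(s) could not be written.
endlocal & exit /b %FAILED%

:allow
rem /ve writes the key's default (unnamed) value.
rem /f overwrites without prompting, so the script does not stop and ask
rem "overwrite (Yes/No)?" at the second logon when the value already exists.
reg add "%BASE%\%1" /ve /t REG_DWORD /d 1 /f >nul 2>&1
if errorlevel 1 (
    echo FAILED to write %1
    set /a FAILED+=1
    goto :eof
)
rem Read the value back (substring match on the hex rendering of 1) so a
rem write to the wrong key or a silent failure shows up in the script output.
reg query "%BASE%\%1" /ve | find "0x1" >nul
if errorlevel 1 (
    echo Value for %1 is not 1
    set /a FAILED+=1
)
goto :eof
```

Run it once as a test user and compare the result with the History key of a workstation configured by hand before linking it to the OU.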
 
Krzysztof Pytko (Active Directory Engineer) Commented:
Hi, does this work for you, now? Any progress or we need to find something different?
Thanks in advance for the answer

Krzysztof
0
