VIBT
Adding sites to IE trusted sites in Group Policy not taking
I am attempting to load some sites into the trusted sites on my domain via Group Policy. I have a Windows 2008 domain with 1 W2K8 R2 domain controller and 3 W2K8 domain controllers. We are operating at a Windows Server 2008 function domain level.
In GP Mgmt Editor, I drill down to User Config|Policies|Windows Settings|IE Maintenance|Security|Security Zones and Content Ratings
Within Properties of Security Zones and Content Ratings, I have selected Import the current security zones and privacy settings and then click modify settings.
I add the 8 sites I want (a mix of both http:// & https:// with the "Require https://" unchecked).
I wait for the policy to propagate and log in to my test machine with a user that is within scope of the enabled GPO and do not see my additions. (IE Enhanced Security is disabled).
When I check the settings of the GPO in the GPM console, drilling down to:
User Configuration (Enabled) |Policies | Windows Settings | Internet Explorer Maintenance | Security/Security Zones and Content Ratings | Security Zones and Privacy | Trusted sites (Security Level: Medium)
I see the following settings (posted in code block at end), and my changes do not appear in "Sites in this zone".
Any clues, hints, or suggestions??
Thanks!
.NET Framework-reliant components
  Run components not signed with Authenticode: Enable
  Run components signed with Authenticode: Enable
ActiveX controls and plug-ins
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disable
  Initialize and script ActiveX controls not marked as safe: Disable
  Run ActiveX controls and plug-ins: Enable
  Script ActiveX controls marked safe for scripting: Enable
Downloads
  File download: Enable
  Font download: Enable
Microsoft VM
  Java permissions: High safety
Miscellaneous
  Access data sources across domains: Disable
  Allow META REFRESH: Enable
  Display mixed content: Prompt
  Don't prompt for client certificate selection when no certificates or only one certificate exists: Disable
  Drag and drop or copy and paste files: Enable
  Launching programs and files in an IFRAME: Prompt
  Navigate sub-frames across different domains: Disable
  Submit nonencrypted form data: Enable
  Userdata persistence: Enable
Scripting
  Active scripting: Enable
  Allow paste operations via script: Prompt
  Scripting of Java applets: Enable
User Authentication
  Logon: Automatic logon only in Intranet zone
Sites
  Require server verification (https:) for all sites in this zone: Disabled
  Sites in this zone:
    http://*.microsoft.com/
    https://*.microsoft.com/
ASKER CERTIFIED SOLUTION
ASKER
The GPO is active at the domain root level.
The affected user is a member of the security group defined in scope.
Running the gpresult /H c:\report.html command shows the GPO was applied.
The detail at the bottom for trusted sites only has 1 site listed, not the eight I entered.
Looking in IE, of the 2 listed trusted sites, neither is the one listed in the GPO.
I think my issue lies in the creation of the GPO. When creating it, the 8 sites that are added do not show in the details. When I add and then get out of the policy editor and go to the settings of the policy, the sites are not listed. What could be causing that?
SOLUTION
>>The affected user is a member of the security group defined in scope.
Note that GPOs do NOT affect security groups. It will only affect users or computers located within the same OU.
ASKER
Moving the sites to the Computer Configuration mentioned by ThinkPaper has them now showing up in the Trusted Sites list. However, I cannot add additional sites at the local machine.
Can you assist with the setting I need to find to allow local editing of the trusted sites?
Also, where is the setting in the Computer Configuration section to uncheck the "Require Server verification (https://) for all sites in this zone"?
Thanks!
viracor, long ago I was doing the same and it appeared to be buggy (you cannot tell on which side, if server or client, but it was buggy for sure). I am not sure if this GPO setting is not still broken and I have read about this issue in other forums, too.
So I encourage you to use the GPO to edit the registry directly (using group policy preferences). The regkey is HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
This way at least I was able to solve it.
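One way to check what actually landed under the key named above, as an added example that is not part of the original thread: a read-only PowerShell function that lists the site-to-zone mappings stored there. The function name Get-ZoneMapEntry and its -Root parameter are made up for this example; zone number 2 is Trusted sites.

```powershell
# Added example: read-only listing of IE site-to-zone mappings. Nothing is written.
function Get-ZoneMapEntry {
    param(
        # Default is the key quoted in the thread; -Root is this example's own parameter.
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet'; 4 = 'Restricted sites' }
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Key not found: $Root"
        return
    }
    $rootName = (Get-Item -LiteralPath $Root).Name
    # Layout: Domains\<domain>[\<host>]; each value name is a protocol
    # (http, https, or * for any) and its DWORD data is the zone number.
    foreach ($key in Get-ChildItem -LiteralPath $Root -Recurse) {
        $parts = $key.Name.Substring($rootName.Length + 1).Split('\')
        [array]::Reverse($parts)   # a host key sits below its domain key
        $site = $parts -join '.'
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValueKind($proto) -ne 'DWord') { continue }
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{
                Site        = '{0}://{1}' -f $proto, $site
                WholeDomain = ($parts.Count -eq 1)   # set on the domain key, not one host
                ZoneId      = $zone
                Zone        = $zoneNames[$zone]
                # http or * means the entry is not limited to https
                AllowsHttp  = (@('http', '*') -contains $proto)
            }
        }
    }
}

# Show what is mapped to Trusted sites (zone 2) for the current user.
Get-ZoneMapEntry | Where-Object { $_.ZoneId -eq 2 } | Sort-Object Site |
    Format-Table Site, WholeDomain, AllowsHttp -AutoSize
```

Run it as the affected user after policy refresh; passing the same path under HKLM: to -Root lists machine-wide entries instead.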
ASKER
Thanks! These did it!
Excuse me, what "did it"?
To keep users able to add sites, my solution would have to be used, right?
And on the client run gpresult /H c:\report.html
Then read the report to see if the client even sees the GPO.
//WebFooL Untangle Evangelist