Solved

Adding sites to IE trusted sites in Group Policy not taking

Posted on 2012-03-15
Last Modified: 2012-03-22
I am attempting to load some sites into the trusted sites on my domain via Group Policy. I have a Windows 2008 domain with 1 W2K8 R2 domain controller and 3 W2K8 domain controllers. We are operating at a Windows Server 2008 function domain level.

In GP Mgmt Editor, I drill down to User Config|Policies|Windows Settings|IE Maintenance|Security|Security Zones and Content Ratings

Within Properties of Security Zones and Content Ratings, I have selected Import the current security zones and privacy settings and then click modify settings.

I add the 8 sites I want (a mix of both http:// & https:// with the "Require https://" unchecked).

I wait for the policy to propagate and log in to my test machine with a user that is within scope of the enabled GPO and do not see my additions. (IE Enhanced Security is disabled.)

When I check the settings of the GPO in the GPM console, drilling down to:
User Configuration (Enabled) |Policies | Windows Settings | Internet Explorer Maintenance | Security/Security Zones and Content Ratings | Security Zones and Privacy | Trusted sites (Security Level: Medium)
I see the following settings (posted in code block at end), and my changes do not appear in "Sites in this zone".

Any clues, hints, or suggestions??

Thanks!

.NET Framework-reliant components
  Run components not signed with Authenticode: Enable
  Run components signed with Authenticode: Enable
ActiveX controls and plug-ins
  Download signed ActiveX controls: Prompt
  Download unsigned ActiveX controls: Disable
  Initialize and script ActiveX controls not marked as safe: Disable
  Run ActiveX controls and plug-ins: Enable
  Script ActiveX controls marked safe for scripting: Enable
Downloads
  File download: Enable
  Font download: Enable
Microsoft VM
  Java permissions: High safety
Miscellaneous
  Access data sources across domains: Disable
  Allow META REFRESH: Enable
  Display mixed content: Prompt
  Don't prompt for client certificate selection when no certificates or only one certificate exists: Disable
  Drag and drop or copy and paste files: Enable
  Launching programs and files in an IFRAME: Prompt
  Navigate sub-frames across different domains: Disable
  Submit nonencrypted form data: Enable
  Userdata persistence: Enable
Scripting
  Active scripting: Enable
  Allow paste operations via script: Prompt
  Scripting of Java applets: Enable
User Authentication
  Logon: Automatic logon only in Intranet zone
Sites
  Require server verification (https:) for all sites in this zone: Disabled
  Sites in this zone:
    http://*.microsoft.com/
    https://*.microsoft.com/

Question by:VIBT
9 Comments
 
LVL 3

Expert Comment

by:WebF00L
ID: 37725983
Make sure the GPO is active for the right users or computers (OU-wise).

And on the client run gpresult /H c:\report.html
Then read the report to see if the client even sees the GPO.

//WebFooL Untangle Evangelist
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 2000 total points
ID: 37726274
Are you trying to deploy these website settings to all users? Any reason you are doing this under User Configuration vs Computer Configuration?

We normally configure IE settings using the IE administrative template:

Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page
- Site to Zone Assignment List

I have not used your method, but it's worth testing this way out.
0
 

Author Comment

by:VIBT
ID: 37726282
The GPO is active at the domain root level.
The affected user is a member of the security group defined in scope.

Running the gpresult /H c:\report.html command shows the GPO was applied.

The detail at the bottom for trusted sites only has 1 site listed, not the eight I entered.

Looking in IE, of the 2 listed trusted sites, neither is the one listed in the GPO.

I think my issue lies in the creation of the GPO. When creating it, the 8 sites that are added do not show in the details. When I add them and then get out of the policy editor and go to the settings of the policy, the sites are not listed. What could be causing that?
0

 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 2000 total points
ID: 37726301
Here are some details on using Internet Explorer Maintenance. According to Microsoft, it looks like the maintenance only does a one-time "default setting push" and does not enforce the settings. It does not respond to gpupdate /force.

If you are trying to ENFORCE these settings, you would need to use the IE adm template instead (via Computer Configuration/Administrative Templates/Windows Components/Internet Explorer)


http://support.microsoft.com/kb/825685
http://technet.microsoft.com/en-us/library/cc728150(v=ws.10).aspx
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 37726306
>>The affected user is a member of the security group defined in scope.


Note that GPOs do NOT affect security groups. They will only affect users or computers located within the same OU.
0
 

Author Comment

by:VIBT
ID: 37726346
Moving the sites to the Computer Configuration mentioned by ThinkPaper has them now showing up in the Trusted Sites list. However, I cannot add additional sites at the local machine.

Can you assist with the setting I need to find to allow local editing of the trusted sites?

Also, where is the setting in the Computer Configuration section to uncheck the "Require Server verification (https://) for all sites in this zone"?

Thanks!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 37727376
viracor, long ago I was doing the same and it appeared to be buggy (you cannot tell on which side, server or client, but it was buggy for sure). I am not sure if this GPO setting is not still broken and I have read about this issue in other forums, too.

So I encourage you to use the GPO to edit the registry directly (using group policy preferences). The regkey is HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
This way at least I was able to solve it.
0
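The two storage locations discussed in the answers above (the Site to Zone Assignment List policy and the ZoneMap\Domains key), read back on a client to see which Trusted sites entries actually landed and which of them are wildcards or not restricted to https. This is an added example, not code from the thread; the ZoneMapKey policy path and zone number 2 for Trusted sites are assumptions based on the standard IE registry layout, and the function names and flag wording are illustrative.

```powershell
# Added example: read-only audit of Trusted sites (zone 2) assignments on a client.
$TrustedZone = 2   # assumption: 2 = Trusted sites in the IE zone numbering
$Settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Policies = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyZoneMap {
    # Site to Zone Assignment List: value name = site, value data = zone number (string).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "${hive}\${Policies}\ZoneMapKey"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($site in $key.GetValueNames()) {
            if (-not $site) { continue }   # skip the unnamed default value
            [pscustomobject]@{ Source = "Policy $hive"; Site = $site
                               Zone = $key.GetValue($site) -as [int] }
        }
    }
}

function Get-UserZoneMap {
    # ZoneMap\Domains\<domain>[\<host>]: value name = scheme (or *), data = zone (DWORD).
    $root = "HKCU:\${Settings}\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root -Recurse | ForEach-Object {
        $key = $_
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($parts)           # stored as domain\host, shown as host.domain
        $fqdn = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if (-not $scheme) { continue }
            [pscustomobject]@{ Source = 'User ZoneMap'; Site = "${scheme}://$fqdn"
                               Zone = $key.GetValue($scheme) -as [int] }
        }
    }
}

function Test-TrustedEntry($Entry) {
    $flags = @()
    # Entries with http://, *:// or no scheme are trusted over cleartext as well.
    if ($Entry.Site -match '^(http|\*)://' -or $Entry.Site -notmatch '://') { $flags += 'not https-only' }
    if ($Entry.Site -match '\*\.') { $flags += 'wildcard' }
    $flags -join ', '
}

@(Get-PolicyZoneMap) + @(Get-UserZoneMap) |
    Where-Object Zone -eq $TrustedZone |
    Select-Object Source, Site, @{ n = 'Flags'; e = { Test-TrustedEntry $_ } } |
    Format-Table -AutoSize
```

Run it as the affected user on the test machine; an empty table means neither the policy list nor the preference-written keys reached that user's session.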
 

Author Closing Comment

by:VIBT
ID: 37750201
Thanks!  These did it!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 37754462
Excuse me, what "did it"?

To keep users able to add sites, my solution would have to be used, right?
0
