Solved

Adding sites to IE trusted sites in Group Policy not taking

Posted on 2012-03-15
9
3,506 Views
Last Modified: 2012-03-22
I am attempting to load some sites into the trusted sites on my domain via Group Policy.  I have a windows 2008 domain with 1 W2K8 R2 domain controller and 3 W2K8 domain controllers.  We are operating at a Windows Server 2008 function domain level.

In GP Mgmt Editor, I drill down to User Config|Policies|Windows Settings|IE Maintenance|Security|Security Zones and Content Ratings

Within Properties of Security Zones and Content Ratings, I have selected Import the current security zones and privacy settings and then click modify settings.

I add the 8 sites I want (a mix of both http:// & https:// with the "Require https://" unchecked).

I wait for the policy to propagate and login to my test machine with a user that is within scope of the enabled GPO and do not see my additions.  (IE Enhanced Security is disabled).

When I check the settings of the GPO in the GPM console, drilling down to:
User Configuration (Enabled) |Policies | Windows Settings | Internet Explorer Maintenance | Security/Security Zones and Content Ratings | Security Zones and Privacy | Trusted sites (Security Level: Medium)
I see the following settings (posted in code block at end), and my changes do not appear in "Sites in this zone".

Any clues, hints, or suggestions??

Thanks!

.NET Framework-reliant componentsRun components not signed with Authenticode Enable 
Run components signed with Authenticode Enable 
ActiveX controls and plug-insDownload signed ActiveX controls Prompt 
Download unsigned ActiveX controls Disable 
Initialize and script ActiveX controls not marked as safe Disable 
Run ActiveX controls and plug-ins Enable 
Script ActiveX controls marked safe for scripting Enable 
DownloadsFile download Enable 
Font download Enable 
Microsoft VMJava permissions High safety 
MiscellaneousAccess data sources across domains Disable 
Allow META REFRESH Enable 
Display mixed content Prompt 
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable 
Drag and drop or copy and paste files Enable 
Launching programs and files in an IFRAME Prompt 
Navigate sub-frames across different domains Disable 
Submit nonencrypted form data Enable 
Userdata persistence Enable 
ScriptingActive scripting Enable 
Allow paste operations via script Prompt 
Scripting of Java applets Enable 
User AuthenticationLogon Automatic logon only in Intranet zone 
SitesRequire server verification (https:) for all sites in this zone Disabled 
Sites in this zone 
http://*.microsoft.com/ 
https://*.microsoft.com/ 

Open in new window

0
Comment
Question by:VIBT
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 3

Expert Comment

by:WebF00L
ID: 37725983
Make sure so the GPO is active for the right users/or Computers. (OU wise)

And on the client run gpresults /H c:\report.html
Then read the report to see if the client even see the GPO.

//WebFooL Untangle Evangelist
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 37726274
Are you trying to deploy these website settings to all users? Any reason you are doing under User Configuration vs Computer Configuration?

We normally configure IE settings using the IE administrative template:

Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Interent Control Panel/Security Page
- Sites to Zone Assignment list

I have not used your method, but it's worth testing this way out.
0
 

Author Comment

by:VIBT
ID: 37726282
The GPO is active at the domain root level.
The affected user is a member of the security group defined in scope.

Running the gpresults /H c:\report.html command shows the GPO was applied.

The detail at the bottom for trusted sites only has 1 site listed, not the eight I entered.

Looking in IE, of the 2 listed trusted sites, neither is the one listed in the GPO.

I think my issues lies in the creation of the GPO.  When creating it, the 8 sites that are added do not show in the details.  When I add and then get out of the policy editor and go to the settings of the policy, the sites are not listed.  What could be causing that?
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 500 total points
ID: 37726301
Here is some details on using Internet Explorer Maintenance. According to Microsoft, it looks like the maintenance only does a 1 time "default setting push" and does not enforce the settings. It does not respond to gpupdate /force.

If you are trying to ENFORCE these settings, you would need to use the IE adm template instead (via Computer Configuration/Administrative Templates/Windows Components/Internet Explorer)


http://support.microsoft.com/kb/825685
http://technet.microsoft.com/en-us/library/cc728150(v=ws.10).aspx
0
 
LVL 16

Expert Comment

by:ThinkPaper
ID: 37726306
>>The affected user is a member of the security group defined in scope.


Note that GPO's do NOT affect security groups. It will only affect users or computers located within the same OU.
0
 

Author Comment

by:VIBT
ID: 37726346
By moving the sites to the Computer Configuration mentioned by ThinkPaper has them now showing up in the Trusted Sites list.  However, I cannot add additional sites at the local machine.

Can you assist with the setting I need to find to allow local editing of the trusted sites?

Also, where is the setting in the Computer Configuration section to uncheck the "Require Server verification (https://) for all sites in this zone"?

Thanks!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 37727376
viracor, long ago I was doing the same and it appeared to be buggy (you cannot tell on which site, if server or client, but it was buggy for sure). I am not sure if this GPO setting is not still broken and I have read about this issue in other forums, too.

So I encourage you to use the GPO to edit the registry directly (using group policy preferences). The regkey is HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
This way at least I was able to solve it.
0
 

Author Closing Comment

by:VIBT
ID: 37750201
Thanks!  These did it!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 37754462
Excuse me, what "did it"?

To keep users able to add sites, my solution would have to be used, right?
0

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now