Solved

GPO for Trusted Sites, problem

Posted on 2013-02-01
Last Modified: 2013-04-11
A few weeks ago I created a new GPO to add some parent-company-required domains to our users' Trusted Sites. Now I'm discovering that users cannot add entries themselves. Is there any way around this? And if not, if I disable this GPO, will the zone assignments contained in the GPO disappear locally?
Question by:Ben Hart
30 Comments
 
Accepted Solution

by:
netballi earned 125 total points
ID: 38844409
 
Author Comment

by:Ben Hart
ID: 38845476
Thanks for the link!

Initial testing shows it works well, but the two problem people were out today. Monday will be a true test.
 
Author Comment

by:Ben Hart
ID: 38852359
OK, the new entries and the existing ones are all added to the Trusted Sites list, but users are still restricted from modifying the list or adding their own. I need to get this resolved; what can I do?
 
Expert Comment

by:netballi
ID: 38852458
Did you follow this link on the page?

http://www.grouppolicy.biz/2012/07/how-to-configuring-ie-site-zone-mapping-using-group-policy-without-locking-out-the-user/

If yes, then have the user run gpupdate on their systems.
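As an added example (not from this thread or from the linked post), the PowerShell below does what a GPP Registry item configured per that post does: it writes per-user entries under the non-policy ZoneMap\Domains key, which IE treats as the user's own list and leaves editable, and it checks for the policy-backed ZoneMapKey that the "Site to Zone Assignment List" setting creates, which is what locks the Security tab. The hostnames are constructed sample input; the registry paths, the Domains\<domain>\<subdomain> layout, and the 2 = Trusted Sites zone number are IE's standard ones.

```powershell
# Added example, not part of the original thread or the linked grouppolicy.biz post.
# Writes the same non-policy, per-user ZoneMap entries a GPP Registry item would,
# so the Trusted Sites list stays editable. Run in the user's own session (HKCU).
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.

$UserZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# These are the keys the "Site to Zone Assignment List" policy writes (computer and
# user halves). While either exists the Security tab is read-only. Checked, never written.
$PolicyZoneMapKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneMapPath {
    # IE keys a host as Domains\<last two labels>\<remaining labels>,
    # e.g. portal.parent.example.com -> Domains\example.com\portal.parent
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { throw "Need at least a second-level name: $HostName" }
    $domain = $labels[-2..-1] -join '.'
    if ($labels.Count -eq 2) { return Join-Path $UserZoneMap $domain }
    $sub = $labels[0..($labels.Count - 3)] -join '.'
    return Join-Path (Join-Path $UserZoneMap $domain) $sub
}

function Add-UserTrustedSite {
    # Maps one URL (scheme + host) to a zone for the current user; default is Trusted Sites (2).
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$Zone = 2
    )
    $uri = [uri]$Url
    if (-not $uri.IsAbsoluteUri) { throw "Not an absolute URL: $Url" }
    $key = Get-ZoneMapPath -HostName $uri.Host
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the scheme ('http' or 'https'); the DWORD data is the zone number.
    New-ItemProperty -Path $key -Name $uri.Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    [pscustomobject]@{ Url = $Url; Key = $key; Value = $uri.Scheme; Zone = $Zone }
}

function Test-ZoneListLocked {
    # True when a Site to Zone Assignment List policy is still present in either hive.
    foreach ($k in $PolicyZoneMapKeys) { if (Test-Path $k) { return $true } }
    return $false
}

# Constructed sample input; replace with the parent company's real hostnames.
'https://portal.parent.example.com', 'http://bes.example.com' |
    ForEach-Object { Add-UserTrustedSite -Url $_ }

if (Test-ZoneListLocked) {
    Write-Warning 'A Site to Zone Assignment List policy is still applied; the Security tab stays read-only until it is removed.'
}
```

Run it in the user's context (a logon script or a user-targeted GPP item), not elevated from another account, since HKCU is per user. The check function matters because the two mechanisms coexist: the GPP entries will appear in the list, but as long as the policy key is present the user sees a locked list no matter what else is written.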
 
Author Comment

by:Ben Hart
ID: 38852480
Yup, that's exactly what I did. My test machine has been rebooted multiple times and I've forced a gpupdate twice so far. Mind you, I modified the GPO last Friday, so there's been more than enough time to replicate between all three DCs.

Previously only two sites were entered. When I changed it from the Internet Control Panel/Admin template section to the GPP, I added 4 more URLs to the list. All 6 URLs appear in my list; it's just locked down.
 
Author Comment

by:Ben Hart
ID: 38852818
This additional info might help: gpresult shows both settings applied, the Security Page "Site to Zone Assignments" AND the GPP extra registry settings.

I set the Site to Zone assignments as Not Configured... should that have removed the settings applied by it earlier? Should I try Disabled?
 
Author Comment

by:Ben Hart
ID: 38852977
OK, so I have confirmed: my problem as of now is that I cannot remove the trusted site zone assignments. I disabled the GPO, rebooted my test PC, and the settings are still in my Internet Options.

What do I have to do to get the Trusted Sites list removed?
 
Expert Comment

by:btan
ID: 38858200
 
Assisted Solution

by:Erik Bjers
Erik Bjers earned 125 total points
ID: 38858554
This is the normal behavior of trusted sites when using GPO; it only allows what you put in the policy.

Instead of using a GPO, I used a script in my network to add registry keys for the trusted sites. I will try to find the script I used and post it if I can.

eb
 
Author Comment

by:Ben Hart
ID: 38859053
I realize that now, ebjers, but my problem (and question to you gurus) is how to reverse it. I don't need a different method to accomplish adding trusted sites; GPP has taken care of that.

@breadtan, I'm not sure I understand how that last post relates to what I'm trying to do now. I've used GPP to apply those websites; however, I cannot gauge any success with the trusted sites applied via the zone assignment list not being removed.
 
Expert Comment

by:btan
ID: 38859076
@ebjers, there is a script in my last post in that forum; I wonder if that is what you're alluding to...
 
Assisted Solution

by:btan
btan earned 250 total points
ID: 38859192
 
Expert Comment

by:Erik Bjers
ID: 38859335
@breadtan I actually created my own script, and it has been so long ago I cannot remember how I did it...

@ubadmin I will admit I did not read the entire discussion; I only scanned it, so I missed that you are trying to remove what was applied before. From the way I understand it, the policy for trusted sites is supposed to be a managed policy, meaning that when you remove the policy it should remove the trusted sites, which apparently is not what your system is doing. I am not sure how to remove these settings unless a script can be used to delete the registry key.

eb
 
Author Comment

by:Ben Hart
ID: 38859342
I keep seeing references to this happening to people, but no post or blog ever states that after setting the Zone Assignment to "Not Configured" the previous policy settings were still being applied to client machines. There's nothing that I've found in the registry to manually delete to revert these changes either.

Here's another little bit to help confuse you: that Zone Assignment page, you know it has the comment field, right? Originally there was text in that field, "adding asa and bes to trusted zone". I can delete that line of text, hit Apply and close the window. Reboot, gpupdate /force... that comment text does not get removed either. If you edit the GPO again, that line is BACK in the comment field. The policy stays Not Configured, or Disabled, or whatever option I last chose... but that bloody comment field will not stay empty. IDK if it's related at all, but I really fail to believe that what is happening here is the correct operation of a group policy object.
 
Expert Comment

by:Erik Bjers
ID: 38859357
What if you just delete the entire policy?
 
Author Comment

by:Ben Hart
ID: 38859360
A script to remove this policy would be fine, especially a script that could be called by the login batch files. However, not knowing what exactly to remove is the hurdle.
 
Author Comment

by:Ben Hart
ID: 38859486
OK, I deleted the entire GPO, rebooted my test machine, logged in, and the trusted site list was still there and still locked out.

Thinking maybe it was my test PC, I grabbed another machine with a fresh install of 7 on it, copied an existing user account from one of our engineers, and logged into the new PC with the new test account. Same results. Made that new test account a local admin and rebooted. Same thing. Trusted site list still there and still locked down.

WTH?
 
Author Comment

by:Ben Hart
ID: 38860278
Just logged in as Domain Admin. Same bloody thing. Trusted Sites list still in there and not editable.
 
Author Comment

by:Ben Hart
ID: 38860435
OK, so now, after deleting the original GPO and rebooting a few times, I ran a new gpresult, and with the trusted site list still being pushed to the PC, the gpresult page shows the Winning GPO as a {C40E1362-96C9-4314-... you get the idea. So maybe a better question at this point is: what would cause Group Policy to process an object that doesn't exist?


ADDITION: I found this a bit ago: http://www.group-policy.com/ref/policy/1594/Site_to_Zone_Assignment_List

Based on this article I browsed to the key mentioned and there was no ZoneMapKey key; however, following the same path except under HKEY_LOCAL_MACHINE I did have the ZoneMapKey, which I deleted, but after either a reboot or a gpupdate /force the key is back.
 
Expert Comment

by:Erik Bjers
ID: 38861607
OK, so my next recommendation was going to be to find the GUID, but I was worried that since you had deleted the policy you would not be able to find it.

Now that gpresult shows you C40E1362-96C9-4314- as the culprit, this is in fact the GUID, and it is showing because it cannot find a name for it (because you deleted the policy). However, it seems Windows has left the policy in place on your system, but you can delete it (or better yet, move it in case it screws something else up).

On a domain controller:
1) Navigate to C:\Windows\sysvol\domain\policies (I think this is the path; I don't have my computer handy and it may be \sysvol\yourdomain name\policies)

2) Find the folder that starts {C40E1362-96C9-4314-

3) Move it to somewhere else on your computer; this way, if something unexpected happens you can put it back, otherwise delete it once you are sure everything is OK.

If you have more than one domain controller, do this on the main one. Windows got rid of the concept of primary and secondary DC, but remove it from the first DC (or oldest) in your network.

If you have multiple sites, allow the change to replicate and check the sysvol folder again after a few hours to make sure it did not come back. If it did come back, go to every domain controller and delete it (only do this if it comes back).

Now you should be able to gpupdate /force and/or reboot, and hopefully it will be gone.

eb
 
Expert Comment

by:btan
ID: 38862268
Not sure if you caught the posting; it sheds some light:
- technically they can delete the policy-defined sites, but the next time the policy is applied to them it will restore those settings
- I do know that once it has been applied, any refreshes of the policy do not overwrite user-defined entries.

Also, setting a GPO setting to "Not Configured" does not "reverse" the setting; it means "no change will be made to the current setting". Even disabling it using a new GPO may not delete the added-in list.
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

We can try using another GPO to remove what is currently inside, then use the Internet Explorer Maintenance client-side extension to set the Sites to Zone mappings again.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/692e9cff-9b2a-4569-ae7b-2b6763831f76/

Another means, which may be more "risky", is using the script in this blog; it adds to the registry, but then the GPO needs to be disabled, else it reverts again. E.g. delete the registry entries, which should "reverse" it...
http://blog.skybyte.com/blog/network-helpdesk/hot-to-adding-trusted-sites-to-internet-explorer-with-vb-and-reg-files

Even MSDN stated that at times the site may re-appear. One means is to delete the registry key inside, e.g. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
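To turn the hunting Ben describes in his ADDITION above (the ZoneMapKey that comes back after every refresh), Erik's SYSVOL check, and btan's registry pointer into one repeatable check, here is an added PowerShell script, not from this thread, that inventories everything on a client that can keep a deleted Site to Zone Assignment List alive and removes it only when asked. The GUID and domain name are placeholders to replace; it assumes the usual layout of the Group Policy History key, where each applied GPO has a numbered subkey whose GPOName value holds the GPO's GUID.

```powershell
<#
Added example, not part of the original thread.
Reports, and with -Remove deletes, the client-side leftovers of a Site to Zone
Assignment List policy whose GPO has already been deleted from AD.
Run from an elevated PowerShell on the affected PC, logged on as the affected user
(the HKCU half is that user's hive). Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: the orphaned GUID gpresult shows as the winning GPO, braces included.
    [string]$GpoGuid   = '{00000000-0000-0000-0000-000000000000}',
    # Placeholder: the AD domain's DNS name, used to build the SYSVOL path.
    [string]$DomainDns = 'corp.example.com',
    [switch]$Remove
)

# The key the Site to Zone Assignment List setting writes (computer and user halves).
# Each value is named after the site and holds the zone number as a string, e.g. "2".
$zoneMapKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
# Group Policy's per-client record of applied GPOs: one numbered subkey per GPO under
# each client-side extension's GUID, identified by its GPOName value (assumed layout).
$historyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
)

function Get-OrphanedZonePolicy {
    $findings = @()
    foreach ($key in $zoneMapKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $sites = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0} -> zone {1}' -f $_.Name, $_.Value }
        $findings += [pscustomobject]@{ Kind = 'ZoneMapKey'; Path = $key; Detail = ($sites -join '; ') }
    }
    foreach ($root in $historyRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem -Path $root -Recurse) {
            $props = Get-ItemProperty -Path $entry.PSPath
            if ($entry.PSChildName -eq $GpoGuid -or $props.GPOName -eq $GpoGuid) {
                $findings += [pscustomobject]@{ Kind = 'GPHistory'; Path = $entry.PSPath; Detail = $props.DisplayName }
            }
        }
    }
    # The GPO folder in SYSVOL; if it is still here, the DCs are still replicating it.
    $sysvol = "\\$DomainDns\SYSVOL\$DomainDns\Policies\$GpoGuid"
    if (Test-Path $sysvol) {
        $findings += [pscustomobject]@{ Kind = 'SYSVOL'; Path = $sysvol; Detail = 'GPO folder still present on the DCs' }
    }
    return $findings
}

function Remove-OrphanedZonePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Findings)
    foreach ($f in $Findings) {
        # SYSVOL is cleaned up on a domain controller (Erik's steps), never from a client.
        if ($f.Kind -eq 'SYSVOL') { Write-Warning "Leave $($f.Path) to a DC admin"; continue }
        if ($PSCmdlet.ShouldProcess($f.Path, "Remove $($f.Kind) entry")) {
            Remove-Item -Path $f.Path -Recurse -Force
        }
    }
}

$found = @(Get-OrphanedZonePolicy)
if (-not $found) { 'Nothing policy-related found; the locked list is coming from somewhere else.'; return }
$found | Format-Table Kind, Detail, Path -AutoSize

if ($Remove) {
    Remove-OrphanedZonePolicy -Findings $found
    # Refresh and look again: a ZoneMapKey that returns is still being delivered by a
    # GPO that is in scope, so the fix belongs on the DCs, not on this client.
    gpupdate /force | Out-Null
    @(Get-OrphanedZonePolicy) | Format-Table Kind, Detail, Path -AutoSize
}
```

If a ZoneMapKey reappears after the refresh, `gpresult /h report.html` names the GPO delivering it; a bare GUID with no friendly name is exactly the symptom Ben reports, meaning the client is still being handed a policy object that the DCs have not finished removing, which is the SYSVOL/replication side Erik describes rather than anything left on the workstation.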
 
Author Comment

by:Ben Hart
ID: 38862313
@ebjers
I did check \\domain\sysvol\domain\policies for that GUID, but it was not in there.

I did search the test PC's registry for the GUID and found it mentioned twice, in two different keys under HKLM and HKCU/something../history. Removed them both.

@breadtan
I'd prefer not to run any scripts. But what about removing the settings with another GPO? Would that be as easy as setting the site zone assignment to Not Configured simply because it is a different GPO? Your second link mentioned removing with another GPO, but they gave no indication of how they did it.
 
Expert Comment

by:btan
ID: 38862727
Didn't have a chance to delve into it, but this link can be a useful ref:

http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d36382be-04b9-4bc0-9b10-f4fb8d383d08

The idea of reassigning is that since a site/domain can only be in one zone at a time, if you create a GPO to assign the site/domain into the zone you want, previous assignments will be overwritten.
 
Author Comment

by:Ben Hart
ID: 38863914
I wish I could get to that link. Forcing people to log in to live.com to view that article is utter crap. Besides, that page dumps on me with a generic error: "something went wrong and we can't sign you in right now, please try again later".

At any rate, if I assign those domains to another zone, won't the results lock that other zone down too?
 
Assisted Solution

by:btan
btan earned 250 total points
ID: 38864077
What I understand is as below on the various security zones...

You cannot assign a Web site to the Internet zone. The Internet zone contains all Web sites that are not on your computer or in the local intranet zone, or that are not already assigned to another zone.

Intranet site is identified as an Internet site when you use an FQDN or an IP address.

The Restricted Sites zone contains Web sites that are not on your computer or on your local intranet, or that are not already assigned to another zone.

Trusted Sites Zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone.
 
Author Comment

by:Ben Hart
ID: 39019905
Sorry for the lack of activity here. I think this is a non-issue now, but I am checking tonight to verify. After having to bail from the office for a couple of weeks to handle moving a new office into our "fold" after an acquisition, I think things are calm enough to remit this situation.
 
Expert Comment

by:btan
ID: 39020109
Keep us posted then. Thanks for the updates.
 
Author Comment

by:Ben Hart
ID: 39071612
Nothing ever worked out on this; I even called in to Microsoft AD support. Of course the language barrier between southern redneck and DEEP Indian didn't help one bit. I had to get nasty with them and request that they ignore and close my ticket. The issue seems to have gone away on its own, but seriously, I could not afford to keep that test box online and be on the phone for hours while they walked me through gathering info, since the remote support tool did not work. So really IDK what might have caused or made this issue stop happening, and neither did Microsoft.

I will, however, split up all the points to everyone here who tried helping.
