Solved

GPO with trusted sites grayed out

Posted on 2013-06-05
Last Modified: 2013-07-31
Hello All:

Details:  Our company has a local SharePoint site ( https://example.company.com ).  We currently use SSO/ActiveSync for logon to workstations that allow users to connect automatically to Outlook for email.  Now it's time to do the same with SharePoint. I found the GPO setting to add our website to the trusted sites, but now no user can add to the trusted sites.
All users using Windows 7 - 64 Bit

Problem:  Trusted sites grayed out & no users can add to the trusted sites since the GPO is currently set.

GPO settings:  Computer Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page
Site to Zone Assignment List >>> https://example.company.com > Value: 2

Are there registry key(s) I can edit so users can still add other Trusted Sites?
Are there any other GPO settings I can manage?

Thanks for your help. Hope I didn't lose you
Question by:synertia
10 Comments
 
LVL 22

Assisted Solution

by:Haresh Nikumbh
Haresh Nikumbh earned 250 total points
ID: 39222436
When we configure Site to Zone assignment list GPO then users will not be able to add their own sites to any zone. Options to add sites on client machine will be greyed out.


The only option is that you have to add those sites on the same policy.

http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx
0
 

Author Comment

by:synertia
ID: 39222456
"The only option is you have to add those sites on the same policy"

I cannot keep updating the policy for every Trusted Site with all the DoD sites that users go to. Maybe that is a decision for upper management. But for now, no reg can do this through GPO?
0
 
LVL 22

Expert Comment

by:Haresh Nikumbh
ID: 39222509
Remove the computer gpo and apply it thru the "Internet Explorer Maintenance" policy under User configuration.

The same issue was reported earlier.

Please refer to this link:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24135698.html

All Credit goes to dstewartjr  :)
0
 

Author Comment

by:synertia
ID: 39222608
Well, yes, that is a partial solution, but NOT for IE10 users.

IE10 Internet Maintenance disappears


I think I'm stuck ... unless I do it manually...
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39254570
I had to do this in an environment myself not too long ago.
I documented it on my own page - check out the last entry on this page:

http://www.vaderits.com/sharepoint/SitePages/SharePoint%20and%20PowerShell.aspx
0
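The registry approach asked about in the question, as an added example that is not part of the original thread and is not the script from the linked page: it reports whether the Site to Zone Assignment List policy (the setting that greys out the Sites dialog) is still applied, then writes the Trusted Sites mapping to the per-user preference key, which leaves the dialog editable. It assumes the policy has been set back to Not Configured, that the script runs in the user's context (for example as a logon script), and it uses the sample host from the question.

```powershell
# Added example: map one site to Trusted Sites through the per-user preference
# key instead of the Site to Zone Assignment List policy.
# Assumption: host name is the sample from the question. The split below keeps the
# last two labels as the domain, which is wrong for suffixes such as co.uk.
$Url  = [Uri]'https://example.company.com'
$Zone = 2   # 2 = Trusted Sites, the same value used in the policy list

# The Site to Zone Assignment List policy stores its entries under ZoneMapKey.
# While values exist here, users cannot edit the Sites list in Internet Options.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $names = (Get-Item $key).Property
        if ($names) { Write-Warning "Policy list still applied at ${key}: $($names -join ', ')" }
    }
}

# Split the host into domain and sub-domain:
# example.company.com -> Domains\company.com\example
$labels = $Url.Host.Split('.')
if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$($Url.Host)'" }
$domain = $labels[-2..-1] -join '.'
$sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }

$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$target = Join-Path $base $domain
if ($sub) { $target = Join-Path $target $sub }

# Create the key only if it is missing, so existing mappings under it are kept.
if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }

# The value name is the scheme. Mapping only "https" (not "*" or "http") keeps
# automatic logon with the current user name and password off cleartext HTTP.
New-ItemProperty -Path $target -Name $Url.Scheme -Value $Zone `
    -PropertyType DWord -Force | Out-Null

# Show what was written so the result can be checked in a logon-script log.
Get-ItemProperty -Path $target | Select-Object -Property $Url.Scheme
```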
 

Author Comment

by:synertia
ID: 39255668
vaderj:

That worked great, but now the issue is SSO only works for IE 64-bit.  Most users in the office don't know the difference between IE 32 & 64.  Any workaround?
0
 
LVL 8

Expert Comment

by:vaderj
ID: 39256169
There is a setting in IE option under the advanced tab about passing user credentials. Do you need that in a registry setting also?
0
 

Author Comment

by:synertia
ID: 39256304
IE 32 bit sees the 'automatic logon with current user & password' that I pushed through the GPO, but does not do the SSO.

IE 64 bit sees the 'automatic logon with current user & password' and pushes SSO to our sharepoint site.

Missing something ... ?
0
 
LVL 8

Accepted Solution

by:vaderj
vaderj earned 250 total points
ID: 39256323
Anything in your event logs when this happens? Especially the security section. Has this ever worked with 32 bit?
All workstations are affected? Had SSO ever worked with these workstations? And one more - do you have any other applications other than SharePoint that have SSO working (PeopleSoft for example)?
0
 

Author Comment

by:synertia
ID: 39256436
event error:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/18/2013 10:01:41 AM
Event ID:      4957
Task Category: MPSSVC Rule-Level Policy Change
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ALXWK63.gbhawk.weblynx.net
Description:
Windows Firewall did not apply the following rule:
Rule Information:
 ID: CoreNet-IPHTTPS-In
 Name: Core Networking - IPHTTPS (TCP-In)
Error Information:
 Reason: Local Port resolved to an empty set.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4957</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13571</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-18T14:01:41.260474200Z" />
    <EventRecordID>189608</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="556" />
    <Channel>Security</Channel>
    <Computer>ALXWK63.gbhawk.weblynx.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="RuleId">CoreNet-IPHTTPS-In</Data>
    <Data Name="RuleName">Core Networking - IPHTTPS (TCP-In)</Data>
    <Data Name="RuleAttr">Local Port</Data>
  </EventData>
</Event>
0


Question has a verified solution.
