?
Solved

Group Policy issue not matching up

Posted on 2013-12-06
8
Medium Priority
?
377 Views
Last Modified: 2013-12-10
Currently have a domain environment running Windows 2008 R2 and Windows 7 workstations
I am noticing a policy mis-match in the group policy that's applied for Internet Explorer settings for users.

We specify certain options to run activeX however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable so there's something that might be overriding this option.

We want this option to stay in 'enable' state.

The gpresults from the workstation show only the 1 GPO applied

Here is a snip from the GPO from the server:
settings from server
And here is a snip from the workstation with the policy applied:
from win7 machine
We've re-joined to the domain, uninstalled and reinstalled IE, tried gpupdate /force, rebooted multiple times...

Does anyone have any ideas as to why this is happening?

We have laptops that are affected as users take them home, they try to launch the RDWeb RemoteApp and feel that this may be preventing them from accessing things remotely as there's a message in IE that displays the yellow bar at the bottom 'Add-on for this website failed to run'

Any input is much appreciated.
thanks,
0
Comment
Question by:andrew_transparent
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 2000 total points
ID: 39702713
Is there any other polices present in your Domain with conflicting with the same settings ?
Can you open GPMC, go to the OU where the computers/users are kept , select Inheritance tab and check if any another policies are present.
If those policies have similiar settings then you might need to change the group policy processing order.

second would be, verify if the same policy is getting applied - from RSOP right click user config / computer config and verify the list that this policy is applied

thrird - verify if any security filtering or WMI filtering is present in the GPO that prevent this policy from getting applied to user/computer

As per my understanding Local intranet is more leisure than Trusted site in IE8 onwards, yeah again it based on how to defined it.
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 39702743
thanks for all the possible areas to review
however the only other policy that has precedence and priority from the inheritance tab is the Default Domain Policy in which there are none defined relevant or similar to any internet settings...
I've verified the security filtering apply to 'authenticated users' by default and its not linked to any WMI filter

And confirmed RSOP that the defined settings are applied from the proper GPO with those settings to 'Run ActiveX...' are all set to enable

Although in rsop properties, i noticed that the computer and user config shows warning on each...
digging in, I see these specific:
computer config propertiesand this:
user config properties
Does this give any clues?

I will research these errors
0
 
LVL 17

Expert Comment

by:jburgaard
ID: 39702837
"....however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable ..."
I wonder if you are trying to apply a user-setting to a computer-OU.
If that is what you want, you must use loopback-processing.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703345
There can be some issues in GPO if you use IEM [ Internet Explorer Maintenance] for IE which is greater than IE8.

It is recommended to use ADM or ADMX template to configure IE related settings,branding issue which was mentioned can also be resolved using ADM / ADMX template.

For that - download ADM template [ Inetres.adm] based on the browser version you have a perform steps as mentioned in below link

How to use ADM files :http://support.microsoft.com/kb/816662

Following link also would help you : http://technet.microsoft.com/en-us/library/gg699415.aspx
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 39703395
Is there a way to adjust the current settings so that the end users can change this setting manually?
Yes, the browser is greater than IE8
All the options are greyed out on the workstations and I've removed the checkmark so its not enforced
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703419
You can filter use group filtering with deny permission for the set of user who does not need to this policy for time being. Meanwhile you can set up a new policy using ADM template which is idle. Only ADM template can cover all IE related new settings - which might create trouble for legacy application - like compatible view, cross scripting etc
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 39703520
I was hoping i wouldn't have to come down to it as it was a policy that was created from a previous IT loaded the entire corporate policies into this one GPO.

Could i perhaps set the configured IEM options to 'not configured' to at least make it so the end workstations with the policies can adjust the custom security settings in IE?
0
 
LVL 1

Author Comment

by:andrew_transparent
ID: 39709251
Managed to figure out the policy issues as we've had another policy from a different OU applied to systems and the other policy applied to users which conflicted.
With rsop we checked on a couple users, actually showed the correct one being applied until we checked that 10th user/system to find out the mismatch of which policy was applied.

Thanks ram_kerala for providing clues to get to the bottom of this.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question