

Group Policy issue not matching up

Posted on 2013-12-06
Medium Priority
Last Modified: 2013-12-10
Currently have a domain environment running Windows 2008 R2 and Windows 7 workstations.
I am noticing a policy mismatch in the group policy that's applied for Internet Explorer settings for users.

We specify certain options to run ActiveX; however, there's one setting that is set to 'disable' on the workstation, and on the group policy that's applied it is set to enable, so there's something that might be overriding this option.

We want this option to stay in 'enable' state.

The gpresults from the workstation show only the 1 GPO applied

Here is a snip from the GPO from the server:
[Screenshot: settings from server]
And here is a snip from the workstation with the policy applied:
[Screenshot: from win7 machine]
We've re-joined to the domain, uninstalled and reinstalled IE, tried gpupdate /force, rebooted multiple times...

Does anyone have any ideas as to why this is happening?

We have laptops that are affected as users take them home; they try to launch the RDWeb RemoteApp, and we feel that this may be preventing them from accessing things remotely, as there's a message in IE that displays the yellow bar at the bottom: 'Add-on for this website failed to run'.

Any input is much appreciated.
Question by: andrew_transparent
LVL 14

Accepted Solution

Ram Balachandran earned 2000 total points
ID: 39702713
Are there any other policies present in your domain conflicting with the same settings?
Can you open GPMC, go to the OU where the computers/users are kept, select the Inheritance tab and check if any other policies are present.
If those policies have similar settings then you might need to change the group policy processing order.

Second would be, verify if the same policy is getting applied - from RSOP, right click user config / computer config and verify in the list that this policy is applied.

Third - verify if any security filtering or WMI filtering is present in the GPO that prevents this policy from getting applied to the user/computer.

As per my understanding Local intranet is more leisure than Trusted site in IE8 onwards; yeah, again it is based on how you defined it.

Author Comment

ID: 39702743
Thanks for all the possible areas to review.
However, the only other policy that has precedence and priority from the inheritance tab is the Default Domain Policy, in which there are none defined relevant or similar to any internet settings...
I've verified the security filtering applies to 'authenticated users' by default and it's not linked to any WMI filter.

And confirmed in RSOP that the defined settings are applied from the proper GPO, with those settings to 'Run ActiveX...' all set to enable.

Although in RSOP properties, I noticed that the computer and user config show a warning on each...
Digging in, I see these specific:
[Screenshot: computer config properties]
and this:
[Screenshot: user config properties]
Does this give any clues?

I will research these errors
LVL 17

Expert Comment

ID: 39702837
"....however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable ..."
I wonder if you are trying to apply a user-setting to a computer-OU.
If that is what you want, you must use loopback-processing.
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703345
There can be some issues in GPO if you use IEM [Internet Explorer Maintenance] for IE which is greater than IE8.

It is recommended to use the ADM or ADMX template to configure IE related settings; the branding issue which was mentioned can also be resolved using the ADM / ADMX template.

For that - download the ADM template [Inetres.adm] based on the browser version you have and perform the steps as mentioned in the link below.

How to use ADM files: http://support.microsoft.com/kb/816662

The following link would also help you: http://technet.microsoft.com/en-us/library/gg699415.aspx

Author Comment

ID: 39703395
Is there a way to adjust the current settings so that the end users can change this setting manually?
Yes, the browser is greater than IE8.
All the options are greyed out on the workstations and I've removed the checkmark so it's not enforced.
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703419
You can use group filtering with deny permission for the set of users who do not need this policy for the time being. Meanwhile you can set up a new policy using the ADM template, which is ideal. Only the ADM template can cover all IE related new settings - which might create trouble for legacy applications - like compatibility view, cross scripting etc.

Author Comment

ID: 39703520
I was hoping I wouldn't have to come down to it, as it was a policy that was created by a previous IT who loaded the entire corporate policies into this one GPO.

Could I perhaps set the configured IEM options to 'not configured' to at least make it so the end workstations with the policies can adjust the custom security settings in IE?

Author Comment

ID: 39709251
Managed to figure out the policy issues, as we've had another policy from a different OU applied to systems and the other policy applied to users, which conflicted.
With RSOP we checked on a couple of users, which actually showed the correct one being applied, until we checked that 10th user/system to find out the mismatch of which policy was applied.

Thanks ram_kerala for providing clues to get to the bottom of this.
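
The mismatch in this thread only surfaced on the tenth user/system checked, because the conflicting GPO was linked at a different OU. As an added example (not part of the original thread and not any poster's code), the following PowerShell collects RSoP reports for several user/computer pairs and lists every GPO that does not apply to all of them, together with the OU it is linked at. The workstation names and logons are constructed placeholders, and the report element names (`GPO`, `Name`, `Link`, `SOMPath`, `AccessDenied`, `FilterAllowed`) are assumptions about the RSoP XML report layout.

```powershell
# Added example. Needs the GroupPolicy module (GPMC/RSAT) and rights to collect
# RSoP data from each workstation; each user must have logged on to that machine.
Import-Module GroupPolicy

# Constructed sample pairs: replace with real workstation names and logons.
$pairs = @(
    @{ Computer = 'WS-EXAMPLE-01'; User = 'EXAMPLE\user01' },
    @{ Computer = 'WS-EXAMPLE-10'; User = 'EXAMPLE\user10' }
)

function Get-ChildText($Node, [string[]]$Names) {
    # local-name() keeps the lookup independent of the report's XML namespaces.
    $xpath = ($Names | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $n = $Node.SelectSingleNode($xpath)
    if ($n) { $n.InnerText }
}

function Get-RsopGpoLinks {
    param([xml]$Rsop, [string]$Computer, [string]$User)
    foreach ($side in 'ComputerResults', 'UserResults') {
        # Element names are assumed from the RSoP XML report layout.
        $gpos = $Rsop.SelectNodes("//*[local-name()='$side']/*[local-name()='GPO']")
        foreach ($gpo in $gpos) {
            New-Object psobject -Property @{
                Computer      = $Computer
                User          = $User
                Side          = $side
                Gpo           = (Get-ChildText $gpo 'Name')
                LinkedAt      = (Get-ChildText $gpo 'Link', 'SOMPath')  # first link only
                AccessDenied  = (Get-ChildText $gpo 'AccessDenied')
                FilterAllowed = (Get-ChildText $gpo 'FilterAllowed')
            }
        }
    }
}

$rows = foreach ($p in $pairs) {
    $file = Join-Path $env:TEMP ("rsop_{0}.xml" -f $p.Computer)
    Get-GPResultantSetOfPolicy -Computer $p.Computer -User $p.User -ReportType Xml -Path $file | Out-Null
    $rsop = New-Object System.Xml.XmlDocument
    $rsop.Load($file)   # Load() honours the encoding declared in the report
    Get-RsopGpoLinks -Rsop $rsop -Computer $p.Computer -User $p.User
}

# A GPO/link seen on only some pairs is the likely source of a per-machine mismatch.
$rows | Group-Object Side, Gpo, LinkedAt |
    Where-Object { $_.Count -lt $pairs.Count } |
    ForEach-Object { $_.Group } |
    Sort-Object Side, Gpo |
    Format-Table Computer, User, Side, Gpo, LinkedAt, AccessDenied, FilterAllowed -AutoSize
```

An empty table means every listed pair receives the same GPOs from the same links, so the sample should be widened before concluding there is no conflict.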
