Group Policy issue not matching up

Posted on 2013-12-06
Last Modified: 2013-12-10
Currently have a domain environment running Windows 2008 R2 and Windows 7 workstations
I am noticing a policy mis-match in the group policy that's applied for Internet Explorer settings for users.

We specify certain options to run activeX however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable so there's something that might be overriding this option.

We want this option to stay in 'enable' state.

The gpresults from the workstation show only the 1 GPO applied

Here is a snip from the GPO from the server:
settings from server
And here is a snip from the workstation with the policy applied:
from win7 machine
We've re-joined to the domain, uninstalled and reinstalled IE, tried gpupdate /force, rebooted multiple times...

Does anyone have any ideas as to why this is happening?

We have laptops that are affected as users take them home, they try to launch the RDWeb RemoteApp and feel that this may be preventing them from accessing things remotely as there's a message in IE that displays the yellow bar at the bottom 'Add-on for this website failed to run'

Any input is much appreciated.
Question by:andrew_transparent
  • 4
  • 3
LVL 14

Accepted Solution

Ram Balachandran earned 500 total points
ID: 39702713
Is there any other polices present in your Domain with conflicting with the same settings ?
Can you open GPMC, go to the OU where the computers/users are kept , select Inheritance tab and check if any another policies are present.
If those policies have similiar settings then you might need to change the group policy processing order.

second would be, verify if the same policy is getting applied - from RSOP right click user config / computer config and verify the list that this policy is applied

thrird - verify if any security filtering or WMI filtering is present in the GPO that prevent this policy from getting applied to user/computer

As per my understanding Local intranet is more leisure than Trusted site in IE8 onwards, yeah again it based on how to defined it.

Author Comment

ID: 39702743
thanks for all the possible areas to review
however the only other policy that has precedence and priority from the inheritance tab is the Default Domain Policy in which there are none defined relevant or similar to any internet settings...
I've verified the security filtering apply to 'authenticated users' by default and its not linked to any WMI filter

And confirmed RSOP that the defined settings are applied from the proper GPO with those settings to 'Run ActiveX...' are all set to enable

Although in rsop properties, i noticed that the computer and user config shows warning on each...
digging in, I see these specific:
computer config propertiesand this:
user config properties
Does this give any clues?

I will research these errors
LVL 17

Expert Comment

ID: 39702837
"....however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable ..."
I wonder if you are trying to apply a user-setting to a computer-OU.
If that is what you want, you must use loopback-processing.
ScreenConnect 6.0 Free Trial

Check out the updates in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI that improves session organization and overall user experience. See the enhancements for yourself!

LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703345
There can be some issues in GPO if you use IEM [ Internet Explorer Maintenance] for IE which is greater than IE8.

It is recommended to use ADM or ADMX template to configure IE related settings,branding issue which was mentioned can also be resolved using ADM / ADMX template.

For that - download ADM template [ Inetres.adm] based on the browser version you have a perform steps as mentioned in below link

How to use ADM files :

Following link also would help you :

Author Comment

ID: 39703395
Is there a way to adjust the current settings so that the end users can change this setting manually?
Yes, the browser is greater than IE8
All the options are greyed out on the workstations and I've removed the checkmark so its not enforced
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703419
You can filter use group filtering with deny permission for the set of user who does not need to this policy for time being. Meanwhile you can set up a new policy using ADM template which is idle. Only ADM template can cover all IE related new settings - which might create trouble for legacy application - like compatible view, cross scripting etc

Author Comment

ID: 39703520
I was hoping i wouldn't have to come down to it as it was a policy that was created from a previous IT loaded the entire corporate policies into this one GPO.

Could i perhaps set the configured IEM options to 'not configured' to at least make it so the end workstations with the policies can adjust the custom security settings in IE?

Author Comment

ID: 39709251
Managed to figure out the policy issues as we've had another policy from a different OU applied to systems and the other policy applied to users which conflicted.
With rsop we checked on a couple users, actually showed the correct one being applied until we checked that 10th user/system to find out the mismatch of which policy was applied.

Thanks ram_kerala for providing clues to get to the bottom of this.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question