Group Policy issue not matching up

Posted on 2013-12-06
Last Modified: 2013-12-10
Currently have a domain environment running Windows 2008 R2 and Windows 7 workstations
I am noticing a policy mis-match in the group policy that's applied for Internet Explorer settings for users.

We specify certain options to run activeX however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable so there's something that might be overriding this option.

We want this option to stay in 'enable' state.

The gpresults from the workstation show only the 1 GPO applied

Here is a snip from the GPO from the server:
settings from server
And here is a snip from the workstation with the policy applied:
from win7 machine
We've re-joined to the domain, uninstalled and reinstalled IE, tried gpupdate /force, rebooted multiple times...

Does anyone have any ideas as to why this is happening?

We have laptops that are affected as users take them home, they try to launch the RDWeb RemoteApp and feel that this may be preventing them from accessing things remotely as there's a message in IE that displays the yellow bar at the bottom 'Add-on for this website failed to run'

Any input is much appreciated.
Question by:andrew_transparent
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 14

Accepted Solution

Ram Balachandran earned 500 total points
ID: 39702713
Is there any other polices present in your Domain with conflicting with the same settings ?
Can you open GPMC, go to the OU where the computers/users are kept , select Inheritance tab and check if any another policies are present.
If those policies have similiar settings then you might need to change the group policy processing order.

second would be, verify if the same policy is getting applied - from RSOP right click user config / computer config and verify the list that this policy is applied

thrird - verify if any security filtering or WMI filtering is present in the GPO that prevent this policy from getting applied to user/computer

As per my understanding Local intranet is more leisure than Trusted site in IE8 onwards, yeah again it based on how to defined it.

Author Comment

ID: 39702743
thanks for all the possible areas to review
however the only other policy that has precedence and priority from the inheritance tab is the Default Domain Policy in which there are none defined relevant or similar to any internet settings...
I've verified the security filtering apply to 'authenticated users' by default and its not linked to any WMI filter

And confirmed RSOP that the defined settings are applied from the proper GPO with those settings to 'Run ActiveX...' are all set to enable

Although in rsop properties, i noticed that the computer and user config shows warning on each...
digging in, I see these specific:
computer config propertiesand this:
user config properties
Does this give any clues?

I will research these errors
LVL 17

Expert Comment

ID: 39702837
"....however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable ..."
I wonder if you are trying to apply a user-setting to a computer-OU.
If that is what you want, you must use loopback-processing.
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703345
There can be some issues in GPO if you use IEM [ Internet Explorer Maintenance] for IE which is greater than IE8.

It is recommended to use ADM or ADMX template to configure IE related settings,branding issue which was mentioned can also be resolved using ADM / ADMX template.

For that - download ADM template [ Inetres.adm] based on the browser version you have a perform steps as mentioned in below link

How to use ADM files :

Following link also would help you :

Author Comment

ID: 39703395
Is there a way to adjust the current settings so that the end users can change this setting manually?
Yes, the browser is greater than IE8
All the options are greyed out on the workstations and I've removed the checkmark so its not enforced
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703419
You can filter use group filtering with deny permission for the set of user who does not need to this policy for time being. Meanwhile you can set up a new policy using ADM template which is idle. Only ADM template can cover all IE related new settings - which might create trouble for legacy application - like compatible view, cross scripting etc

Author Comment

ID: 39703520
I was hoping i wouldn't have to come down to it as it was a policy that was created from a previous IT loaded the entire corporate policies into this one GPO.

Could i perhaps set the configured IEM options to 'not configured' to at least make it so the end workstations with the policies can adjust the custom security settings in IE?

Author Comment

ID: 39709251
Managed to figure out the policy issues as we've had another policy from a different OU applied to systems and the other policy applied to users which conflicted.
With rsop we checked on a couple users, actually showed the correct one being applied until we checked that 10th user/system to find out the mismatch of which policy was applied.

Thanks ram_kerala for providing clues to get to the bottom of this.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question