Group Policy issue not matching up

Posted on 2013-12-06
Medium Priority
Last Modified: 2013-12-10
Currently have a domain environment running Windows 2008 R2 and Windows 7 workstations
I am noticing a policy mis-match in the group policy that's applied for Internet Explorer settings for users.

We specify certain options to run activeX however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable so there's something that might be overriding this option.

We want this option to stay in 'enable' state.

The gpresults from the workstation show only the 1 GPO applied

Here is a snip from the GPO from the server:
settings from server
And here is a snip from the workstation with the policy applied:
from win7 machine
We've re-joined to the domain, uninstalled and reinstalled IE, tried gpupdate /force, rebooted multiple times...

Does anyone have any ideas as to why this is happening?

We have laptops that are affected as users take them home, they try to launch the RDWeb RemoteApp and feel that this may be preventing them from accessing things remotely as there's a message in IE that displays the yellow bar at the bottom 'Add-on for this website failed to run'

Any input is much appreciated.
Question by:andrew_transparent
  • 4
  • 3
LVL 14

Accepted Solution

Ram Balachandran earned 2000 total points
ID: 39702713
Is there any other polices present in your Domain with conflicting with the same settings ?
Can you open GPMC, go to the OU where the computers/users are kept , select Inheritance tab and check if any another policies are present.
If those policies have similiar settings then you might need to change the group policy processing order.

second would be, verify if the same policy is getting applied - from RSOP right click user config / computer config and verify the list that this policy is applied

thrird - verify if any security filtering or WMI filtering is present in the GPO that prevent this policy from getting applied to user/computer

As per my understanding Local intranet is more leisure than Trusted site in IE8 onwards, yeah again it based on how to defined it.

Author Comment

ID: 39702743
thanks for all the possible areas to review
however the only other policy that has precedence and priority from the inheritance tab is the Default Domain Policy in which there are none defined relevant or similar to any internet settings...
I've verified the security filtering apply to 'authenticated users' by default and its not linked to any WMI filter

And confirmed RSOP that the defined settings are applied from the proper GPO with those settings to 'Run ActiveX...' are all set to enable

Although in rsop properties, i noticed that the computer and user config shows warning on each...
digging in, I see these specific:
computer config propertiesand this:
user config properties
Does this give any clues?

I will research these errors
LVL 17

Expert Comment

ID: 39702837
"....however there's one setting that is set to 'disable' on the workstation and on the group policy that's applied it is set to enable ..."
I wonder if you are trying to apply a user-setting to a computer-OU.
If that is what you want, you must use loopback-processing.
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703345
There can be some issues in GPO if you use IEM [ Internet Explorer Maintenance] for IE which is greater than IE8.

It is recommended to use ADM or ADMX template to configure IE related settings,branding issue which was mentioned can also be resolved using ADM / ADMX template.

For that - download ADM template [ Inetres.adm] based on the browser version you have a perform steps as mentioned in below link

How to use ADM files :http://support.microsoft.com/kb/816662

Following link also would help you : http://technet.microsoft.com/en-us/library/gg699415.aspx

Author Comment

ID: 39703395
Is there a way to adjust the current settings so that the end users can change this setting manually?
Yes, the browser is greater than IE8
All the options are greyed out on the workstations and I've removed the checkmark so its not enforced
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39703419
You can filter use group filtering with deny permission for the set of user who does not need to this policy for time being. Meanwhile you can set up a new policy using ADM template which is idle. Only ADM template can cover all IE related new settings - which might create trouble for legacy application - like compatible view, cross scripting etc

Author Comment

ID: 39703520
I was hoping i wouldn't have to come down to it as it was a policy that was created from a previous IT loaded the entire corporate policies into this one GPO.

Could i perhaps set the configured IEM options to 'not configured' to at least make it so the end workstations with the policies can adjust the custom security settings in IE?

Author Comment

ID: 39709251
Managed to figure out the policy issues as we've had another policy from a different OU applied to systems and the other policy applied to users which conflicted.
With rsop we checked on a couple users, actually showed the correct one being applied until we checked that 10th user/system to find out the mismatch of which policy was applied.

Thanks ram_kerala for providing clues to get to the bottom of this.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question