Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

GPO 2008 R2 Question

Posted on 2014-04-29
2
364 Views
Last Modified: 2014-04-30
I have server 2008 R2 running as my domain controllers. All of my users are in one of 2 OU's.  With this Zero Day attack and more revelations of the complete uselessness of IE, I want to block all but a few people from using IE. I hastily have it set up more or less the opposite of what I want. I have an ie deny group and then I have a GPO set to prevent iexplore.exe from running.  I would rather it be set so that perhaps for all domain users users iexplore will not run, but if you are in the allow group it will run.

I imagine I would have 2 GPO's one for allow and one for deny deny would encompass my 2 OU's  and allow would encompass an allow group.

Please help me clear this up.

Thanks in Advance
0
Comment
Question by:dustaine
2 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 40031052
Hello dustaine,

First of all let me tell you that there are many applications which behavior relies on Internet Explorer properties in order to work, such as Microsoft Outlook and many others

If you want to apply the DenyIE policy to everyone but "Users with IE" group. You just need to apply the policy and configure a security group permission in order to exlude this policy to the members of the group "Users with IE"

In order to accomplish it you can complete the following steps:

1. Open Group Policy Management and link the "DenyIE" policy at the desired level

2. Select the DenyIE policy from the navigation pane and click the "Delegation" tab in the Central Pane

3. Add the "Users with IE" group and check the following DENY boxes for this group:
- Apply Group Policy
- Read

With these steps the policy is going to be excluded for the members of the "Users with IE" group

Note: It is strongly recommended that you first test this policy with a pilot workstation before applying it globally.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40031257
I don't think that IE is still needed by other apps anymore like it used to.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question