Solved

GPO 2008 R2 Question

Posted on 2014-04-29
2
367 Views
Last Modified: 2014-04-30
I have server 2008 R2 running as my domain controllers. All of my users are in one of 2 OU's.  With this Zero Day attack and more revelations of the complete uselessness of IE, I want to block all but a few people from using IE. I hastily have it set up more or less the opposite of what I want. I have an ie deny group and then I have a GPO set to prevent iexplore.exe from running.  I would rather it be set so that perhaps for all domain users users iexplore will not run, but if you are in the allow group it will run.

I imagine I would have 2 GPO's one for allow and one for deny deny would encompass my 2 OU's  and allow would encompass an allow group.

Please help me clear this up.

Thanks in Advance
0
Comment
Question by:dustaine
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 40031052
Hello dustaine,

First of all let me tell you that there are many applications which behavior relies on Internet Explorer properties in order to work, such as Microsoft Outlook and many others

If you want to apply the DenyIE policy to everyone but "Users with IE" group. You just need to apply the policy and configure a security group permission in order to exlude this policy to the members of the group "Users with IE"

In order to accomplish it you can complete the following steps:

1. Open Group Policy Management and link the "DenyIE" policy at the desired level

2. Select the DenyIE policy from the navigation pane and click the "Delegation" tab in the Central Pane

3. Add the "Users with IE" group and check the following DENY boxes for this group:
- Apply Group Policy
- Read

With these steps the policy is going to be excluded for the members of the "Users with IE" group

Note: It is strongly recommended that you first test this policy with a pilot workstation before applying it globally.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40031257
I don't think that IE is still needed by other apps anymore like it used to.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question