Solved

GPO 2008 R2 Question

Posted on 2014-04-29
Last Modified: 2014-04-30
I have Server 2008 R2 running as my domain controllers. All of my users are in one of 2 OUs. With this Zero Day attack and more revelations of the complete uselessness of IE, I want to block all but a few people from using IE. I hastily have it set up more or less the opposite of what I want. I have an IE deny group and then I have a GPO set to prevent iexplore.exe from running. I would rather it be set so that perhaps for all domain users iexplore will not run, but if you are in the allow group it will run.

I imagine I would have 2 GPOs, one for allow and one for deny; deny would encompass my 2 OUs and allow would encompass an allow group.

Please help me clear this up.

Thanks in Advance
Question by:dustaine
2 Comments
 

Accepted Solution

by:
Schnell Solutions earned 2000 total points
ID: 40031052
Hello dustaine,

First of all, let me tell you that there are many applications whose behavior relies on Internet Explorer properties in order to work, such as Microsoft Outlook and many others.

If you want to apply the DenyIE policy to everyone but the "Users with IE" group, you just need to apply the policy and configure a security group permission in order to exclude the members of the group "Users with IE" from this policy.

In order to accomplish it you can complete the following steps:

1. Open Group Policy Management and link the "DenyIE" policy at the desired level

2. Select the DenyIE policy from the navigation pane and click the "Delegation" tab in the Central Pane

3. Add the "Users with IE" group and check the following DENY boxes for this group:
- Apply Group Policy
- Read

With these steps the policy is going to be excluded for the members of the "Users with IE" group.

Note: It is strongly recommended that you first test this policy with a pilot workstation before applying it globally.
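
Added example, not part of the answer above or of the original thread: a read-only PowerShell check that the Delegation change took effect, that is, that the "Users with IE" group holds a Deny entry covering "Apply Group Policy" on the "DenyIE" GPO. It assumes the GroupPolicy and ActiveDirectory modules are installed and reuses the GPO and group names from the answer.

```powershell
# Added example (not from the thread): read-only check of the Delegation step.
# GPO and group names are the ones used in the answer above.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$gpoName   = 'DenyIE'
$groupName = 'Users with IE'

# rightsGuid of the "Apply Group Policy" extended right
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extended      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$gpo   = Get-GPO -Name $gpoName -ErrorAction Stop
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# The Delegation tab edits the ACL on the GPO's object in Active Directory
$acl   = Get-Acl -Path ("AD:\" + $gpo.Path)
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Deny entries that name the group directly
$denies = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq $group.SID.Value
})

# A Deny on ExtendedRight blocks "Apply Group Policy" when it targets that
# right's GUID, or the empty GUID (which means all extended rights)
$denyApply = @($denies | Where-Object {
    ($_.ActiveDirectoryRights -band $extended) -and
    ($_.ObjectType -eq $applyGpoRight -or $_.ObjectType -eq [Guid]::Empty)
})

# Summary object: DenyApplyPolicy should be True once step 3 has been done
New-Object PSObject -Property @{
    Gpo             = $gpo.DisplayName
    Group           = $group.Name
    DenyEntries     = $denies.Count
    DenyApplyPolicy = ($denyApply.Count -gt 0)
    DeniedRights    = ($denies | ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
}
```

On a pilot workstation, `gpresult /r` run as a member of the group then lists the GPO among those filtered out rather than applied.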

Expert Comment

by:McKnife
ID: 40031257
I don't think that IE is still needed by other apps anymore like it used to be.