Solved

problems with trusted sites list in GPO not being applied

Posted on 2014-08-28
Last Modified: 2015-01-30
We are setting up a remote desktop server farm.  I've set up a GPO for people who log in remotely, and for the most part everything appears to be set up correctly.  One thing doesn't seem to work though.

In the GPO under Computer Configuration (enabled) \ Policies \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page I have a list of sites that I have put into group 2 (trusted sites), that the user will have access to.

The problem is that this list doesn't get applied when  a user logs in.  They get a message about IE running enhanced security but if I look at the trusted sites, my list is not included.  

When I run Group Policy Modeling, I see that the GPO is applied, but none of the Internet Explorer settings show up in the result.

Does anyone have any idea what I'm missing?
Question by:geekdad1
14 Comments
 
LVL 6

Expert Comment

by:Chad Franks
ID: 40291236
This was answered here before. I have seen this issue. Please look at this and follow the troubleshooting steps:

http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_26251720.html
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40291258
You said you set up this GPO for users that log in remotely. But then later you noted you changed the settings under "computer settings" and not under "user settings." Computer settings are applied to computers, and therefore the GPO must be linked to an OU with computer objects. If you only linked this GPO to an OU with remote users, or if you changed the security filter to only apply to a group of users, the computer settings will simply be ignored as they technically do not apply to the identified users.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40291551
The GPO for the remote users shows two major sections.  Computer configuration and User Configuration.  The setting for IE only exists in the computer configuration section.  So do I have to create an OU and put all of the farm servers in it and then link the GPO to it?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40291555
That would be the easiest way, yes.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40291583
Ok, so I created the OU, and added the GPO to it, but I don't see where I add the farm servers to the OU.
If I look in AD there is already an OU called  "Computers", and the farm servers  are part of it.  There's even a security group setup in there which I could possibly use.  When I created the new OU in GP Manager, called "Farm Servers" it shows up in AD, however "Computers" doesn't show up in the Group Policy manager, so I want to make sure I do this right, but am unsure which way to go with this.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40291591
"computers" is not an OU. It is a default container, but OUs have different properties than containers. Even the icons are different in ADUC to easily indicate there is a difference. Computers can be dragged and dropped in ADUC.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40291667
OK.  We're getting closer.  I've moved the farm computers into the new OU.  I've re-run the query and fixed the security error that was preventing the GPO from being applied and now the report shows everything that it should.

I then went to both the farm servers and ran gpupdate /force and made sure that the group policy for those computers was in force.  However when I log on as a remote user the sites still don't show up.  I did notice that the users appear to have the ability to change the sites and maybe this is somehow related.

Is there a step I'm missing?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40291707
Reboot the machine and verify the actual settings using the gpresult wizard. There are some settings that can only be applied during boot up so /force can prove ineffective. And the gpresult can show if a user setting is overriding the computer setting. Precedence comes into effect here.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40293013
Ok.  I've rebooted the servers and things are showing up differently now.  The users now cannot change the trusted sites list.  However the sites I've put into the trusted sites list don't show up either.  I'm not sure if that is the way it works or not.  
One of the sites I've added is *.health.gov.bc.ca  
When the user tries to open the web site it comes up and says some content has been blocked and I think it may have links to other sites, so that is maybe ok but maybe not.
Then they need to look at any one of a number of pdf files on the site.  When they click on a link we get an error saying "You are attempting to download a file from a site that is not part of your Trusted sites..." and it lists http://www.health.gov.bc.ca as the site.

If you want to look at the page in question here is the link.  It's a public government website.
http://www.health.gov.bc.ca/msp/infoprac/physbilling/payschedule/index.html
0
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 1500 total points
ID: 40293023
As I said, use gpresult to actually verify settings using the machine *and user* being tested. IE developer tools can also give you insight into what is going on.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40293410
I'm having some problems running gpresult, so I need a little clearer direction.  We're running a remote desktop farm with a connection broker.
When I log onto remote desktop and try to run gpresult
gpresult /USER test99 /V
All I ever get returned is "User does not have any RSoP data".
If I run this replacing test99 with administrator it works.
I've tried running this on the domain controller as well thinking that maybe it had something to do with access to AD, but I get the same result. I've tried including the domain name in front of the user but again no difference.  I'm not sure if this is relevant but all of our remote users are put into a separate OU in Active Directory and are not included in the builtin User one.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40293429
At this point I am going to suggest hiring a consultant. We are getting into basic troubleshooting here and providing that level of detail through EE just isn't practical.
0
 
LVL 1

Author Comment

by:geekdad1
ID: 40293886
Thanks for your help to this point Cliff.  I appreciate your time, freely given and will consider your advice but for now I'll carry on without you and for the sake of others after me, I will document my progress in EE, because the whole point of this is to be a useful resource to people.

All you need to do is run "gpresult /v" without any switches from the test user account that you are looking at.

Running "GPResult /v" will get you only the user scope info unless you open the command window in run as administrator mode.  From then on you have to use "gpresult /user useraccount /v" which gets you all of the information for both the user scope and the computer scope.
0
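
As a complement to the gpresult output discussed above, this added example (not part of the original thread) lists the site-to-zone entries that policy actually wrote on a farm server, for both the computer and the user scope. It assumes the list is delivered by the "Site to Zone Assignment List" policy, which stores its entries under the Policies `ZoneMapKey` registry key of the machine or user hive; the function name `Get-PolicyZoneMap` is hypothetical.

```powershell
# Added example: show what the Site to Zone Assignment List policy delivered.
# Run inside the test user's session on a farm server; the script only reads.
$policyRoot = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames  = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'
                 '3' = 'Internet';       '4' = 'Restricted sites' }

function Get-PolicyZoneMap {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $key = "${Hive}:\$policyRoot\ZoneMapKey"
    if (-not (Test-Path -Path $key)) { return }   # no policy list in this hive

    $item = Get-Item -Path $key
    foreach ($site in $item.GetValueNames()) {    # value name = site, data = zone number
        $zone = [string]$item.GetValue($site)
        [pscustomobject]@{
            Scope    = if ($Hive -eq 'HKLM') { 'Computer' } else { 'User' }
            Site     = $site
            Zone     = $zone
            ZoneName = $zoneNames[$zone]
        }
    }
}

$entries = @(Get-PolicyZoneMap -Hive HKLM) + @(Get-PolicyZoneMap -Hive HKCU)
if ($entries.Count -eq 0) {
    Write-Warning 'No policy-delivered zone assignments found in either hive.'
} else {
    $entries | Sort-Object Scope, Site | Format-Table -AutoSize
}

# 1 = zone settings come from the machine hive only
# ("Security Zones: Use only machine settings" policy); absent = per-user settings allowed.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$policyRoot" -Name 'Security_HKLM_only' `
                 -ErrorAction SilentlyContinue).Security_HKLM_only
if ($null -eq $hklmOnly) { $hklmOnly = 'not set' }
"Security_HKLM_only = $hklmOnly"
```

An empty result for the Computer scope after a reboot means the computer-side list never reached the server, which points back at GPO linking or security filtering rather than at Internet Explorer.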
 
LVL 1

Author Comment

by:geekdad1
ID: 40340492
Two things outstanding.
1) I still can't understand why when I click on a pdf link on a trusted site page pointing to a link on that site, I get a popup saying you are trying to download a file from a site that is not part of your trusted sites...

2) When I add a site (*.domain.com) to the GPO as a trusted site, http:// for that site works, but https:// for that site doesn't.  So I can't seem to add https sites to the GPO.  Putting https://*.domain.com doesn't seem to work either.
0
