problems with trusted sites list in GPO not being applied

We are setting up a remote desktop server farm. I've set up a GPO for people who log in remotely, and for the most part everything appears to be set up correctly. One thing doesn't seem to work though.

In the GPO under Computer Configuration (enabled) \ Policies \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page I have a list of sites that I have put into group 2 (trusted sites), that the user will have access to.

The problem is that this list doesn't get applied when a user logs in. They get a message about IE running enhanced security but if I look at the trusted sites, my list is not included.

When I run Group Policy Modeling, I see that the GPO is applied, but none of the Internet Explorer settings show up in the result.

Does anyone have any idea what I'm missing?
Doug Poulin (CTO) Asked:

Chad Franks (Senior System Engineer) Commented:
This was answered here before. I have seen this issue. Please look at this and follow the troubleshooting steps:

http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_26251720.html
0
Cliff Galiher Commented:
You said you set up this GPO for users that log in remotely. But then later you noted you changed the settings under "computer settings" and not under "user settings." Computer settings are applied to computers, and therefore the GPO must be linked to an OU with computer objects. If you only linked this GPO to an OU with remote users, or if you changed the security filter to only apply to a group of users, the computer settings will simply be ignored as they technically do not apply to the identified users.
0
Doug Poulin (CTO, Author) Commented:
The GPO for the remote users shows two major sections.  Computer configuration and User Configuration.  The setting for IE only exists in the computer configuration section.  So do I have to create an OU and put all of the farm servers in it and then link the GPO to it?
0
Cliff Galiher Commented:
That would be the easiest way, yes.
0
Doug Poulin (CTO, Author) Commented:
Ok, so I created the OU, and added the GPO to it, but I don't see where I add the farm servers to the OU.
If I look in AD there is already an OU called "Computers", and the farm servers are part of it. There's even a security group set up in there which I could possibly use. When I created the new OU in GP Manager, called "Farm Servers", it shows up in AD, however "Computers" doesn't show up in the Group Policy manager, so I want to make sure I do this right, but am unsure which way to go with this.
0
Cliff Galiher Commented:
"computers" is not an OU. It is a default container, but OUs have different properties than containers. Even the icons are different in ADUC to easily indicate there is a difference. Computers can be dragged and dropped in ADUC.
0
Doug Poulin (CTO, Author) Commented:
OK.  We're getting closer.  I've moved the farm computers into the new OU.  I've re-run the query and fixed the security error that was preventing the GPO from being applied and now the report shows everything that it should.

I then went to both the farm servers and ran gpupdate /force and made sure that the group policy for those computers was in force.  However when I log on as a remote user the sites still don't show up.  I did notice that the users appear to have the ability to change the sites and maybe this is somehow related.

Is there a step I'm missing?
0
Cliff Galiher Commented:
Reboot the machine and verify the actual settings using the gpresult wizard. There are some settings that can only be applied during boot up so /force can prove ineffective. And the gpresult can show if a user setting is overriding the computer setting. Precedence comes into effect here.
0
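The checks raised in the replies above (where the computer object lives, which GPOs reach it, and which Site to Zone Assignment List values actually landed on the server), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the policy list is stored under the `ZoneMapKey` policy registry key; the function name is hypothetical.

```powershell
# Added example, not from the thread. Run on a farm server.
# HKCU is the hive of whoever runs this, so run it as the user being tested.
Import-Module ActiveDirectory, GroupPolicy

# Zone numbers used by the Site to Zone Assignment List policy.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }
$PolicyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Test-ZonePolicyDelivery {   # hypothetical helper name
    param([string]$ComputerName = $env:COMPUTERNAME)

    # 1. Where does the computer object live? A GPO cannot be linked to a
    #    container (CN=...), only to an OU (OU=...), a site or the domain.
    $dn     = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $parent = $dn.Substring($dn.IndexOf(',') + 1)
    if ($parent -like 'CN=*') {
        Write-Warning "$ComputerName is in container '$parent'; move it to an OU before linking a GPO."
    }
    else {
        # 2. GPOs that reach this OU, in precedence order (Order 1 wins).
        Get-GPInheritance -Target $parent |
            Select-Object -ExpandProperty InheritedGpoLinks |
            Select-Object Order, DisplayName, Enabled, Enforced |
            Format-Table -AutoSize | Out-Host
    }

    # 3. What actually landed in the policy registry, per hive?
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$PolicyKey"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Hive = $hive; Site = '(no policy list)'; Zone = $null }
            continue
        }
        $key = Get-Item -Path $path
        foreach ($site in $key.GetValueNames()) {
            $value = [string]$key.GetValue($site)
            [pscustomobject]@{ Hive = $hive; Site = $site; Zone = $ZoneNames[$value] }
        }
    }
}

Test-ZonePolicyDelivery | Format-Table -AutoSize
```

An empty HKLM result after a reboot means the computer-side list never arrived, which points back to the GPO link or security filtering rather than to Internet Explorer.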
Doug Poulin (CTO, Author) Commented:
Ok.  I've rebooted the servers and things are showing up differently now.  The users now cannot change the trusted sites list.  However the sites I've put into the trusted sites list don't show up either.  I'm not sure if that is the way it works or not.  
One of the sites I've added is *.health.gov.bc.ca  
When the user tries to open the web site it comes up and says some content has been blocked and I think it may have links to other sites, so that is maybe ok but maybe not.
Then they need to look at any one of a number of pdf files on the site. When they click on a link we get an error saying "You are attempting to download a file from a site that is not part of your Trusted sites..." and it lists http://www.health.gov.bc.ca as the site.

If you want to look at the page in question here is the link.  It's a public government website.
http://www.health.gov.bc.ca/msp/infoprac/physbilling/payschedule/index.html
0
Cliff Galiher Commented:
As I said, use gpresult to actually verify settings using the machine *and user* being tested. IE developer tools can also give you insight into what is going on.
0
Doug Poulin (CTO, Author) Commented:
I'm having some problems running gpresult, so I need a little clearer direction.  We're running a remote desktop farm with a connection broker.
When I log onto remote desktop and try to run gpresult
gpresult /USER test99 /V
All I ever get returned is "User does not have any RSoP data".
If I run this replacing test99 with administrator it works.
I've tried running this on the domain controller as well thinking that maybe it had something to do with access to AD, but I get the same result. I've tried including the domain name in front of the user but again no difference.  I'm not sure if this is relevant but all of our remote users are put into a separate OU in active directory and are not included in the builtin User one.
0
Cliff Galiher Commented:
At this point I am going to suggest hiring a consultant. We are getting into basic troubleshooting here and providing that level of detail through EE just isn't practical.
0
Doug Poulin (CTO, Author) Commented:
Thanks for your help to this point Cliff.  I appreciate your time, freely given and will consider your advice but for now I'll carry on without you and for the sake of others after me, I will document my progress in EE, because the whole point of this is to be a useful resource to people.

All you need to do is run "gpresult /v" without any switches from the test user account that you are looking at.

Running "GPResult /v" will get you only the user scope info unless you open the command window in run as administrator mode.  From then on you have to use "gpresult /user useraccount /v" which gets you all of the information for both the user scope and the computer scope.
0
Doug Poulin (CTO, Author) Commented:
Two things outstanding.
1) I still can't understand why when I click on a pdf link on a trusted site page pointing to a link on that site, I get a popup saying you are trying to download a file from a site that is not part of your trusted sites...

2) When I add a site (*.domain.com) to the GPO as a trusted site, http:// for that site works, but https:// for that site doesn't. So I can't seem to add https sites to the GPO. Putting https://*.domain.com doesn't seem to work either.
0
Windows Server 2012
Question has a verified solution.