Solved

RDS/Terminal Server IE Security Zones

Posted on 2014-09-16
8
163 Views
Last Modified: 2015-04-19
Thank you in advance for all you help. I have a number of sites that are configured on the users profile on their windows 7 desktop via GPO for IE security levels and that is setup and working as expected.

Each user also has a Terminal Servies/RDS on my servers that is used as well for remote access. The server is a Windows 2008 R2 Enterprise running RDS. The sites do not get setup correctly under RDS.

Please help me figure out how to setup the sites under RDS as the are on the desktop. Thanks!
0
Comment
Question by:gpradmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40328033
simply create an OU for your Terminal servers and link the GPO you created for your users.


    Create a GPO for your IE settings, link it to the Terminal Services OU.
    Open GPO for IE settings
    Navigate to: User Configuration\Policies\Windows Settings\ Internet Explorer Maintenance\Security
    Change settings and click OK.
    Test by running gpupdate /force or have log off/on the Terminal Server.
0
 
LVL 15

Expert Comment

by:joharder
ID: 40328354
The IE Security settings are somewhat flaky and may not apply properly.

If the inherent GPOs do not work correctly for you, you should configure Group Policy Preferences / Registry in order to force the settings via registry.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 40329203
The other critical piece to becraig's solution is to make sure you enable Loopback processing in your group policy settings - It will be in the machine section, administrative templates, (I think under System/Group Policy).  

By default, the policies on the machine's OU will only process the machine settings.  The user settings are ignored.  However, Loopback changes that behavior.  If you have loopback turned on, then 1 of 2 things happens, depending on which model you pick.

1. Merge -the machine policies are applied, the user's policies are applied, and then the user policies from the machine's OU are applied.
2. Replace - the machine policies are applied, and then the user policies from the machine's OU are applied, and the user's OU policies are ignored.

I've used the IE maintenance settings for years without any issue.  *HOWEVER*.. and this is a big one... the IE Maintenance policies are *not* used with IE10 and above.  Only IE9 and earlier will use those policies you are setting.  If you need to use IE10 and up, then you need to use the Group Policy Preferences section to apply your settings.

Coralon
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 

Author Comment

by:gpradmin
ID: 40331671
Thank you all for you suggestions. Ill test over the weekend on follow on Monday
0
 

Author Comment

by:gpradmin
ID: 40335482
I configured the loop back and that did not work. I also configuered the user setting in the TS user settings to match the default policy user settings.

I got an message about upadting the .adm files, but when I looked at the MS site the .adm files they show as current are from 2008.

This is the exact error I get when running a gpupdate / force

"Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
lorer Zonemapping settings might have its own log file. Please click on the "Mor
e information" link.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results."

The Settings are currentky in user config/Admin Templates/Interenet explorer/Internet control Panel/Security/Site to Zone Assignement.

Any thought?
0
 

Author Comment

by:gpradmin
ID: 40335499
Also I am having a hard time configuring the IE Enhance Security to be disable in Server manager for both users and admins, but when I log in as a use it shows it still enabled - any ideas?
0
 
LVL 25

Expert Comment

by:Coralon
ID: 40335723
Did you confirm the IE version?
Can you post your file from the gpresult /h?

Coralon
0
 
LVL 15

Accepted Solution

by:
joharder earned 500 total points
ID: 40339206
IE ESC is painful to configure via GPO.  Another case where the GPO just doesn't "listen" to what it's being told to do.  It reverts back to enabled -- and is there anyone that keeps IE ESC enabled???

Set these items via registry GPP for computers:
1. Disable IE ESC for admins:
Action Update
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Value name IsInstalled
Value type REG_DWORD
Value data 0x0 (0)

2. Disable IE ESC for users:
Action Update
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Value name IsInstalled
Value type REG_DWORD
Value data 0x0 (0)
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question