group policy preferences

Discussion in 'Active Directory' started by John Whites, Apr 22, 2008.

  1. John Whites

    John Whites Guest

    Has anyone had any problems with the preferences not working
    correctly/acting funny?

    For instance:

    I created a NEW OU blocked policy inhertance(to make sure NOTHING was
    interfering), then linked a new gpo to this OU and applied a new IE7
    preference setting, and in it I changed the security level to medium and the
    homepage url.

    So i dropped a user in this new ou and logged in and bam...nothing was
    applied. I'm having lots of trouble getting these IE settings to apply in
    other areas of my domain as well.

    Also the tool to edit the IE7 preferences appears to be bugged...you'll
    notice if you hit custom on the security settings and if you change
    something or whatever and hit ok..if you go back, whatever you changed most
    likely will not be changed. It will be back to default...an example of a
    setting is "run signed active x controls". You can change it to enable, and
    hit ok. If you go back it will be set at "prompt" no mater what you do.
     
    John Whites, Apr 22, 2008
    #1
    1. Advertisements

  2. John Whites

    Herb Martin Guest

    1) Blocking inheritance should seldom be used

    2) Blocking will NOT affect a No Override (aka Enforced) Policy
    GPResult and RSoP are your friend.

    Check to see if:

    a) the policy was applied

    b) what other policies were applied (despite the block setting)

    Also, you may wish to use the /z (zuper verbose) switch for the GPResult
    program.
     
    Herb Martin, Apr 22, 2008
    #2
    1. Advertisements

  3. John Whites

    lforbes Guest

    Hi,

    Do you have any other Group Policies or are these the only ones? Are the
    other Group Policies working?

    More than likely if a policy doesn't apply, DNS is to blame. I am not sure
    of your setup but I have my DNS troubleshooting sheet here:

    http://www.sd61.bc.ca/windows2000/dns.htm

    I have my settings set fine and all my IE 7 settings are working.

    Also you might be able to use Group Policy Management Console to test what
    settings are applying.

    Cheers,
    Lara
     
    lforbes, Apr 23, 2008
    #3
  4. John Whites

    John Whites Guest

    Other settings are applying fine, just the IE7 homepage for instance will
    not apply. I've tried it in several different GPOs with several different
    users and it doesn't seem to be functioning correctly...I haven't had any
    problems with any other policies.
     
    John Whites, Apr 23, 2008
    #4
  5. John Whites

    John Whites Guest

    I tried that switch but it doesn't seem to list anything in the
    preferences...here's what I got for an example, however the GPO DOES have
    the IE7 settings (preferences)



    ----------------------------------------------------------

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\test>gpresult /z

    Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/23/2008 at 8:29:50 AM


    RSOP results for USD\test on TST-WKS3 : Logging Mode
    -----------------------------------------------------

    OS Type: Microsoft Windows XP Professional
    OS Configuration: Member Workstation
    OS Version: 5.1.2600
    Domain Name: USD
    Domain Type: Windows 2000
    Site Name: Union
    Roaming Profile:
    Local Profile: C:\Documents and Settings\test
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=TST-WKS3,OU=script,DC=usd,DC=local
    Last time Group Policy was applied: 4/23/2008 at 6:53:32 AM
    Group Policy was applied from: srv-dc1.usd.local
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    ShockwaveTest
    Default Domain Policy
    Global Settings

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    Debugger Users
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    TST-WKS3$
    Domain Computers

    Resultant Set Of Policies for Computer:
    ----------------------------------------

    Software Installations
    ----------------------
    GPO: ShockwaveTest
    Name: Adobe Shockwave Player
    Version: 11.0
    Deployment State: Assigned
    Source:
    \\Srv-file2\software\share\Shockwave\sw_lic_fu
    ll_installer.msi
    AutoInstall: True
    Origin: Applied Application

    GPO: ShockwaveTest
    Name: Adobe Flash Player 9 ActiveX
    Version: 9.0
    Deployment State: Assigned
    Source:
    \\Srv-file2\software\share\Flash\install_flash
    _player_active_x.msi
    AutoInstall: True
    Origin: Removed Package

    GPO: ShockwaveTest
    Name: Adobe Shockwave Player
    Version: 11.0
    Deployment State: Assigned
    Source:
    \\Srv-file2\software\share\Shockwave\sw_lic_fu
    ll_installer.msi
    AutoInstall: True
    Origin: Removed Package

    GPO: ShockwaveTest
    Name: Adobe Flash Player 9 ActiveX
    Version: 9.0
    Deployment State: Assigned
    Source:
    \\Srv-file2\software\share\Flash\install_flash
    _player_active_x.msi
    AutoInstall: True
    Origin: Applied Application

    Startup Scripts
    ---------------
    N/A

    Shutdown Scripts
    ----------------
    N/A

    Account Policies
    ----------------
    GPO: Default Domain Policy
    Policy: MinimumPasswordAge
    Computer Setting: N/A

    GPO: Default Domain Policy
    Policy: PasswordHistorySize
    Computer Setting: N/A

    GPO: Default Domain Policy
    Policy: MinimumPasswordLength
    Computer Setting: N/A

    GPO: Default Domain Policy
    Policy: LockoutBadCount
    Computer Setting: N/A

    GPO: Default Domain Policy
    Policy: MaximumPasswordAge
    Computer Setting: 4294967295

    Audit Policy
    ------------
    N/A

    User Rights
    -----------
    N/A

    Security Options
    ----------------
    GPO: Default Domain Policy
    Policy: RequireLogonToChangePassword
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: PasswordComplexity
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: ForceLogoffWhenHourExpire
    Computer Setting: Not Enabled

    GPO: Default Domain Policy
    Policy: ClearTextPassword
    Computer Setting: Not Enabled

    Event Log Settings
    ------------------
    N/A

    Restricted Groups
    -----------------
    N/A

    System Services
    ---------------
    N/A

    Registry Settings
    -----------------
    N/A

    File System Settings
    --------------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    GPO: Global Settings
    Setting: Software\Policies\Microsoft\Windows
    NT\CurrentVersion\W
    inlogon
    State: Enabled


    USER SETTINGS
    --------------
    CN=test,OU=TestOU2,DC=usd,DC=local
    Last time Group Policy was applied: 4/23/2008 at 8:27:46 AM
    Group Policy was applied from: srv-dc1.usd.local
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    -----------------------------
    TestGPO2

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    LOCAL
    Public File Share Access

    Resultant Set Of Policies for User:
    ------------------------------------

    Software Installations
    ----------------------
    N/A

    Public Key Policies
    -------------------
    N/A

    Administrative Templates
    ------------------------
    N/A

    Folder Redirection
    ------------------
    N/A

    Internet Explorer Browser User Interface
    ----------------------------------------
    N/A

    Internet Explorer Connection
    ----------------------------
    N/A

    Internet Explorer URLs
    ----------------------
    N/A

    Internet Explorer Security
     
    John Whites, Apr 23, 2008
    #5
  6. John Whites

    John Whites Guest

    Interestingly enough, If I use the GPMC in Vista SP1 and look at the
    settings (that report thing) it shows all the other IE7 settings except the
    homepage I have specified (which is what I've been trying to get to work).
    So I edit the GPO again and look at that preference and yes, I have a
    homepage specified. I went to the SYSVOL and opened up the folder for that
    gpo and the preference folder for that gpo and the xml file and it has the
    homepage listed in there as welll...i'm not sure what's going on.
     
    John Whites, Apr 23, 2008
    #6
  7. John Whites

    John Whites Guest

    figured it out...sort of

    i opened the InternetSettings.xml on the sysvol for that GPO and found the
    part for the homepage:

    <Reg id="Homepage" disabled="1" type="REG_SZ" hive="HKEY_CURRENT_USER"
    key="Software\Microsoft\Internet Explorer\Main" name="Start Page"
    value=http://mysite.com/>



    I don't know why it said "disabled=1" but i changed it to 0 and now it
    works...is there a way to enable that from the interface?
     
    John Whites, Apr 23, 2008
    #7
  8. John Whites

    John Whites Guest

    Ahhh figured it out....it's F5....i banged my head against the wall over the
    simplist thing!
     
    John Whites, Apr 23, 2008
    #8
  9. John Whites

    lforbes Guest

    lforbes, Apr 26, 2008
    #9
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.