Re: At this point, I'm wondering if GPOs even work?

FWIW, what is set in a policy does not bubble up into the user interface.
Therefore while you think that the user has control over said setting, they
really don't.

"Nivek R." <obi_wan_1111@xxxxxxxxx> wrote in message
news:uiCdqeFgGHA.764@xxxxxxxxxxxxxxxxxxxxxxx
I'm exhausted. Any help would be greatly appreciated.

I'm running a 2003 AD, and am trying to enable and enforce pop-up blocking
in IE6 SP2 on XP SP2 PCs. I have 2 PCs in a Test OU and I'm applying a
Test GPO to them. Before configuring ANY policies, I unchecked the "Use
Pop-up Blocker" box on one and checked it on the other. First, I tried
setting "Turn off pop-up management" to "Disabled" in Comp. Config \
Windows Components \ Internet Explorer, and "Use Pop-up Blocker" to
"Enabled" in Comp. Config \ Windows Components \ Internet Explorer \
Internet Control Panel \ Security Page \ [All] Zone[s] (that is, I set it
to enabled for each and every zone). It didn't work, even after going
through all relevant troubleshooting steps in Microsoft's 53-page Group
Policy Troubleshooting Document (gp_troubleshooting.doc). In the process,
I ensured that DNS was working properly (nslookup from affected clients),
ensured GPOs were replicating between domain controllers (gpotool.exe,
sonar.exe), ensured no GPOs nor local policy were superseding my Test GPO
(Blocked Inheritance of DDP and other GPOs, Enforced my GPO), ensured my
clients were getting the correct GPOs and Policies (gpresult.exe,
rsop.msc, userenv.log), ensured firewall was not blocking gpupdates
(turned off firewall on both machines, you never know with Windows
Firewall so I did this "just in case"), and verified the integrity of
GPO-related files using sfc /scannow.

After about 1 1/2 days of troubleshooting, I ran across KB Article 843016,
which infers that I should be doing this in User Config, not Computer
Config (so why do these settings even exist in Computer Config if they
don't work?). So I disabled all of my computer settings, did gpupdate
/force on my clients and ensured that I was back at square one. I then
set "Turn off pop-up management" to "Disabled" and "Use Pop-up Blocker" to
"Enabled" (for ALL zones) in the USER config AND IT ACTUALLY WORKED!
Well, sort of...

After I got it to work, I went in as the user (without admin rights, mind
you), and unchecked the "Use Pop-up Blocker" box in IE. I then gave the
machine some time to rest (and some time for GPOs to re-assert
themselves), rebooted a couple of times just to be superstitious, did a
couple of "gpupdate /force" commands in between, and went back into IE,
only to find that THE "USE POP-UP BLOCKER" BOX REMAINED UNCHECKED! Just
to try to "goose" the servers, I disabled the "Enforced" and "Block
Inheritance" features and re-enabled them. I waited long enough for GPOs
to replicate among DCs again, and went back through the whole gamut of
tools to verify everything was as it was supposed to be (gpotool,
gpresult, rsop, sonar, the GPMC - Including GP Modeling and GP Results
wizard. All of the settings appear to be percolating as they're supposed
to, however there's one oddity:

-When I look at the "Settings" tab in the GPMC to view the applied
settings of my GPO in HTML format, I see the setting for the policy "Use
Pop-up Blocker" as being "Enabled" for all zones, but underneath each
zone, I see a subheading in light blue that says either "Enable" or
"Disable" depending upon the zone (see attached). I think this is showing
me the default setting, as KB Article 182569 indicates that Pop-up blocker
is disabled in these same zones by default.

I really don't want to have to give regular users access to registry
editing tools in order to get this policy to stick (otherwise I'd just
drop a .reg entry into a logon batch file). I want the GPO to deliver and
enforce the policy. I think I have the same thing going on when trying to
encrypt my Offline Files Cache through GPOs. I'd also like to apply a
policy that allows firewall exceptions for wuauclt.exe. But to ensure
that all of these policies are actually going to work, I'd like to get
this one working first. Please help.

-Nivek R.




.

Relevant Pages

  • Re: Changes to default Group Policy
    ... I am already using GPMC to manage GPOs. ... Policy and Default Domain Controllers Policy was first created? ... settings, I find comparing manually to be very time consuming. ... if there was a tool that I could use that would compare the default policies ...
    (microsoft.public.windows.group_policy)
  • Re: Hang @ Applying Computer Settings/Applying Your Personal Setti
    ... each DC and they came back with all Passed or Policy OK. ... Group Policy was applied from: ... The user received "Registry" settings from these GPOs: ... The user received "Internet Explorer Branding" settings from these GPOs: ...
    (microsoft.public.windows.group_policy)
  • Re: Group policy-information stored
    ... It might help if it you can post your computer configuration gpresult from a domain ... Domain account/password policy may not apply to local machine accounts for domain ... The computer received "Registry" settings from these GPOs: ...
    (microsoft.public.win2000.group_policy)
  • Re: 2000 server NT clients
    ... NT won't understand GPOs, you need Win2K clients or newer. ... Migrates settings from Windows NT 4.0 policy files to the Windows 2000 Group ...
    (microsoft.public.win2000.group_policy)
  • Re: scripted logon
    ... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
    (microsoft.public.windows.terminal_services)