Re: At this point, I'm wondering if GPOs even work?


Two things to factor into your experience/understanding of GPO . . .
1. At support.microsoft.com search on terms linking GPO, IE, admin
templates, IE admin kit, etc. and you will find quite a few "exception"
cases mentioned wherein the IE admin template does not always do
as one expects.
2. If a GPO has applied onto a system, and there is no later change
in the GPO, then its version numbering is not changed. In this case
the GPO is not reapplied unless policies have been set to always
reapply policies even when there has been no change. This means
that if the user can and does change the settings, they will stay that
way until the policy is reapplied, such as when triggered by a change
in the governing GPO's version number.

"Nivek R." <obi_wan_1111@xxxxxxxxx> wrote in message
news:uiCdqeFgGHA.764@xxxxxxxxxxxxxxxxxxxxxxx
I'm exhausted. Any help would be greatly appreciated.

I'm running a 2003 AD, and am trying to enable and enforce pop-up blocking
in IE6 SP2 on XP SP2 PCs. I have 2 PCs in a Test OU and I'm applying a
Test GPO to them. Before configuring ANY policies, I unchecked the "Use
Pop-up Blocker" box on one and checked it on the other. First, I tried
setting "Turn off pop-up management" to "Disabled" in Comp. Config \
Windows Components \ Internet Explorer, and "Use Pop-up Blocker" to
"Enabled" in Comp. Config \ Windows Components \ Internet Explorer \
Internet Control Panel \ Security Page \ [All] Zone[s] (that is, I set it
to enabled for each and every zone). It didn't work, even after going
through all relevant troubleshooting steps in Microsoft's 53-page Group
Policy Troubleshooting Document (gp_troubleshooting.doc). In the process,
I ensured that DNS was working properly (nslookup from affected clients),
ensured GPOs were replicating between domain controllers (gpotool.exe,
sonar.exe), ensured no GPOs nor local policy were superseding my Test GPO
(Blocked Inheritance of DDP and other GPOs, Enforced my GPO), ensured my
clients were getting the correct GPOs and Policies (gpresult.exe,
rsop.msc, userenv.log), ensured firewall was not blocking gpupdates
(turned off firewall on both machines, you never know with Windows
Firewall so I did this "just in case"), and verified the integrity of
GPO-related files using sfc /scannow.

After about 1 1/2 days of troubleshooting, I ran across KB Article 843016,
which infers that I should be doing this in User Config, not Computer
Config (so why do these settings even exist in Computer Config if they
don't work?). So I disabled all of my computer settings, did gpupdate
/force on my clients and ensured that I was back at square one. I then
set "Turn off pop-up management" to "Disabled" and "Use Pop-up Blocker" to
"Enabled" (for ALL zones) in the USER config AND IT ACTUALLY WORKED!
Well, sort of...

After I got it to work, I went in as the user (without admin rights, mind
you), and unchecked the "Use Pop-up Blocker" box in IE. I then gave the
machine some time to rest (and some time for GPOs to re-assert
themselves), rebooted a couple of times just to be superstitious, did a
couple of "gpupdate /force" commands in between, and went back into IE,
only to find that THE "USE POP-UP BLOCKER" BOX REMAINED UNCHECKED! Just
to try to "goose" the servers, I disabled the "Enforced" and "Block
Inheritance" features and re-enabled them. I waited long enough for GPOs
to replicate among DCs again, and went back through the whole gamut of
tools to verify everything was as it was supposed to be (gpotool,
gpresult, rsop, sonar, the GPMC - including GP Modeling and GP Results
wizard). All of the settings appear to be percolating as they're supposed
to, however there's one oddity:

-When I look at the "Settings" tab in the GPMC to view the applied
settings of my GPO in HTML format, I see the setting for the policy "Use
Pop-up Blocker" as being "Enabled" for all zones, but underneath each
zone, I see a subheading in light blue that says either "Enable" or
"Disable" depending upon the zone (see attached). I think this is showing
me the default setting, as KB Article 182569 indicates that Pop-up blocker
is disabled in these same zones by default.

I really don't want to have to give regular users access to registry
editing tools in order to get this policy to stick (otherwise I'd just
drop a .reg entry into a logon batch file). I want the GPO to deliver and
enforce the policy. I think I have the same thing going on when trying to
encrypt my Offline Files Cache through GPOs. I'd also like to apply a
policy that allows firewall exceptions for wuauclt.exe. But to ensure
that all of these policies are actually going to work, I'd like to get
this one working first. Please help.

-Nivek R.
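
Point 2 of the reply above, sketched as an added example that is not part of the original thread: a GPO whose version has not changed is skipped on refresh, so a setting the user altered locally stays altered until the version moves or "always reprocess" is configured. It assumes the GPT.INI layout in which the upper 16 bits of `Version` hold the user-side revision and the lower 16 bits the computer-side revision; the `refresh` model, the `client` dictionary and the sample version values are constructed for illustration and simplify what the real client does.

```python
import configparser

# Constructed GPT.INI contents (sample values, not taken from the thread).
GPT_INI_BEFORE = "[General]\nVersion=196612\n"   # user=3, computer=4
GPT_INI_AFTER = "[General]\nVersion=262148\n"    # user=4, computer=4


def gpo_version(gpt_ini_text):
    """Parse GPT.INI text and return (user_version, computer_version)."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    raw = int(parser["General"]["Version"])
    # High 16 bits count user-side edits, low 16 bits computer-side edits.
    return (raw >> 16) & 0xFFFF, raw & 0xFFFF


def refresh(client, gpt_ini_text, policy_value, always_reprocess=False):
    """Simplified model (an assumption) of one user-policy refresh.

    client: dict with 'applied_user_version' and 'setting'.
    Returns True if the policy value was written again.
    """
    user_version, _ = gpo_version(gpt_ini_text)
    changed = user_version != client["applied_user_version"]
    if not (changed or always_reprocess):
        return False  # GPO skipped; the user's local change is left alone
    client["setting"] = policy_value
    client["applied_user_version"] = user_version
    return True


def demo():
    """User flips the setting, then two refreshes run against the GPO."""
    client = {"applied_user_version": 3, "setting": "blocker on"}
    client["setting"] = "blocker off"  # user unticks the box in IE
    results = [refresh(client, GPT_INI_BEFORE, "blocker on")]  # same version
    drift_survived = client["setting"] == "blocker off"
    results.append(refresh(client, GPT_INI_AFTER, "blocker on"))  # user half bumped
    return results, drift_survived, client["setting"]


if __name__ == "__main__":
    print(demo())
```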



