I've set my domain default GPO to force the IE zone settings to
"Medium" for the Internet template and "High" for the Restricted
template. The problem is that only about half of the computers (all XP
Pro) are using the settings. The remainer are retaining "Custom"
settings for their user accounts.
I've tried setting the GPO for both Computer Configuration and User
Configuration. The problem seems to apply to both the user account for
the user currently using the computer and for user accounts for
previous users of the computer (including some users who are no longer
have accounts).
Is there anything particular about pushing out GPO's to computers where
users have already set a "Custom" setting within their IE local
settings? If that's the problem, shouldn't a GPO override that?
Is there anything I can do to wipe out these custom settings remotely,
like a registry hack?
I'm getting this information from MS Baseline Security Analyzer 2.0.
Re: User Login ... The setting I'm referring to in item #1 is a Computer Configuration setting, so applying a GPO with this setting to an OU that only has User Accounts in it will have no affect whatsoever. ... The GPO must be applied to an OU that has Computer Accounts in it to be any use. ... If you want to, you can specify the user accounts in the GPO setting (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment Deny log on locally), but I suspect it will be easier in the long run to specify a group name here and put the e-mail only user accounts into that group. ... the domain group called Domain Users is a member of the local Users group on all computers; this is usually why any domain user can logon at any domin member computer. ... (microsoft.public.windows.server.active_directory)
Re: Loopback policy enabled, seems to cause login script to run twice ... The scope of the Loopback processing setting is the computers to which the GPO containing it applies to, regardless of which actual GPO it is included in. ... the User Configuration settings from any GPO that applies to the computer are applied ... Sounds like you have included the setting that runs the Logon Script so high in the OU hierarchy that that GPO is in scope for both User accounts and Computer accounts. ... (microsoft.public.windows.group_policy)
Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops ... I suggest not mixing Computer Settings and User Settings in the same GPO - this restricts your flexibility and can be confusing ... if you put the laptops' user accounts into a seperate OU from the desktops, then you can use loopback processing to apply different User Configuration settings to the laptops and desktops if you also seperate out the settings you want to be different into seperate GPOs ... User Configuration, Network, Offline Files, "Do not automatically make redirected folders available offline" prevents that from happening BEFORE redirecting any folders - its not retro active. ... (microsoft.public.windows.group_policy)
Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops ... I suggest not mixing Computer Settings and User ... Settings in the same GPO - this restricts your flexibility and can be ... Configuration settings to the laptops and desktops if you also ... User Configuration, Network, Offline Files, "Do not ... (microsoft.public.windows.group_policy)
Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!! ... User and Computer settings a single GPO,.... OU with the Terminal Server computer accounts,... See in particular the section called "Group Policy Loopback... (microsoft.public.windows.group_policy)
