RE: IE Security Group Policy



Hello Customer,

Thanks for posting here.

According to your description, I understand that SBS users need to enter a
username and password to access Companyweb and that the GPO did not apply to
the correct clients. If I have misunderstood the problem, please do not
hesitate to let me know.

Based on my research, please ensure all clients are logged on to the domain.
Then, I suggest we try the following steps to see if we can resolve this issue:

Step 1:
1. In the Security filtering of the GPO, please select the user account or
groups who need to apply this GPO.

2. Run gpupdate /force on the server.

3. Log off and log on one time on the client machine.

Step 2: Check the IIS settings on the SBS Server:

1. Run 'inetmgr' (without the quotation marks) on the command prompt on
the SBS Server, expand Web Sites, right-click Companyweb and select
Properties.

2. Click the Directory Security tab, click Edit for 'Authentication and
access control'.

3. Make sure that only the 'Integrated Windows authentication' option is
checked.

4. Run 'iisreset' (without the quotation marks) on the command prompt on
the SBS Server, and then try again.

Step 3: Check the IE settings on the client workstation:

1. Open Internet Options.

2. Click the Security tab and select Local intranet.

3. Click Custom Level and select "Automatic logon only in Intranet zone" or
"Automatic logon with current username and password" option.

4. Access http://companyweb again.

Step 4: Delete Enhanced Security Settings component in IE7 on all clients
and SBS server:

a. Open Control Panel on your problematic machines and go to Add/Remove
Programs->Add/Remove Windows Components.

b. Uninstall Internet Explorer Enhanced Security by unchecking the name.

c. Restart IE 7.

d. Test this issue.

If the issue persists, please kindly help me collect some information for
further investigation:

1. Please describe your symptom more clearly.

2. Are there any IE6 clients? Can they apply the GPO and access companyweb
successfully?

3. Gather the error message and let me know.

4. Gather metabase:

a. Install .NET Framework Version 1.1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en

b. Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en

c. Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.

d. In the left pane, right click "LM" (under your server computer name)
to choose "Export to file", and then save it as IIS.mbk.

e. Compress this mbk file and send it to me for analysis.

Please send these log files to my mailbox: v-terliu@xxxxxxxxxxxxx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support


--------------------
| NNTP-Posting-Date: Tue, 02 Jan 2007 10:07:13 -0600
| Date: Tue, 02 Jan 2007 10:07:07 -0600
| From: QBS <brent@xxxxxxxxxxxxxxxxxxx>
| User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
| MIME-Version: 1.0
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: IE Security Group Policy
| Content-Type: text/plain; charset=ISO-8859-1; format=flowed
| Content-Transfer-Encoding: 7bit
| Message-ID: <2c-dncd-Y76sHgfYnZ2dnUVZ_vCknZ2d@xxxxxxxxxxxxxx>
| Lines: 53
| NNTP-Posting-Host: 69.29.89.166
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:7630
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I am figuring things out as I go here, but I think I am finally stuck:
| I created two GPOs for IE security - to resolve the problem below that I
| never posted. Here's what I did - can someone tell me why it doesn't
| work?
|
| 1) Disabled IE Enhanced Security on server
| 2) GPMC -> Forest -> Domains -> Domain :xxx.local -> Group Policy
| Objects -> New -> Edit -> User Config -> Windows Settings -> Internet
| Explorer Maintenance -> Security -> Security Zones and Ratings -> Import
| Current Security Zones
| 3) Enable IE Enhanced Security on server
| 4) Repeat step 2
| 5) Drag & Drop 2 new GPOs to Domain : xxx.local - did this link it
| correctly?
|
| This does not force the settings as I had desired. When I run the
| settings report on the Enhanced GPO, it looks right. When I run the
| settings report on the non-Enhanced GPO, an unknown error occurs when
| generating the HTML report. When I log into a client machine (IE6,
| non-enhanced security, I think - How to check?) I still have the same
| problem as below.
|
| Thanks much.
|
| --------------------another post that never made it---------------------
|
| Can group policy (or other method) be used to force companyweb to be
| part of the Local Intranet Zone in IE? For whatever reason, most users
| on this new domain have none of the options checked and no sites in
| IE->Options->Local Intranet->Sites. I don't want to have to have each
| user edit by hand. My reason for asking is below, which was to be part
| of another post, until I found that *this* was the cause of my problems.
|
| ------------------------------Previously composed post------------
|
| Some but not all users are asked to enter user/pass when navigating to
| companyweb.
|
| New server w/ SBS2003 R2 preinstalled , XP clients. If I remember
| right, this was not an issue initially. I have added roaming profiles
| since.
|
| I (with an Admin account) can use companyweb on the server w/o being
| asked. I checked on 2 client machines, I am asked to re-enter user/pass
| (current password works). On one of the client machines, I tried other
| user accounts (Admin, Power User, Mobile User, Domain User) -- the
| Domain User did not require further authentication, the other 3 did.
|
| IOW, it would seem to be a user rights issue (except that I browse from
| the server w/o a problem). I do not see the difference between the user
| that works and the other users that do not work (all users created with
| the wizard).
|
| Much thanks for your help.
|
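
A read-only check for the client-side settings discussed in Step 3 and in the question about forcing companyweb into the Local Intranet zone. This is an added example, not part of either post; the registry paths and value names are the standard per-user Internet Explorer locations and are assumptions, since the thread does not name them.

```powershell
# Added example: report the current user's IE zone settings that decide
# whether http://companyweb gets automatic Windows logon. Read-only.
# Assumption: standard per-user IE registry layout (not stated in the thread).
$site = 'companyweb'   # host name used in the thread
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Translate the "User Authentication > Logon" value (1A00) of a zone.
function Get-LogonMode($value) {
    if ($null -eq $value) { return 'not set for this user' }
    switch ([int]$value) {
        0x00000 { 'Automatic logon with current username and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { "unrecognized value $value" }
    }
}

# 1. Explicit site-to-zone mapping. "Domains" is used normally,
#    "EscDomains" while IE Enhanced Security Configuration is enabled.
foreach ($branch in 'Domains', 'EscDomains') {
    $key = "$inet\ZoneMap\$branch\$site"
    if (-not (Test-Path $key)) { "$branch\$site : no explicit mapping"; continue }
    $k = Get-Item -Path $key
    foreach ($scheme in 'http', 'https', '*') {
        $zone = $k.GetValue($scheme)   # 1 = Local intranet, 2 = Trusted, 3 = Internet
        if ($null -ne $zone) { "$branch\$site [$scheme] -> zone $zone" }
    }
}

# 2. The check boxes under Local intranet > Sites (1 = checked).
if (Test-Path "$inet\ZoneMap") {
    $zm = Get-Item -Path "$inet\ZoneMap"
    foreach ($name in 'IntranetName', 'ProxyBypass', 'UNCAsIntranet', 'AutoDetect') {
        "{0} = {1}" -f $name, $zm.GetValue($name)
    }
}

# 3. Logon setting of the Local intranet zone (zone 1).
$logon = $null
if (Test-Path "$inet\Zones\1") { $logon = (Get-Item "$inet\Zones\1").GetValue('1A00') }
"Local intranet logon (1A00): " + (Get-LogonMode $logon)
```

Run it as an affected user and as the Domain User account that works, then compare the two outputs. It reads the preference keys only; settings delivered as policies are stored under `Software\Policies` and are not covered.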
