Re: IE Security Group Policy
- From: QBS <brent@xxxxxxxxxxxxxx>
- Date: Sun, 07 Jan 2007 00:32:17 -0600
Completed Steps 1 and 2. My goal is/was to avoid having to do Step 3/Step 4 on each client computer (adding companyweb to the Local Intranet/Trusted Sites fixes the problem). All clients were IE6. Tested with one client - upgraded to IE7, which fixed the problem - apparently the GPO is applied to IE7 (and not 6?) or the default settings for the client IE7 installation now work for the companyweb on the Intranet. Unfortunately, IE7 appears to conflict with some installed applications - so IE7 upgrade is not the best option for all right now...
When I click the details tab for the non-enhanced security GPO, the report errors out (unknown error) - why is this happening? Is this related to the reason why the GPO is not applied to the IE6 clients?
Thanks
Terence Liu [MSFT] wrote:
Hello Customer,
Thanks for posting here.
According to your description, I understand that SBS users need to input username and password to access the Companyweb and the GPO did not apply on correct clients. If I have misunderstood the problem, please do not hesitate to let me know.
Based on my research, please ensure all clients are logged in to the domain. And then, I suggest we try the following steps to see if we can resolve this issue:
Step 1:
1. In the Security filtering of the GPO, please select the user account or groups who need to apply this GPO.
2. Run gpupdate /force on the server.
3. Log off and log on one time on the client machine.
Step 2: Check the IIS settings on the SBS Server:
1. Run 'inetmgr' (without the quotation marks) on the command prompt on the SBS Server, expand Web Sites, right-click Companyweb and select Properties.
2. Click the Directory Security tab, click Edit for 'Authentication and access control'.
3. Make sure only the 'Integrated Windows authentication' option is checked.
4. Run 'iisreset' (without the quotation marks) on the command prompt on the SBS Server, and then try again.
Step 3: Check the IE settings on the client workstation:
1. Open Internet Options.
2. Click the Security tab and select Local intranet.
3. Click Custom Level and select "Automatic logon only in Intranet zone" or "Automatic logon with current username and password" option.
4. Access http://companyweb again.
Step 4: Delete Enhanced Security Settings component in IE7 on all clients and SBS server:
a. Open Control Panel on your problematic machines, go to Add/Remove Programs->Add/Remove Windows Components.
b. Uninstall Internet Explorer Enhanced Security by unchecking the name.
c. Restart IE 7.
d. Test this issue.
If the issue persists, please kindly help me collect some information for further investigation:
1. Please describe your symptom more clearly.
2. Are there any IE6 clients? Can they apply the GPO and access companyweb successfully?
3. Gather the error message and let me know.
4. Gather metabase:
a. Install .NET Framework Version 1.1: http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en.
b. Install MBExplorer by installing IIS 6 Resource Kit Tools: http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en.
c. Once it is installed, access it from Start, Programs, IIS Resources, Metabase Explorer.
d. In the left pane, right click ''LM'' (under your server computer name) to choose ''Export to file'', and then save it as IIS.mbk.
e. Compress this mbk file and send it to me for analysis.
Please send these log files to my mailbox: v-terliu@xxxxxxxxxxxxx
Hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Date: Tue, 02 Jan 2007 10:07:07 -0600
| From: QBS <brent@xxxxxxxxxxxxxxxxxxx>
| Subject: IE Security Group Policy
|
| I am figuring things out as I go here, but I think I am finally stuck:
| I created two GPOs for IE security - to resolve the problem below that I
| never posted. Here's what I did - can someone tell me why it doesn't work?
|
| 1) Disabled IE Enhanced Security on server
| 2) GPMC -> Forest -> Domains -> Domain :xxx.local -> Group Policy
| Objects -> New -> Edit -> User Config -> Windows Settings -> Internet
| Explorer Maintenance -> Security -> Security Zones and Ratings -> Import
| Current Security Zones
| 3) Enable IE Enhanced Security on server
| 4) Repeat step 2
| 5) Drag & Drop 2 new GPOs to Domain : xxx.local - did this link it
| correctly?
|
| This does not force the settings as I had desired. When I run the
| settings report on the Enhanced GPO, it looks right. When I run the
| settings report on the non-Enhanced GPO, an unknown error occurs when
| generating the HTML report. When I log into a client machine (IE6,
| non-enhanced security, I think - How to check?) I still have the same
| problem as below.
|
| Thanks much.
|
| --------------------another post that never made it---------------------
|
| Can group policy (or other method) be used to force companyweb to be
| part of the Local Intranet Zone in IE? For whatever reason, most users
| on this new domain have none of the options checked and no sites in
| IE->Options->Local Intranet->Sites. I don't want to have to have each
| user edit by hand. My reason for asking is below, which was to be part
| of another post, until I found that *this* was the cause of my problems.
|
| ------------------------------Previously composed post------------
|
| Some but not all users are asked to enter user/pass when navigating to
| companyweb.
|
| New server w/ SBS2003 R2 preinstalled , XP clients. If I remember
| right, this was not an issue initially. I have added roaming profiles
| since.
|
| I (with an Admin account) can use companyweb on the server w/o being
| asked. I checked on 2 client machines, I am asked to re-enter user/pass
| (current password works). On one of the client machines, I tried other
| user accounts (Admin, Power User, Mobile User, Domain User) -- the
| Domain User did not require further authentication, the other 3 did.
|
| IOW, it would seem to be a user rights issue (except that I browse from
| the server w/o a problem). I do not see the difference between the user
| that works and the other users that do not work (all users created with
| the wizard).
|
| Much thanks for your help.
|
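Added example, not part of the thread: a read-only PowerShell check for a client workstation that reports, for the logged-on user, whether IE maps companyweb to a zone, whether a Site to Zone Assignment policy entry exists, whether Enhanced Security Configuration is active, and which logon mode the Local intranet zone uses (the setting from Step 3). It assumes Windows PowerShell 3.0 or later and inspects only the per-user (HKCU) keys; `Get-RegValue` and `Resolve-Label` are helper names made up for this example.

```powershell
# Added example, read-only: run as the affected user on a client workstation.
# 'companyweb' is the site named in the thread; only HKCU keys are inspected.
$site = 'companyweb'
$pref = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$zoneName  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
# Values of URL action 1A00 (logon) as stored in the zone's registry key.
$logonMode = @{ 0      = 'Automatic logon with current username and password'
                65536  = 'Prompt for user name and password'
                131072 = 'Automatic logon only in Intranet zone'
                196608 = 'Anonymous logon' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null for a missing key or value instead of raising an error.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) { $p = $item.PSObject.Properties[$Name]; if ($p) { $p.Value } }
}
function Resolve-Label($Table, $Value) {
    if ($null -eq $Value) { 'not set' }
    elseif ($Table.ContainsKey([int]$Value)) { $Table[[int]$Value] }
    else { "unrecognised value $Value" }
}

# IEHarden = 1 means IE Enhanced Security Configuration is active for this user;
# IE then reads site assignments from EscDomains instead of Domains.
$esc    = (Get-RegValue "$pref\ZoneMap" 'IEHarden') -eq 1
$domKey = if ($esc) { 'EscDomains' } else { 'Domains' }
$zone   = Get-RegValue "$pref\ZoneMap\$domKey\$site" 'http'
if ($null -eq $zone) { $zone = Get-RegValue "$pref\ZoneMap\$domKey\$site" '*' }
# "Site to Zone Assignment List" policy entries are stored as "url" = "zone number".
$polZone = Get-RegValue "$pol\ZoneMapKey" "http://$site"
if ($null -eq $polZone) { $polZone = Get-RegValue "$pol\ZoneMapKey" $site }
# Check the policy copy of 1A00 first, then the user's own preference.
$logon = Get-RegValue "$pol\Zones\1" '1A00'
if ($null -eq $logon) { $logon = Get-RegValue "$pref\Zones\1" '1A00' }

[pscustomobject]@{
    User                   = "$env:USERDOMAIN\$env:USERNAME"
    EnhancedSecurityActive = $esc
    SiteZoneUserSetting    = Resolve-Label $zoneName $zone
    SiteZonePolicy         = Resolve-Label $zoneName $polZone
    # 1 = "Include all local (intranet) sites not listed in other zones" is checked.
    IntranetNameRule       = Get-RegValue "$pref\ZoneMap" 'IntranetName'
    IntranetZoneLogon      = Resolve-Label $logonMode $logon
} | Format-List
```

Running it under an account that is prompted and under one that is not gives a side-by-side view of which per-user setting differs.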