| Author | Messages | |
kcnychief
Posts:0
 | | 08/06/2010 3:55 PM |
| Hi List,
I have an Internet Explorer setting GPO at the root level of the domain, which, among other things, manages trusted sites and ActiveX behavior for the Trusted Site zone. I have a need to apply different settings to an OU that contains machines for Windows XP. So, I created the GPO, linked it only to that OU, used Internet Explorer Maintenance to apply my settings (from a Windows Vista PC, but since ESC is not enabled in either place I assume that should be OK), then made my changes.
I noticed the desired changes did not take effect on the XP machines after doing a gpupdate /force. I did a gpresult, saw that from a Computer perspective the GPO was being filtered out because it was empty, and it wasn't listed under the user result. I did a Group Policy Result on the Target PC, and here is pretty much what I saw -
Winning GPO
Default Domain Policy
These settings were applied only by GPOs that do not contain Internet Explorer Enhanced Security Configuration (ESC) settings because this computer does not have ESC enabled. ESC settings cannot be applied to this computer.
If I make the same changes to the Default Domain Policy (winning GPO), obviously things apply as they should. It is my understanding that policies will apply Local - Site - Domain - OU - Child OU, etc. - so the policy I made should be the last to apply. Would I need to use loopback processing here? What is the best way to have the different settings apply for this policy on the machines in this OU? Enforced?
Thanks in advance for what I'm sure is a simple question to those more familiar 
Derek
| | | |
| alps
Posts:5
 | | 08/06/2010 3:55 PM |
| Derek,
ESC policies are user/group specific and they do not apply on the Computers OU. You will have to enable loopback processing. Also, the policy at the OU level will take precedence over the Default Domain Policy if any conflicts occur. No need to enforce or block policy inheritance in any case. They are just difficult to manage and troubleshoot at times if you are not aware of enforced policies and BPI.
Find the article that best describes how the GPOs are applied. http://blogs.technet.com/b/grouppolicy/archive/2009/12/17/why-didn-t-my-group-policy-settings-apply.aspx
Thanks and Regards,
Alpesh S Kumar
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Derek Rose
Sent: Wednesday, June 02, 2010 4:14 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Cleanup of GPO
| | | |
|
|
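The thread above turns on which GPOs feed the user side of policy when a GPO holding user settings is linked to an OU of computers. The following is an added example, not part of the original thread: a simplified model of user-side processing order with and without loopback. The GPO name "XP IE Settings", the OU names and the setting values are constructed; site links, Enforced, Block Inheritance and security filtering are left out.

```python
# Simplified model of user-side Group Policy processing (added example).
# GPO, OU and setting names are constructed for illustration only.
# Site links, Enforced, Block Inheritance and security/WMI filtering are ignored.

# User Configuration settings carried by each GPO.
USER_SETTINGS = {
    "Default Domain Policy": {"TrustedSites": "corp-list", "ActiveX": "prompt"},
    "XP IE Settings": {"TrustedSites": "xp-list", "ActiveX": "enable"},
}

# GPO links per container.
LINKS = {
    "domain": ["Default Domain Policy"],
    "OU=XP Machines": ["XP IE Settings"],
    "OU=Staff": [],
}

def gpos_in_scope(chain):
    """GPOs linked along a container chain, domain first, closest OU last."""
    return [gpo for container in chain for gpo in LINKS[container]]

def user_gpo_order(user_chain, computer_chain, loopback=None):
    """Order in which User Configuration is applied (later entries win)."""
    if loopback == "replace":
        # Only GPOs in scope of the computer supply user settings.
        return gpos_in_scope(computer_chain)
    if loopback == "merge":
        # User's own list first, then the computer's list, which wins conflicts.
        return gpos_in_scope(user_chain) + gpos_in_scope(computer_chain)
    # No loopback: only GPOs in scope of the user account are considered.
    return gpos_in_scope(user_chain)

def resultant_user_policy(user_chain, computer_chain, loopback=None):
    """Return {setting: (value, winning GPO)} for the logged-on user."""
    result = {}
    for gpo in user_gpo_order(user_chain, computer_chain, loopback):
        for setting, value in USER_SETTINGS.get(gpo, {}).items():
            result[setting] = (value, gpo)
    return result

USER = ["domain", "OU=Staff"]            # where the user account lives
COMPUTER = ["domain", "OU=XP Machines"]  # where the XP machine lives

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_policy(USER, COMPUTER, mode))
```

Without loopback the OU-linked GPO never enters the user's list, which matches the Default Domain Policy showing as the winning GPO in the report quoted above.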