RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message In case anyone is interested, I finally figured out the problem. http://support.microsoft.com/default.aspx?scid=kb;en-us;311511 Thanks for everyones help. Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 13, 2003 16:35 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Try turning that off (make it synchronous).
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Okay This is what I have found in the userenv.log so far: ProcessGPOs: Processing extension Internet Explorer Branding ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I dont use the GP to brand IE) ProcessGPOs: Processing extension Internet Explorer Branding CompareGPOLists: Different version numbers found ProcessGPOList: Entering for extension Internet Explorer Branding UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy... GetHkeyCU: RegOpenKey failed with error 2 LibMain: Process Name: C:\WINNT\system32\rundll32.exe UserPolicyCallback: Setting status UI to Applying your personal settings... ProcessGPOList: Extension Internet Explorer Branding returned 0x0. ProcessGPOs: --- 734 ProcessGPOs: --- Those are the only lines that mention Internet Explorer Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 13, 2003 12:15 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means everything worked just fine. Here's a thought. Are these XP machines? If so, can you try something? On one of these machines thats having a problem, try enabling the following administrative template policy: Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon This ensures that policy processes synchronously rather than asynchronously. It would be interesting to see if this makes a difference. -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 10:09 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Okay This is what I have found in the userenv.log so far: ProcessGPOs: Processing extension Internet Explorer Branding ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I dont use the GP to brand IE) ProcessGPOs: Processing extension Internet Explorer Branding CompareGPOLists: Different version numbers found ProcessGPOList: Entering for extension Internet Explorer Branding UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy... GetHkeyCU: RegOpenKey failed with error 2 LibMain: Process Name: C:\WINNT\system32\rundll32.exe UserPolicyCallback: Setting status UI to Applying your personal settings... ProcessGPOList: Extension Internet Explorer Branding returned 0x0. ProcessGPOs: --- 734 ProcessGPOs: --- Those are the only lines that mention Internet Explorer Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Wednesday, August 13, 2003 12:15To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
RE: [ActiveDir] Group Policy and IE Zone Security
Interestingly enough, I have that policy enabled (IE Maintenance policy processing). However, I do notice that when I go to the registry key mentioned in that article, the value is still set to 1, instead of 0. I changed it manually, and will reboot to see what happens. Does anyone know what would keep that registry key from changing when the IE Maintenance policy is set to apply? Okay... rebooted, and the zones are being reset again, and everything that I changed is gone (under the zones). Thanks, Charles -Original Message- From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, August 11, 2003 23:51 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Charles- Have you checked out this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306915? Its not exactly the same but could be your problem. Darren attachment: winmail.dat
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Update: I have now noticed (beating my head on desk for not seeing it sooner) that the server also sees the reset of the site changes Meaning: 1) I log onto the server, change the site listings as needed under IE Maintenance/Security 2) Run Secedit, check to make sure changes are applied on workstation (they are). 3) Now I check the server, changes took place there as well. 4) Reboot *any* workstation, and the changes are gone. 5) Check server, changes are gone from there as well and from the policy. Any ideas? I have been unable to find anything even remotely close via google or technet. Thanks. Charles
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message You lost me on one part What are you referring to when you say Preference mode settings? As for local GPO IE settings, there are none set. I will enable the verbose logging and see what happens Thanks Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 12, 2003 13:21 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Charles- Just out of curiosity, are you using preference mode settings here? Things to check: -- Make sure you don't have any localGPOIE settings defined. Highly unlikely but worth checking. -- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833to enable this logging. Darren
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Well, I did a reset with no problems I tried setting to preference mode, but seem unable to input any changes. I tried adding the *.adm files for IE (inetcorp.adm and inetset.adm), however, when I go to access the settings, I see the following: The inetset.adm file is not for Windows 2000. These settings will not be displayed. I see the same error message for inetcorp.adm. When trying to access the Advanced settings under User Config/IE Maintenance/Advanced, I can see Corporate settings and Internet Settings listed. When I try to access either one of those policies, I get the following 2 errors: Source: DrWatson Event ID: 4097 The application, mmc.exe, generated an application error The error occurred on 08/13/2003 @ 08:41:52.547 The exception generated was c005 at address 02324FD8 (nosymbols) And Source: SQLServerAgent Category: Alert Engine Event ID: 318 Unable to read local eventlog (reason: The data area passed to a system call is too small). I am assuming that I am seeing these errors due to the problem stated above (that the *.adm file isnt for Windows 2000). Other than that I am at a loss as to what is happening. Any ideas? Thanks, Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 12, 2003 16:08 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security IE Maintenance has two modes--preference and mandatory. Preference says, hand down IE policy but then let the user change it whereas mandatory says, reinforce it all the time. You can see this by right clicking the IE Maintenance node and choosing either Preference mode or Reset Browser Settings. You might try a reset--I have seen weirdness around preference mode in the past.
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Try turning that off (make it synchronous). -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 12:46 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security These are all 2000 machines Under the GPO, I have Apply Group Policy Asynchronously for Users enabled. Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Wednesday, August 13, 2003 13:47To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means everything worked just fine. Here's a thought. Are these XP machines? If so, can you try something? On one of these machines thats having a problem, try enabling the following administrative template policy: Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon This ensures that policy processes synchronously rather than asynchronously. It would be interesting to see if this makes a difference. -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 10:09 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Okay This is what I have found in the userenv.log so far: ProcessGPOs: Processing extension Internet Explorer Branding ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I dont use the GP to brand IE) ProcessGPOs: Processing extension Internet Explorer Branding CompareGPOLists: Different version numbers found ProcessGPOList: Entering for extension Internet Explorer Branding UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy... GetHkeyCU: RegOpenKey failed with error 2 LibMain: Process Name: C:\WINNT\system32\rundll32.exe UserPolicyCallback: Setting status UI to Applying your personal settings... ProcessGPOList: Extension Internet Explorer Branding returned 0x0. ProcessGPOs: --- 734 ProcessGPOs: --- Those are the only lines that mention Internet Explorer Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Wednesday, August 13, 2003 12:15To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message I enabled the logging, and am currently looking at the file. I dont see anything glaring out as an error, or showing that something was skipped Any suggestions as to where I should look in this log for the problem?? Thanks. Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday, August 12, 2003 13:21 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Charles- Just out of curiosity, are you using preference mode settings here? Things to check: -- Make sure you don't have any localGPOIE settings defined. Highly unlikely but worth checking. -- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833to enable this logging. Darren
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message Yuck (technical term). Dr. Watson isn't a good thing. Loading a Win2K .adm should not cause a Dr. Watson on the MMC. Not sure why you're getting a SQLServerAgent error--that's pretty unrelated to policy. If its possible, you may want to delete this GPO and start from scratch. It sounds like its sufficiently buggered up that starting over may be best. -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 5:51 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Well, I did a reset with no problems I tried setting to preference mode, but seem unable to input any changes. I tried adding the *.adm files for IE (inetcorp.adm and inetset.adm), however, when I go to access the settings, I see the following: The inetset.adm file is not for Windows 2000. These settings will not be displayed. I see the same error message for inetcorp.adm. When trying to access the Advanced settings under User Config/IE Maintenance/Advanced, I can see Corporate settings and Internet Settings listed. When I try to access either one of those policies, I get the following 2 errors: Source: DrWatson Event ID: 4097 The application, mmc.exe, generated an application error The error occurred on 08/13/2003 @ 08:41:52.547 The exception generated was c005 at address 02324FD8 (nosymbols) And Source: SQLServerAgent Category: Alert Engine Event ID: 318 Unable to read local eventlog (reason: The data area passed to a system call is too small). I am assuming that I am seeing these errors due to the problem stated above (that the *.adm file isnt for Windows 2000). Other than that I am at a loss as to what is happening. Any ideas?Thanks, Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Tuesday, August 12, 2003 16:08To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security IE Maintenance has two modes--preference and mandatory. Preference says, "hand down IE policy but then let the user change it" whereas mandatory says, "reinforce it all the time". You can see this by right clicking the IE Maintenance node and choosing either Preference mode or "Reset Browser Settings". You might try a reset--I have seen weirdness around preference mode in the past.
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message IE Maintenance has two modes--preference and mandatory. Preference says, "hand down IE policy but then let the user change it" whereas mandatory says, "reinforce it all the time". You can see this by right clicking the IE Maintenance node and choosing either Preference mode or "Reset Browser Settings". You might try a reset--I have seen weirdness around preference mode in the past. -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 12:25 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security You lost me on one part What are you referring to when you say Preference mode settings? As for local GPO IE settings, there are none set. I will enable the verbose logging and see what happens Thanks Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Tuesday, August 12, 2003 13:21To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Charles- Just out of curiosity, are you using preference mode settings here? Things to check: -- Make sure you don't have any localGPOIE settings defined. Highly unlikely but worth checking. -- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833to enable this logging. Darren
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message These are all 2000 machines Under the GPO, I have Apply Group Policy Asynchronously for Users enabled. Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 13, 2003 13:47 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Well it doesn't give a lot of info but the RegOpenKey failing on GetHKeyCU (Get a handle to the user's profile in HKEY_CURRENT_USER) looks like a problem. The policy extension can't access the user's profile. The strange thing is that it returns a 0x0, which usually means everything worked just fine. Here's a thought. Are these XP machines? If so, can you try something? On one of these machines thats having a problem, try enabling the following administrative template policy: Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon This ensures that policy processes synchronously rather than asynchronously. It would be interesting to see if this makes a difference. -Original Message- From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 10:09 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security Okay This is what I have found in the userenv.log so far: ProcessGPOs: Processing extension Internet Explorer Branding ProcessGPOs: Extension Internet Explorer Branding skipped with flags 0x7 (Which should be fine since I dont use the GP to brand IE) ProcessGPOs: Processing extension Internet Explorer Branding CompareGPOLists: Different version numbers found ProcessGPOList: Entering for extension Internet Explorer Branding UserPolicyCallback: Setting status UI to Applying Internet Explorer Branding policy... GetHkeyCU: RegOpenKey failed with error 2 LibMain: Process Name: C:\WINNT\system32\rundll32.exe UserPolicyCallback: Setting status UI to Applying your personal settings... ProcessGPOList: Extension Internet Explorer Branding returned 0x0. ProcessGPOs: --- 734 ProcessGPOs: --- Those are the only lines that mention Internet Explorer Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 13, 2003 12:15 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Group Policy and IE Zone Security What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy.
RE: [ActiveDir] Group Policy and IE Zone Security
Title: Message What you're looking for is any log items from the IE Maintenance extension as it tries to process the policy during user logon. Look for messages as to whether it skipped processing for some reason or couldn't process the policy. -Original Message-From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 12:36 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security I enabled the logging, and am currently looking at the file. I dont see anything glaring out as an error, or showing that something was skipped Any suggestions as to where I should look in this log for the problem??Thanks. Charles -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Tuesday, August 12, 2003 13:21To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Group Policy and IE Zone Security Charles- Just out of curiosity, are you using preference mode settings here? Things to check: -- Make sure you don't have any localGPOIE settings defined. Highly unlikely but worth checking. -- Enable verbose userenv.log logging to see if you can get a clue as to why this is happening. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833to enable this logging. Darren
RE: [ActiveDir] Group Policy and IE Zone Security
Charles- Have you checked out this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306915? Its not exactly the same but could be your problem. Darren -Original Message- From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: Mon 8/11/2003 6:10 PM To: [EMAIL PROTECTED] Cc: Subject: [ActiveDir] Group Policy and IE Zone Security Still searching for an answer on this one Anybody have an idea? On the server, I set up the GPO to reflect certain sites under the Intranet and Trusted sites. I also set the GPO to disable the users ability to add/remove sites, and change their home page. As of right now, users can not add/remove sites from the Security Zones, nor can they change their default home page. (Which is what I wanted). However, each time any workstation reboots, the sites that I set under Intranet/Trusted are removed and what was originally there comes back. (i.e. free.aol.com, etc). Each time, on the server, I remove the specific zones, add the ones I want, then run secedit from the command prompt. Users receive the policy change no problem, until they reboot. Where should I look for the problem here? Im at a loss. Server: Windows 2000 AS SP4 Workstations: Windows 2000 SP4 Thanks. Charles winmail.dat
RE: [ActiveDir] Group Policy and IE Zone Security
Do you have your GPO set to apply the changes even when the GPO hasnt changed? If not, it may be worth enabled this option in your GPO: Computer Configuration/Administrative Templates/System/Group Policy/Internet Explorer Maintenance/Process even if Group Policy Objects have not changed Maybe this will fix the problem. Cheers, Matty From: Charles Campbell [mailto:[EMAIL PROTECTED] Sent: 05 August 2003 20:00 To: [EMAIL PROTECTED] Subject: [ActiveDir] Group Policy and IE Zone Security For the life of me Im being plagued with problems now. On the server, I set up the GPO to reflect certain sites under the Intranet and Trusted sites. I also set the GPO to disable the users ability to add/remove sites, and change their home page. As of right now, users can not add/remove sites from the Security Zones, nor can they change their default home page. (Which is what I wanted). However, each time any workstation reboots, the sites that I set under Intranet/Trusted are removed and what was originally there comes back. (i.e. free.aol.com, etc). Each time, on the server, I remove the specific zones, add the ones I want, then run secedit from the command prompt. Users receive the policy change no problem, until they reboot. Where should I look for the problem here? Im at a loss. Server: Windows 2000 AS SP4 Workstations: Windows 2000 SP4 Thanks. Charles