I thought I knew Group Policy but Obviously I don't

[George Hester]

I want to make it so my clients cannot change their Homepage in IE. So I went to Start | Run | mmc | added the Group Policy for clients in the domain | OK.

In that I set the policy which disallows changing the homepage. Well that works great on the clients. BUT also on the domain controller which I do not want. What have I done wrong? Thanks.

 

[Mark Renoden [MSFT]]

Hi George

I think this setting is a user configuration setting which means it applies
to all users in the heirarchy below the OU to which the GPO is linked.
You'll want to create an OU which includes all user accounts that are not
administrators and link the GPO here that sets the disable changing of
homepage setting.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

I want to make it so my clients cannot change their Homepage in IE. So I
went to Start | Run | mmc | added the Group Policy for clients in the domain
| OK.

In that I set the policy which disallows changing the homepage. Well that
works great on the clients. BUT also on the domain controller which I do
not want. What have I done wrong? Thanks.

 

[Guest]

George,

Something simple to do is controlling who the GPO is applied by use of a
group(s) instread of the Authenticated Users default. Create a group out
there called - for example - POL_DENY_CHANGEHOMEPAGE. Put all the users in
there that you want it to apply to and then add/apply that folder into the
GPO instead of the Authenticated Users.

This is how I manage most of my GPO's anyway. I rarely ever use
Authenticated Users simply so I have some control.

 

[George Hester]

Yes I did that Kevin. It got overridden. Didn't work.

 

[Philip Nunn]

I think you may want to look at Loopback policy processing and set this on a
GPO that affects your DC's "Computer Config>Admin templates>system>group
policy" the setting you want is User Group Policy loopback processing mode;
set it to Replace. What this will do is apply the user settings that affect
the computer, not the ones normally assinged to the user. so as long as the
"disable changing homepage" setting is not on any GPO that is linked to the
OU where your DC's are then this should work for you.

Philip Nunn

Yes I did that Kevin. It got overridden. Didn't work.

 

[George Hester]

Philip that may be what is necessary I do not know because I am not familiar with what you said. But I can tell you I
did it this way:

Start | Run | mmc | OK | Console | Add\Remove Snap-in... | Add... | Group Policy | Add | Browse... | Computers |
Another Computer | I chose the client (only one) | OK | OK | Finish | Close | OK Saved the Console settings.

Then here I disabled the ability of the homepage to be changed which looked good until a IE vulnerability changed it.

That is not good enough?

 

[Philip Nunn]

the settings that i gave you are so that the policy is not applied to your
DC's or any computer objects that fall into the scope of the gpo that has
the loopback policy in place. If i were you i would seriously recommend
that you use the Group Policy Management Console (GPMC) to make changes to
your GPO's. here is a link for the download
http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
you then need to set this policy and link the gpo you create to any OU that
you want the "cannot change homepage" setting. or just link it at the
domain level and everyone will get it.

Philip Nunn

Philip that may be what is necessary I do not know because I am not familiar
with what you said. But I can tell you I
did it this way:

Start | Run | mmc | OK | Console | Add\Remove Snap-in... | Add... | Group
Policy | Add | Browse... | Computers |
Another Computer | I chose the client (only one) | OK | OK | Finish | Close
| OK Saved the Console settings.

Then here I disabled the ability of the homepage to be changed which looked
good until a IE vulnerability changed it.

That is not good enough?

 

[George Hester]

Ugh I cannot use that download. It only runs on Windows XP or Windows 2003 none of which I have. I am strictly a
Windows 2000 domain.

I found this article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

So what I did in the same console I mentioned earlier I reset the disable the homepage AND did what that article said
to do to enable the loopback feature. So far so good? There is a gpedit.msc in C:\WINNT\system32 and from what
you said I should have enabled this feature in that the Default Domain Policy. If that's correct it is easily changed.

--
George Hester
_________________________________

the settings that i gave you are so that the policy is not applied to your
DC's or any computer objects that fall into the scope of the gpo that has
the loopback policy in place. If i were you i would seriously recommend
that you use the Group Policy Management Console (GPMC) to make changes to
your GPO's. here is a link for the download
http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
you then need to set this policy and link the gpo you create to any OU that
you want the "cannot change homepage" setting. or just link it at the
domain level and everyone will get it.

Philip Nunn

Philip that may be what is necessary I do not know because I am not familiar
with what you said. But I can tell you I
did it this way:

Start | Run | mmc | OK | Console | Add\Remove Snap-in... | Add... | Group
Policy | Add | Browse... | Computers |
Another Computer | I chose the client (only one) | OK | OK | Finish | Close
| OK Saved the Console settings.

Then here I disabled the ability of the homepage to be changed which looked
good until a IE vulnerability changed it.

That is not good enough?