Registry-based GPO for IE6 SP1 on Win2K

[Guest]

We used a W2K3 server for a domain controller and are planning to join all
the Win2K professional workstations to the domain. Before this, some WinXP
machines are already joined to this domain.

One of the GPOs for the WinXP machines is concerning IE preferences only,
i.e. using .adm files to set registry values of IE, such as zone levels, IE
title string etc., and "Registry policy processing" in the GPO is "Not
configured". We suppose that this policy only affects the client settings
once (only when the user profile is newly created). This works on WinXP.

We then copy the policy for Win2K. We find that 3 out of 4 testing machines
do not have the expected result. The failure is that, the GPO has applied as
we can see from using the tool "GPResult", and also "ntuser.pol" in
%allusersprofile% and %userprofile%, but the most (not all, but almost all)
registry entries are not changed by the GPO even it is the first-time logon.
The remaining 1 machine however seems work as in the WinXP case.

We think that it is the problem solely for IE6 with Win2K, as the problem
vanishes if IE5.5 SP2 is used. Please help.

 

[Ryan Hanisco]

Remember that on a W2k3 server there are a number of GPOs that are made for
XP only and will not apply to a 2kPro workstation. Usually this is noted in
the full description of the policy. Microsoft does have a matrix of all the
Policy options in Excel format and which OS supports it. (I have it locally
but can't find it on the web site.)

Check your service packs on the servers and workstations to be sure you are
comparing apples to apples. It can make a difference.

 

[Guest]

Thanks for your advice. But the policies discussed here are registry-based.
Can't they be applied to W2K Pro?

Also, when we enable "Computer Configuration\Administrative
Templates\System\Group Policy\Registry policy processing", all these policies
can be applied.

The problem seems to be related to W2K with IE6 as mentioned in my previous
post. What's your comment?

 

[lforbes]

Thanks for your advice. But the policies discussed here are
registry-based.
Can't they be applied to W2K Pro?

Also, when we enable "Computer ConfigurationAdministrative
TemplatesSystemGroup PolicyRegistry policy processing", all
these policies
can be applied.

The problem seems to be related to W2K with IE6 as mentioned
in my previous
post. What's your comment?


 > > We used a W2K3 server for a domain controller and
are planning to join all
 > > the Win2K professional workstations to the domain.
Before this, some WinXP
 > > machines are already joined to this domain.
 > >
 > > One of the GPOs for the WinXP machines is concerning
IE preferences only,
 > > i.e. using .adm files to set registry values of IE,
such as zone levels,
 > > title string etc., and "Registry policy processing"
in the GPO is "Not
 > > configured". We suppose that this policy only
affects the client settings
 > > once (only when the user profile is newly created).
This works on WinXP.
 > >
 > > We then copy the policy for Win2K. We find that 3
out of 4 testing
 > > do not have the expected result. The failure is
that, the GPO has applied
 > > we can see from using the tool "GPResult", and also
"ntuser.pol" in
 > > %allusersprofile% and %userprofile%, but the most
(not all, but almost
 > > registry entries are not changed by the GPO even it
is the first-time
 > > The remaining 1 machine however seems work as in the
WinXP case.
 > >
 > > We think that it is the problem solely for IE6 with
Win2K, as the problem
 > > vanishes if IE5.5 SP2 is used. Please help.

Hi,

These settings should be applying for Windows 2000 as well as XP. I
have 500 clients with IE 6 SP1 with a mixture of XP and 2000 and I
have locked IE down as tight as one can with no problems.

By the way the "policies" that according to MS "only" work on XP
actually work on Windows 2000 as well. The only ones that are "XP
only" are the ones that deal with the new XP interface.

The problem may be caused by a number of factors, but I think this is
your problem.

Make sure you are setting the policies in the <b>UserConfig-Windows
Settings-Internet Explorer Maintenance</b> part of Group Policy. This
is not an adm but this is where IE settings are done.

If you create your Own ADM it Won’t be applied unless you specify the
certain "policy" section of the registry and even then I haven’t had
much luck. However, I haven’t found the need to create any of my own
adm’s for Windows 2000 as Group Policy has almost all covered. I
wanted to create one to turn on the numlock but it didn’t work with
Windows 2000 Server.

Windows 2000 processed adm’s very differently from NT 4.0 and
therefore all the old NT 4.0 adm’s have to be re-written for AD.

Cheers,

Lara

 

[Guest]

Thanks for your abundant information. But could anybody explain why the
policies can be applied successfully using W2K w/ IE5.5?? I still think it is
the problem of IE6.

I know using IE maintenance is better. I am just a small potato in my
company and cannot decide whether to use self-written adm or IE maintenance.
In my case, self-written adm files are used.

BTW, it is interesting to hear that the registry-based policies are only
applicable to some part of the client machine's registry. If it is true, I
can do nothing...

Thanks again!

 

[lforbes]

Thanks for your abundant information. But could anybody
explain why the
policies can be applied successfully using W2K w/ IE5.5?? I
still think it is
the problem of IE6.

I know using IE maintenance is better. I am just a small
potato in my
company and cannot decide whether to use self-written adm or
IE maintenance.
In my case, self-written adm files are used.

BTW, it is interesting to hear that the registry-based
policies are only
applicable to some part of the client machine's registry. If
it is true, I
can do nothing...

Thanks again!

Hi,

Are they aware that the Maintenance section is there? It seems silly
to write a custom adm to do exactly what the IE Maintenance section
does even better.

Windows NT - System Policies physically affected the users registry.
Eg. Tatooed them so if you wanted them gone then you had to actually
reverse them. Custom ADM’s were used to modify registry.

Windows 2000 - System Policies affect only the Policy Section of the
Users Registry. Therefore the profile is not affected the minute the
policy is removed or the user is removed from the OU. Registry is not
physically affected.

Not sure why it works with IE 5.5. I know I had a real difficult time
getting custom ADM’s (old NT 4 non W2K GP) to work with W2k

Cheers,
Lara

 

[Guest]

Really thanks to your sincere sharing with me.

My senior colleagues use adm files with a good reason -- it seems IE
maintenance can do nothing with the settings in
"Tools" --> "Internet Options" --> "Advanced", which we have to control.

And I find something in TechNet
http://www.microsoft.com/technet/pr...er2003/technologies/management/gp/admtgp.mspx

Registry values for true policies are stored under the approved registry
keys as listed in Table 1. Users cannot change or disable these settings.

For Computer Policy Settings:
HKLM\Software\Policies (The preferred location)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

For User Policy Settings:
HKCU\Software\Policies (The preferred location)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

Preferences are set by the user or by the operating system at installation
time. <B>The registry values that store preferences are located outside the
approved Group Policy keys listed in Table 1. They are located in other areas
of the registry.</B> Users can typically change their preferences at any time.

So I think using adm files can control the settings. In my cases, we are
processing registry-based policies, i.e. preferences.