Securing with Group Policy

D

Darren Hackler

I have my GP set to disable downloads from IE for the
general internet users. It works great. I have another
that allows members of a certain group download rights. It
doesn't work. When I view the policy, everything appears
to be OK. I have had to open the Security tab for those
users and let them set download rights themselves.
Obviously not the best way of doing it. I set the
downloads under Windows Settings/IE Maint/Security
Zones/Internet: Custom. Is this the wrong place to set it?
 
S

Steven L Umbach

First thing is to make sure that the user is under the scope on influence of
the Group Policy. In other words if you create an OU with a GPO with user
configuration, the user accounts must reside in that OU or possibly a child
OU. Use the support tool gpresult to see what Group Policies for user
configuration are being applied to a user and the last time the policy was
applied. You can use the /v switch for more detailed info. If you have an XP
computer in the domain you can install the Group Policy management Console
on it which makes checking Group Policy configuration much easier and the
Resultant Set of Policy is a godsend. You would have to logon to the XP
computer as a domain admin [or use domain admin credentials ] so be sure to
do that only on a known secure workstation [keyboard loggers, etc]. If
domain is misconfigured for dns you will also have Group Policy problems and
the netdiag support tool can help track that down. The links below may
help. --- Steve

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC free
download.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --- Must
use procedures for AD dns.
 
R

Roger Abell

In addition, I note they you indicate that your GPO is using
the IE adm template setting in the Computer branch of the
policies tree. AIUI this will set the base level for all of the
identities using IE, while the equivalent policy in the IE adm
template of the Users branch set for the impacted user only.

Now, what was not clear is how you are filtering this GPO
so that it allows that select set of account to have a different
setting for the policy (or, to hopefully have it).
If this is being done by linking the GPO onto the OU the
contains those accounts, then notice that the computer branch
of policies is not being used (the computers may be in a
different OU). So, try setting it in the users branch instead.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

IE Settings for downloads 3
domain security policy 6
A Few Group Policy Questions 2
Domain Security Policy 2
A Few Group Policy Questions 1
Security Group Settings/Usage 5
Removing Sharing & Security tabs from the Group Policy 3
Group Policy vs Domain Controller Security Policy 2

Top