none
GPO Related question

    Question

  • Hi All,

    I have a question around GPO's

    I have setup a GPO which adds a certain list trusted sites to Internet Explorer security settings for all users in our company Domain

    However, there is a requirement to allow a certain set of Developers to be able to add Trusted sites manually. To accomplish this, I created a Security Group entailing those Users and set a Delegation to override this GPO (to automatically add Trusted sites) to that SG.

    After doing a gpupdate /target:computer /force and restarting the respective user's machines, I find that all barring one user(belonging to that SG) is unable to add Trusted sites.

    Interestingly, One of the developers accounts were created by copying this error user's account and he is able to add trusted sites, but just not this account.

    I even added this account explicitly and applied settings to override this GPO and that didn't work as well.

    I have checked in the GP Objects console and could not find another conflicting GPO that blocks this user from adding trusted websites.

    What would be the best recourse to get this user to be able to add to Trusted sites ? Your assistance will be much appreciated.

    Do you want the GPRESULT/R results from the user's machine to see which GPO's are being applied ?

    Regards

    Harry

    Friday, December 16, 2016 3:27 AM

All replies

  • I do not know if there might be a TokenBloat issue?

    Otherwise a good start would probably be to compare GP result from one that it's working for and a user that it is not working for. Also verify if different computers might cause different behavior. 

    Otherwise I guess the ADDS forum would be a good place for this question. 

    Tuesday, December 27, 2016 12:38 PM
  • Hi Harry,
    How about to exclude the Developers security group from that GPO? In this case, users of this group is out of control from GPO and could manually add all the trusted sites then.
    If that is working for you, you could have a try the following article step-by-step article to finish this:
    How to exclude individual users or computers from a Group Policy Object
    http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 28, 2016 3:11 AM
    Moderator
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 02, 2017 6:14 AM
    Moderator
  • Hi Wendy,

    Thank you for your suggestions.

    I will try them and get back to you in a few days

    Regards

    Harry

    Friday, January 13, 2017 5:52 AM
  • Hi Harry,
    Ok, if you have any questions, please feel free to contact us.
    Appreciate for your feedback.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 16, 2017 3:21 AM
    Moderator