can't make changes

    Question

  • I am both a local Admin and a domain admin.  If I log onto a Windows 7 workstation that has NO GPO User Settings applied I can make any change I want to the Internet Explorer settings.  Example:

    Internet options\Security Tab\Local Intranet [custom levels]

    But as soon as I apply our User GPO all of this is grayed out.  Why?  If I'm an admin how come I can't change this?

    On the local Windows 7 workstation we have all firewalls turned off and we are not using a proxy server.


    mqh7

    Tuesday, February 16, 2016 5:38 PM

All replies

  • I don't think it wants you configuring the options in two separate places. Even if you could change the settings locally, Group Policy is re-applied several times a day so your settings would get overwritten.

    If you need different settings then perhaps you should consider a different GPO for that Windows 7 workstation? GPOs can be filtered to specific machines if required; it's not just OU membership which dictates it. Perhaps have a separate GPO that states when a domain admin logs in then the user GPO is not applied.

    Generally speaking there is no good reason why you should ever log on to a client with a domain admin account anyway. You can create a domain group called "Local Admins," place your user account into that and have that group added to each client's local Administrators group via a GPO to give you local administrative privileges on clients with regular user accounts.

    Tuesday, February 16, 2016 5:51 PM
  • Hi, thanks. We need to make 1 change to our current GPO and it is in the location I specified: Internet options\Security Tab\Local Intranet [custom levels]. Each time I make this change and apply that GPO to my user, the change never gets applied and everything is grayed out. How come? What would cause this?

    mqh7

    Tuesday, February 16, 2016 5:54 PM
  • Hi

    "But as soon as I apply our User GPO all of this is grayed out. Why?" >>>> Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

    So if you would like to be a little more flexible and allow the end users to edit the zones you will need to use an alternative method: Group Policy Preferences Registry Items.

    Check the article for a sample:

    https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, February 16, 2016 5:56 PM
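
An added diagnostic, not part of any reply in this thread: it compares the Local Intranet zone values in the policy hives with the ones in the ordinary per-user key, to show which settings the GPO is enforcing and therefore locking in the UI. The registry paths and the `Security_HKLM_only` value are the standard Internet Explorer locations and are an assumption here, since the thread does not name them; the script only reads and runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Zone 1 = Local Intranet. Values written by Administrative Template policy
# land under ...\Software\Policies\...; values the user (or a Group Policy
# Preferences Registry item) sets land under the non-policy key.
$zone = 1
$sub  = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$locations = @(
    @{ Label = 'UserPolicy';    Path = "HKCU:\Software\Policies\$sub\Zones\$zone" },
    @{ Label = 'MachinePolicy'; Path = "HKLM:\Software\Policies\$sub\Zones\$zone" },
    @{ Label = 'UserSetting';   Path = "HKCU:\Software\$sub\Zones\$zone" }
)

function Get-ZoneValues {
    param([string]$Path)
    $result = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        foreach ($name in $key.GetValueNames()) {
            $result[$name] = $key.GetValue($name)
        }
    }
    return $result
}

# Read every location once; a missing key yields an empty table
$values = @{}
foreach ($loc in $locations) {
    $values[$loc.Label] = Get-ZoneValues -Path $loc.Path
}

# One row per setting (e.g. 1A00), one column per location
$names = $values.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
$rows = foreach ($n in $names) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Setting $n
    foreach ($loc in $locations) {
        $row | Add-Member NoteProperty $loc.Label $values[$loc.Label][$n]
    }
    $row
}
$rows | Format-Table -AutoSize

# "Security Zones: Use only machine settings" makes IE ignore per-user zones
$p = Get-ItemProperty -Path "HKLM:\Software\Policies\$sub" -ErrorAction SilentlyContinue
if ($p -and $null -ne $p.Security_HKLM_only) {
    "Security_HKLM_only = $($p.Security_HKLM_only)"
} else {
    "Security_HKLM_only is not set"
}
```

A setting that shows a value in the UserPolicy or MachinePolicy column is being enforced by policy; one that appears only under UserSetting remains editable in Internet Options.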