none
Active X installation issues RRS feed

  • Question

  • I'm having significant difficulties trying to get any user on a domain joined laptop to install active x controls for our video projection system (Extron).  Here are the specs:

    -Windows 7 x32 professional joined to domain
    -Internet Explorer 9

    When I attempt to visit the site as either the local administrator or the domain administrator or the user, I receive the same error message.  I am able to visit the site and log on (the address is 192.168.0.59).  It then asks me to download the .cab file to which I click yes to.  I then receive the following error message:

    "The Extron signed ActiveX control can not be downloaded to your PC.  This could be due to one of two reasons:
    1. Your IE security settings prevent you from either downloading or executing a ActiveX control.
    2. Your user account privilege is not authorized to download and install a signed ActiveX control. 

    So here's what I've done so far:

    1. Added the site (192.168.0.59) to the trusted sites zone.  Modified the security settings of the zone to allow ActiveX content, signed and unsigned to be installed.  Basically opened the door for ActiveX content to be installed.  Didn't work - still received error message above.

    2.  Read up on TechNet about the two group policy security settings relating to ActiveX installer service.  Made the following changes to the local security policy (these settings are not defined in any domain group policy setting) under Computer Config\Admin Templates\Windows components\ActiveX installer Service
    -Approved Installation sites for ActiveX Controls: enabled.  Host URL: 192.168.0.59 with the following values: 2,2,1,0x00000100|0x00001000|0x00002000|0x00000200 (as per http://technet.microsoft.com/en-us/library/dd631688(WS.10).aspx#BKMK_SampleConfigs)

    -ActiveX Installation policy for sites in trusted zone: enabled.  The settings in the GPO are set to silently install and permit connection for all Certificate errors.

    And Computer config\Admin templates\windows components\Internet Explorer\Security zones: use only machine settings: enabled.

    So it now works when logged in as the local administrator. But it doesn't work when logged on as the domain administrator or the standard user. 

    I'm not really sure where to go from here and would greatly appreciate any assistance that can be offered.

    Regards,

    Shane



    Shane

    Tuesday, February 19, 2013 12:42 AM

All replies

  • Hi,

    view the source of the AX download page and note the CLSID and codebase values of the <object> tag.....

    codebase gives the actual domain of the author, you need to add that domain to your GPO trusted sites list. CLSID is the class ID of the ActiveX control, you can use it to find out if it is an Allowed ActiveX control on their machine (see HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility.

    IP addresses with 192. is your proxy mask.

    You can determine which security zone a web page maps to from File>Properties

    Use Tools>Manage addons>View Downloaded controls - to determine if it is successfully installed and 'enabled'..Double click on it to display its Properties page.... allow for the sites/intranet where you

    Reset IE's security settings back to your defaults (Internet Options>Security tab, click "Reset all zones to default"


    Rob^_^

    Tuesday, February 19, 2013 2:42 AM
  • Rob,

    Thanks for the timely response.  Here's what I've got

    1. Can't find the codebase value in the <object> tag when looking at the source code.
    2. The CLSID, which I got from 'Settings --> manage add ons' is not in HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility.  However, it was in HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IPLWeb.ocx
    3. The downloaded control (IPLWebV4 Control) is from a (not verified) Extron Electronics and was disabled but I've enabled it for all websites.
    4. The webpage is currently in the Trusted Security zone.

    The results now are:
    1. Local administrator user can use webpage properly.
    2. domain administrator account cannot use webpage properly.
    3. local user account can use webpage properly.

    So it appears to be working but I'm very wary of what's going on - it doesn't seem correct that a domain user account can't get it to work.  Maybe those local security policy settings I made are not working for domain accounts??  Again, thanks for the advice, any more would be greatly appreciated.

    Regards,


    Shane

    Tuesday, February 19, 2013 4:53 AM