GPO TO STOP IE PER USER

    Question

  • Windows Server 2003 AD with an existing Server 2008 R2 terminal server and a new Server 2008 R2 terminal server.

    An existing GPO was in place in the AD server to prohibit IE per-user that worked fine on the existing Server 2008 R2 terminal server. However, since adding an additional server 2008 to be an additional terminal server for the AD domain, the GPO will not work.

    The additional server is a fresh load and fully updated and joined to the domain. I have researched various methods to make this work but have not had any success. I think I am doing something wrong fundamentally with the GPO to make it work with the additional server. I already know how to make the GPO and I know how to set the IE settings for a fake proxy server and how to gray out changing those settings.

    I think where I'm going wrong is I'm not putting the GPO in place properly or linking it properly in order to make it work.

    Thursday, January 08, 2015 9:29 PM

All replies

  • I have a GPO with settings to use a fake proxy and settings to gray out the proxy settings for some users on a terminal server that worked fine. Having added an additional terminal server to replace the original, I cannot get the same GPO to work. Somehow I am not getting the GPO applied correctly or linked so that it is affecting the newly added terminal server. Can I get some clarification on this procedure?

    Windows Server 2003 AD server.  Original TS is server 2008 R2.  Replacement TS is also server 2008 R2. The replacement is already up and running and properly joined to the same domain as the original TS.

    Thursday, January 08, 2015 9:42 PM
  • In the "scope" settings for the group policy does it specify an AD group for the machines? Or was it scoped just to the old server originally? Or still the default of Authenticated users?

    A thing you can do on the RDS server is type rsop.msc in the search or run box. In the new window that opens it should look like the GPO object editor. Verify if you see your policy being applied. If it's not and your scope is set properly, you can look in the group policy logs on the RDS server and see if it had an error applying. Event Viewer > Application and Services Logs > Microsoft > Windows > Group Policy.


    Thursday, January 08, 2015 10:05 PM
  • Is that reported in RSOP ? 

    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, January 08, 2015 10:35 PM
  • I think where I'm going wrong is I'm not putting the GPO in place properly or linking it properly in order to make it work.

    Is the new WS2008R2 server object, in the same AD OU as the older WS2008R2 ? (so that it gets the same GP settings, presumably loopback)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, January 08, 2015 11:09 PM
  • Ok I have started over on this and put everything back the way it was originally. Now I created a new OU "No IE" and built the NO IE GPO in that OU. And I have moved the users from the AD Users folder into the NO IE OU. So now what is the proper method to link that to the new RDP server, currently still in the Computers folder.
    Friday, January 09, 2015 2:53 PM
  • The Scope settings show the AD group (the entire domain name). I still can't make it work and I have tried looking at the logs but really don't see anything referencing the new GPO.
    Saturday, January 10, 2015 3:46 PM
  • duplicate of: https://social.technet.microsoft.com/Forums/windowsserver/en-US/94f11d6d-8fc6-42b8-a84b-4ab963c66723/gpo-to-stop-ie-per-user?forum=winserverGP#29071c45-186c-4b36-aae9-d6821d3297b1

    Is the new WS2008R2 server object, in the same AD OU as the older WS2008R2 ? (so that it gets the same GP settings, presumably loopback)


    Don

    Saturday, January 10, 2015 9:43 PM
  • Hi,

    >>So now what is the proper method to link that to the new RDP server, currently still in the Computers folder.

    Before going further, I want to confirm how we configured the IE settings: via Internet Explorer Maintenance (IEM)? IEM is part of the user settings in a GPO; as a result, it is not related to where the computer accounts are located if Loopback processing is not enabled. By default, in a GPO, the settings under User Configuration apply to users regardless of which computers the users log onto.

    To troubleshoot the issue, for a troubled user, we can run the command gpresult /h gpreport.html to collect a Group Policy result report and check how Group Policy settings are applied after the user logs onto the new terminal server. If necessary, you may upload the report to OneDrive and provide us the download link.

    >>I think where I'm going wrong is I'm not putting the GPO in place properly or linking it properly in order to make it work.

    A GPO can be linked to Site, Domain, and OU. Regarding the processing orders of GPOs, the following article can be referred to for more information.

    Order of processing settings

    http://technet.microsoft.com/en-us/library/cc778890(v=ws.10).aspx

    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Best regards,

    Frank Shen

    Monday, January 12, 2015 7:23 AM
    Moderator
  • Look at the security filtering. What is set in this area?

    Monday, January 12, 2015 3:21 PM
  • I have learned from another forum that what I am trying to do is not possible. According to the info I was provided, my new RDP server is not going to work with the GPO because this is not supported in IE 10 or above. Since my newly loaded RDP server is running IE 11 and all other current Windows updates, I can't limit user connectivity with GPOs.
    Monday, January 12, 2015 4:41 PM
  • Are you trying to block internet access per user? Hence the fake proxy settings? Instead of doing it through IE maintenance have you done it via the internet settings in GPO? You can still target this GPO per user.

    This is how you do it in IE9 and later. Make sure you're using a GPO client that is Windows 7/2008 R2 based to get this functionality. Also make sure you have IE 10 or later installed on that same machine. Make sure you are setting the red and green objects accordingly. See here if you need info.

    Monday, January 12, 2015 5:11 PM
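
The checks suggested in the replies above (the gpresult report, security filtering, loopback and the Group Policy event log) can be run in one pass on the new terminal server. This is an added example, not code from any poster in the thread; the GPO name 'No IE', the report path and the helper Get-Field are assumptions.

```powershell
# Added example. Run on the new terminal server while logged on as one of
# the restricted users. Written to work on PowerShell 2.0 (Server 2008 R2).
$GpoName = 'No IE'                               # assumed GPO display name
$Report  = Join-Path $env:TEMP 'gpreport.xml'    # assumed output path

# Hypothetical helper: read a child element by local name, ignoring namespaces.
function Get-Field($node, [string[]]$path) {
    $xp = ($path | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $n  = $node.SelectSingleNode($xp)
    if ($n) { $n.InnerText }
}

# 1. Same data as "gpresult /h gpreport.html", but as XML so it can be queried.
gpresult /scope user /x $Report /f | Out-Null
$rsop = [xml](Get-Content $Report)

# 2. Is the GPO in the user's RSoP, and was it applied or filtered out?
$all = $rsop.SelectNodes("//*[local-name()='UserResults']/*[local-name()='GPO']")
$gpo = @($all | Where-Object { (Get-Field $_ 'Name') -eq $GpoName })
if ($gpo.Count -eq 0) {
    Write-Output "GPO '$GpoName' not in user RSoP: check the user's OU and the GPO link."
} else {
    $gpo | Select-Object @{ n = 'Name';             e = { Get-Field $_ 'Name' } },
        @{ n = 'LinkedAt';         e = { Get-Field $_ 'Link','SOMPath' } },
        @{ n = 'GpoEnabled';       e = { Get-Field $_ 'Enabled' } },
        @{ n = 'DeniedBySecurity'; e = { Get-Field $_ 'AccessDenied' } },
        @{ n = 'WmiFilterAllowed'; e = { Get-Field $_ 'FilterAllowed' } }
}

# 3. Loopback: only if this is set does the server's OU affect user settings.
$sys  = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System' `
            -ErrorAction SilentlyContinue
$mode = switch ($sys.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not enabled' } }
Write-Output ("Loopback processing on {0}: {1}" -f $env:COMPUTERNAME, $mode)

# 4. Recent Group Policy warnings and errors (reading this log may need elevation).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object -First 10 TimeCreated, Id, Message
```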