Site to Zone Assignment List GPO too large

  • Question

  • Hi,

    Our Site to Zone Assignment List in the AD (W2003R2) user's GPO has grown too large and doesn't work anymore.

    (User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List).

    Is there something that can be done about it?

    Maybe with a registry setting on the Windows 7 workstations or DCs (like the Kerberos maximum token size)?

    Or any other suggestions what to do?

    Thanks

    Thursday, July 12, 2012 6:29 AM

All replies

  • Hi,

    Our Site to Zone Assignment List in the AD (W2003R2) user's GPO has grown too large and doesn't work anymore.

    How did you know that the GPO size has increased? Did you use any tools for that?

    Moreover, check Event Viewer and try to find any error/warning event ID recorded for this issue. If there is one, post it here.


    Regards, Ravikumar P

    Thursday, July 12, 2012 11:32 AM
  • Hi,

    You may also configure sites for each zone through this group policy:

    User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Rating > Security Zones and Privacy

    You can also configure such settings using the Group Policy Preferences feature.

    You should install a Windows 2008 or 2008 R2 server, or install Remote Server Administration Tools on a Windows 7 computer, to configure the Group Policy Preferences feature.

    Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en&displaylang=en

    You can configure it at: User Configuration > Preferences > Control Panel Settings > Internet Explorer

    For more information, please refer to the following MS articles:

    Group Policy Preference Internet Settings Extension
    http://technet.microsoft.com/en-us/library/cc754649
    Group Policy Preferences Getting Started Guide
    http://technet.microsoft.com/en-us/library/cc731892(v=WS.10).aspx

    Lawrence

    TechNet Community Support

    Friday, July 13, 2012 8:25 AM
  • OK, I switched on debugging:

    http://support.microsoft.com/kb/221833

    I see this error in the gpsvc.log:

    ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.

    Friday, July 13, 2012 8:47 AM
  •  
    > ProcessGPOs: Extension Internet Explorer Zonemapping
    > ProcessGroupPolicy failed, status 0x57.
     
    # for hex 0x57 / decimal 87 :
      ERROR_INVALID_PARAMETER                                       winerror.h
    # The parameter is incorrect.
     
    Sure the list is too long? Or does it contain invalid entries?
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, July 13, 2012 2:01 PM
  • No, it's too long.

    There are no invalid entries.

    It contains 108 entries at the moment.

    Monday, July 16, 2012 7:31 AM
  • Hi,

    According to our search, the error with ID status 0x57 means we have an invalid parameter in the Zone Assignment List.

    Since you have 108 entries, you may try a 50/50 approach to quickly narrow down which entry is causing the issue.

    Also, as you mentioned, there should be a size limitation for the IE zone assignment list, although I can't find the size limit on the MS website now. If you can deploy the first 54 entries and the second 54 entries with the 50/50 approach, your 108-entry list may be over the size limitation.

    Maybe you can use a wildcard character to replace some entries.

    How to Use Wild Cards When You Add Web Sites to Security Zones
    http://support.microsoft.com/kb/184456

    For more information, please refer to the following MS articles:

    A test case for troubleshooting group policy application – Event ID 1085 and 7016
    http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx



    Lawrence

    TechNet Community Support

    • Marked as answer by Lawrence,Lu Tuesday, July 24, 2012 7:48 AM
    Tuesday, July 17, 2012 9:09 AM
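
The wildcard suggestion in the post above, as an added PowerShell example that is not part of the thread: it groups hosts that share a scheme and parent domain and proposes one wildcard entry only when all of them map to the same zone, since a wildcard places every present and future subdomain in that zone. The function name, the sample list and the two-label parent-domain rule are assumptions made for this example.

```powershell
# Added example (PowerShell 3.0+). Zones: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
function Get-ZoneWildcardCandidate {
    param([Parameter(Mandatory = $true)][hashtable]$SiteToZone)
    $parsed = foreach ($site in $SiteToZone.Keys) {
        if ($site -match '^(?:(?<scheme>[A-Za-z*]+)://)?(?<host>[^/:]+)') {
            $scheme   = if ($Matches['scheme']) { $Matches['scheme'].ToLower() } else { '' }
            $hostName = $Matches['host'].ToLower()
            $labels   = $hostName.Split('.')
            # Skip IP addresses/ranges, entries that are already wildcards, and bare domains.
            if ($hostName -match '^[\d.*-]+$' -or $hostName.Contains('*') -or $labels.Count -lt 3) { continue }
            [pscustomobject]@{
                Site   = $site
                Scheme = $scheme
                # Assumption: parent domain = last two labels (wrong for suffixes such as co.jp).
                Parent = ($labels[-2..-1] -join '.')
                Zone   = [int]$SiteToZone[$site]
            }
        }
    }
    foreach ($group in ($parsed | Group-Object Scheme, Parent)) {
        if ($group.Count -lt 2) { continue }   # a single host gains nothing from a wildcard
        $zones  = @($group.Group | ForEach-Object { $_.Zone } | Sort-Object -Unique)
        $first  = $group.Group[0]
        $prefix = if ($first.Scheme) { "$($first.Scheme)://" } else { '' }
        [pscustomobject]@{
            # Only same-zone siblings are merged; mixed zones need a human decision.
            Action   = if ($zones.Count -eq 1) { 'Consolidate' } else { 'Review: mixed zones' }
            Wildcard = "${prefix}*.$($first.Parent)"
            Zones    = $zones -join ','
            Replaces = @($group.Group | ForEach-Object { $_.Site })
        }
    }
}
# Constructed sample list (not taken from the thread).
$sample = @{
    'https://portal.contoso.example'   = 2
    'https://mail.contoso.example'     = 2
    'https://files.contoso.example'    = 2
    'https://ads.fabrikam.example'     = 4
    'https://partner.fabrikam.example' = 2
    'https://www.adatum.example'       = 2
    '10.1.2.3'                         = 1
}
$result = @(Get-ZoneWildcardCandidate -SiteToZone $sample)
$result | Format-List
$saved = ($result | Where-Object { $_.Action -eq 'Consolidate' } |
    ForEach-Object { $_.Replaces.Count - 1 } | Measure-Object -Sum).Sum
"Entries: $($sample.Count); entries saved by consolidation: $saved"
```

Check each proposed wildcard against KB 184456 and against who controls the subdomains before it goes into the GPO, especially for the Trusted Sites and Intranet zones.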
  •  
    > No, it's too long.
    > There are no invalid entries.
     
    How do you prove that? Reduce it by 2 and it works?
     
    regards, Martin
     

    Tuesday, July 17, 2012 8:33 PM
  • In the gpsvc.log every URL entry shows up as being ok [OK].

    But when I compare the HTML export of the Group Policy with the gpresult, there's a difference.

    When we reduce it by like 10 entries, it's working normally as it should.

    • Marked as answer by Lawrence,Lu Tuesday, July 24, 2012 7:48 AM
    Thursday, July 19, 2012 6:03 AM
  •  
    > When we reduce it with like 10 entries it's working normally as it
    > should.
     
    Ok, that's perfectly done ;-)
     
    doesn't state anything about a limit on the number of sites.
    Maybe this older thread is helpful:
    But as I'm thinking about it, then maybe it is not... If possible, open
    a call with PSS on that issue.
     
    regards, Martin
     

    • Marked as answer by Lawrence,Lu Tuesday, July 24, 2012 7:49 AM
    Thursday, July 19, 2012 1:33 PM