[gptalk] Re: Internet Explorer Processing Issues - automatic configuration script

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 3 Apr 2007 06:49:41 -0700

Craig-

This policy does not apply to users in any situation. You never apply it to
user OUs. You only apply it to computers. Maybe I'm not understanding your
scenario but this policy controls per-computer CSE behavior. The fact that
IE maintenance policy itself is associated with user accounts is irrelevant.
You have to apply this policy to any computer where a user who gets IE
Maintenance policy, may logon. So, for example, if you have a Marketing OU
that has a User and Computer sub-OU, you would only apply this policy to the
Computer sub-OU. Then, when users from the User sub-OU logon to computers in
the Computer sub-OU, and process IE Maintenance, it will process according
to the Computer-specific policy.

 

Hope that helps. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Tuesday, April 03, 2007 5:32 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

So Darren unless I actually add this policy to the OU with all my computers
in it, the setting will never take affect [Process even if the Group Policy
objects have not changed] regardless of any loopback changing etc etc. The
only way to add this to my User OU is to registry modify the dword value of
the registy setting "NoGPOListChanges"=dword:00000001 to "0" in that
alternate path in the registry which is actually the path for the GP
extensions?.

 

Craig

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, April 02, 2007 5:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

Craig-

Right. Just because IE Maintenance Policy is a per-user policy, does not
mean that the "process even if the gpos have not changed" for IE maintenance
is as well. Whenever you see a policy item under Computer Configuration, it
always applies to computers, regardless of what its effecting. It is
confusing.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Monday, April 02, 2007 10:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

Darren thanks again, little confusing with the "supposed to work" and
"workarounds". I did a quick test in my lab. The registry key you stated
below was also not there [HKLM\Software\Policies\Microsoft\Windows\Group
Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]. Understood the workarounds
is to mess with the GP extensions area but I wanted to start fresh an look
at a machine not touched with this GPO. 

 

The key was not there, I then added the IE policy to the OU where the
machine was [not the user account] and did a gpupdate /refresh and the key
appeared.

 

So, that gpo setting under Computer Configuration for IE Process even if the
Group Policy objects have not changed, does this tell me that this user
based GPO needs to be set on a PC OU instead of an OU where User accounts
are held?

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, April 02, 2007 10:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

In general, I have seen problem with IE Maintenance refreshing properly when
the "don't process unless GPOs have changed" default is set-hence the reason
to use this policy below. With respect to the correct registry keys below,
the bottom line is, whatever key the ADM file is pointing to is the one that
should be set. If its not being set, then something is wrong with GP
processing for that computer. The fact that you can also set this option
within the GPExtensions key is useful but it should not replace the key in
the ADM file. One typically trumps the other. However, if you can't get the
Policies key to be set, then setting this through a custom ADM in the
GPExtensions key is probably the next best thing to do.

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Monday, April 02, 2007 7:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

Hello Darren:

 

The article I posted is for January 2007
[http://support.microsoft.com/kb/306915].  The article I found you may be
referencing is March 2003
{http://technet2.microsoft.com/WindowsServer/en/library/6d6a13b1-b170-4fd2-a
022-a2b1af52beae1033.mspx?mfr=true]. 

 

Not sure but looks like a Microsoft issue. Have you encountered this at all
where the automatic configuration script dtring does not refresh unless the
registry key has been changed to "0"?  The registry path you stated I do not
have anywhere in my registry on any machine, I also verified that the
default securty settings are set, so everyone, computers and users should be
getting this setting if your registry path is correct [Authenticated Users
is set to read and apply].

 

Any additional thoughts?

 

Thanks,

 

Craig

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, April 02, 2007 9:11 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

No, you don't need loopback. That setting is per-computer because its
controlling per-computer CSE behavior. There's really no relationship
between that and IE Maintenance policy. You just need to make sure that if
you are setting IE Maintenance processing behavior, you are setting it on a
GPO that is linked to apply to any computers that users who get IE
maintenance policy will logon to. 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Monday, April 02, 2007 5:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

Darren thanks again for the reply.

 

Maybe you can help me understand something, not sure if I am making a
mistake with my GPO or not. This setting for IE is a user based policy, as
such the GPO is linked to the Users OU. If I set the setting Computer
Configuration\Admin Templates\System\Group Policy\IE Maintenance Policy
Processing which is in the Computer section of the GPO do I need to set
loopback also [Which I did and set to merge]. 

 

Also, the registry key you stated below does not exist on my machine.

 

Thanks,

Craig

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Friday, March 30, 2007 6:08 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

That KB seems a little odd, considering that this is already supported in
Computer Configuration\Admin Templates\System\Group Policy\IE Maintenance
Policy Processing. If you use that policy, the value is set under
HKLM\Software\Policies\Microsoft\Windows\Group
Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} and that value is supposed to
override the value listed in your KB article. 

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Friday, March 30, 2007 12:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

This is the article and method to which Microsoft is pointing at to use, not
the registry path is the same as the one I wrote below.

 

http://support.microsoft.com/kb/306915

 

I'd rather an ADM fix than change keys in everyone's registry. any other
ideas?

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Friday, March 30, 2007 10:07 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

Craig-

When you set the "Process even if the Group Policy objects have not changed"
policy, its not setting it under the GPExtensions key. It is setting it
under a Policies key (don't have it off hand but you can look in the ADM for
the location). That's probably why you are not seeing it. The CSE will look
in the Policies key preferentially for that setting. Now I'm not sure why
setting the policy does not force the behavior.  In your example, "Not
Configured" doesn't effect a policy that is configured, even if there are 20
of them. So it should work unless that policy is being filtered out by
something.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Friday, March 30, 2007 5:55 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

 

Darren thanks. I did do some testing and with that option checked (Process
even if the Group Policy objects have not changed) that registry key does
NOT change to "0" like it would need to in order for the GPO to process
regardless if the GPO changed or not. 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3
B}]

 

"NoGPOListChanges"=dword:00000001

 

If I manually change this key to "0", then the GPO DOES process regardless,
if I do not manually change it withing the registry, the GPO does NOT do it?
What am I missing if anything here. I have seen numerous web sites on this
issue and without a resolution except for manually or programatically
changes that value to 0. Not sure why my GPO does not do it.

 

If have 20 something GPO, all except for this one are "Not Configured". Does
that mean if this one is configured and the others are not the others will
override this one?

 

Thanks,

 

Craig

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, March 29, 2007 3:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Internet Explorer Processing Issues - automatic
configuration script 

Craig-

If you have a GPO that is turning off NoGPOListChanges (by setting it to 1)
then you should see that in GPResults. You can also try downloading and
running my GPExpert Health Reporter product
(www.sdmsoftware.com/products.php) against that system, which will tell you
if that option is set on a given machine for a CSE ( among other things).

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Buonora, Craig (GE, Research, consultant)
Sent: Thursday, March 29, 2007 6:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Internet Explorer Processing Issues - automatic
configuration script 

 

I have an issue where my automatic configuration script does not reset after
the given period of time within the GPO. 

 

Background:

 

The GPO is not in Preference mode as I understand if it was the policy or
the settings would never reset. In the policy also under the Computer
Configuration portion of this GPO I have the options set to Process even if
the Group Policy objects have not changed ; still the settings do not revert
back if a users changes them, unless the users reboots their machine or does
a manual GPO refresh. I have ~ 20 other GPO, this one is not processed first
[I do not believe]. Also, I looked at the NoGPOListChanges within the
registry on a few machines within the same OU that they GPO is applied. The
key is set to "1' which I understand to mean this option is turned off. 

 

So my question if this key needs to be turned on (set to "0") and I did this
within one (this particular GPO for IE) are my other GPO turning this option
off  which in turn making this option not work? How can I ensure this option
is turned on and stays on? Also, am I correct in saying this option needs to
be turned on? Am I missing something else within my GPO that would not make
this GPO force the change to the automatic configuration script?

 

Thanks in advance for the help.

 

 

 



 

 

 

 

 

Craig

 

JPEG image

Other related posts: