[gptalk] Re: Setting TLS/SSL for IE7 using GPP

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 21 Oct 2008 11:17:43 -0500

Yes, that is because GPMC on XP does not process/understand GPP
settings, even with the CSE installed.  You have to run it from a 2008
Server or Vista SP1 RSAT system.

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com <http://www.dvn.com/> 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of John
Sent: Monday, October 20, 2008 8:50 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP

 

Well if I use the GP Results Wizard in the Vista GPMC (which we use to
manage GPP), then yes it shows that the settings applied.



On Tue, Oct 21, 2008 at 12:46 PM, Darren Mar-Elia <darren@xxxxxxxxxx>
wrote:

John-

In general I don't like gpresult.exe. It simply is too hard to read. I
like the GP Results Wizard in GPMC. That should clearly show if the
settings have been processed by remote machine. Now, that being said, GP
Results/RSOP does not actually guarantee that the settings are in place,
but just that the GP engine *thinks* they are. Still, that is better
than nothing and confirming that the settings are actually being
processed gets you part-way there. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of John
Sent: Monday, October 20, 2008 6:25 PM


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP

 

Sorry I should have clarified. I have the GPP CSE installed. Using say
RSOP or gpresult from the machine does not show the GPP settings that
have applied. If I do a gpresult using the Vista machine where the
updated GPMC is installed shows the GPO applied.

On Tue, Oct 21, 2008 at 12:19 PM, Alan & Margaret
<syspro@xxxxxxxxxxxxxxxx> wrote:

Hi John,

 

You need to install the CSE extensions for preferences.
http://www.microsoft.com/downloads/details.aspx?FamilyID=e60b5c8f-d7dc-4
b27-a261-247ce3f6c4f8&displaylang=en 

 

Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05
183D0} to see if it is present.

 

Alan Cuthbertson

 

 

 Policy Management Software (Now with ADMX and Preference support):-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor(Now with ADMX support):-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of John
Sent: Tuesday, 21 October 2008 12:07 PM


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP

 


Thats a good point. We're running XPSP3 anbd using a vista machine on a
2003 domain (no 2008 DCs). How can I get an RSOP of the actual settings
applied to the XPSP3 machine?

On Tue, Oct 21, 2008 at 4:49 AM, Darren Mar-Elia <darren@xxxxxxxxxx>
wrote:

OK. So in RSOP does it explicitly show those settings as applying,
rather
than just showing the GPO as applying?


Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of John Everyman

Sent: Monday, October 20, 2008 10:02 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP

Hi Darren,

Yeah I saw that article which prompted me to investigate changing the
SSL
settings via GPP as I didn't realise you could selectively ignore
certain IE
settings using F5-F8! That article actually has a screenshot of the
settings
I am trying to change. Use SSL2/3/TLS all have green circles and SSL2 is
unchecked. Still no dice.

cheers

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of Darren Mar-Elia
Sent: Tuesday, 21 October 2008 3:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP

It's a timely question--check out this recent GP Product team blog
posting
and see if it doesn't help:

http://blogs.technet.com/grouppolicy/archive/2008/10/13/red-green-gp-pre
fere
nces-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-forc
e.as
<http://blogs.technet.com/grouppolicy/archive/2008/10/13/red-green-gp-pr
eferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate
-force.as> 
px

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On
Behalf Of John Everyman
Sent: Monday, October 20, 2008 9:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Setting TLS/SSL for IE7 using GPP

Hi all.

I am trying to disable SSL2 and enable TLS via GPP. We have IE7 deployed
so
I am using the IE7 settings. I've set all settings to ignore and used F6
to
actively select the SSL/TLS settings (green circle). I've checked SSL3
and
TLS and unchecked SSL2 but after rebooting and logging in SSL2 is still
checked. I've done an RSOP and the GPO has applied. Any ideas?

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at http://www.freelists.org/archives/gptalk/
************************

 

 

 


Confidentiality Warning: This message and any attachments are intended only for 
the use of the intended recipient(s), are confidential, and may be privileged. 
If you are not the intended recipient, you are hereby notified that any review, 
retransmission, conversion to hard copy, copying, circulation or other use of 
all or any portion of this message and any attachments is strictly prohibited. 
If you are not the intended recipient, please notify the sender immediately by 
return e-mail, and delete this message and any attachments from your system. 

Other related posts: