Yes, that is because GPMC on XP does not process/understand GPP settings, even with the CSE installed. You have to run it from a 2008 Server or Vista SP1 RSAT system. Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of John Sent: Monday, October 20, 2008 8:50 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP Well if I use the GP Results Wizard in the Vista GPMC (which we use to manage GPP), then yes it shows that the settings applied. On Tue, Oct 21, 2008 at 12:46 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote: John- In general I don't like gpresult.exe. It simply is too hard to read. I like the GP Results Wizard in GPMC. That should clearly show if the settings have been processed by remote machine. Now, that being said, GP Results/RSOP does not actually guarantee that the settings are in place, but just that the GP engine *thinks* they are. Still, that is better than nothing and confirming that the settings are actually being processed gets you part-way there. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of John Sent: Monday, October 20, 2008 6:25 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP Sorry I should have clarified. I have the GPP CSE installed. Using say RSOP or gpresult from the machine does not show the GPP settings that have applied. If I do a gpresult using the Vista machine where the updated GPMC is installed shows the GPO applied. On Tue, Oct 21, 2008 at 12:19 PM, Alan & Margaret <syspro@xxxxxxxxxxxxxxxx> wrote: Hi John, You need to install the CSE extensions for preferences. http://www.microsoft.com/downloads/details.aspx?FamilyID=e60b5c8f-d7dc-4 b27-a261-247ce3f6c4f8&displaylang=en Check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05 183D0} to see if it is present. Alan Cuthbertson Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor(Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of John Sent: Tuesday, 21 October 2008 12:07 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP Thats a good point. We're running XPSP3 anbd using a vista machine on a 2003 domain (no 2008 DCs). How can I get an RSOP of the actual settings applied to the XPSP3 machine? On Tue, Oct 21, 2008 at 4:49 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote: OK. So in RSOP does it explicitly show those settings as applying, rather than just showing the GPO as applying? Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of John Everyman Sent: Monday, October 20, 2008 10:02 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP Hi Darren, Yeah I saw that article which prompted me to investigate changing the SSL settings via GPP as I didn't realise you could selectively ignore certain IE settings using F5-F8! That article actually has a screenshot of the settings I am trying to change. Use SSL2/3/TLS all have green circles and SSL2 is unchecked. Still no dice. cheers -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, 21 October 2008 3:49 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting TLS/SSL for IE7 using GPP It's a timely question--check out this recent GP Product team blog posting and see if it doesn't help: http://blogs.technet.com/grouppolicy/archive/2008/10/13/red-green-gp-pre fere nces-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-forc e.as <http://blogs.technet.com/grouppolicy/archive/2008/10/13/red-green-gp-pr eferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate -force.as> px Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of John Everyman Sent: Monday, October 20, 2008 9:43 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Setting TLS/SSL for IE7 using GPP Hi all. I am trying to disable SSL2 and enable TLS via GPP. We have IE7 deployed so I am using the IE7 settings. I've set all settings to ignore and used F6 to actively select the SSL/TLS settings (green circle). I've checked SSL3 and TLS and unchecked SSL2 but after rebooting and logging in SSL2 is still checked. I've done an RSOP and the GPO has applied. Any ideas? *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.