[gptalk] Re: Vista - Enable Protected Mode
- From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 20 Aug 2008 07:17:12 -0700
If the GPO was never enabled or even linked in your 2nd case, there is no
way in heck that it will be applied to any systems. You can confirm that by
running GP Results against one of those systems. In any case, I don't see
anything that you did effecting those ActiveX prompts. Also note that
setting site-to-zone assignments has no impact at all on whether IE runs in
Protected mode.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tim Bolton
Sent: Wednesday, August 20, 2008 5:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode
I was setting the sit-to-zone assignments (all default settings). The GPO
was Linked but NOT enabled. There was an issue while documenting that were
the payroll person could not access an important site. Of course all eyes
looked my way... This turned out to be a Server Side 500 error. Nothing I
was doing - or the new ISA server - had anything to do with it. However the
GPO was deleted to make sure and several gpupdate /force commands were run.
So now I recreated the GPO with the same settings. This time it is neither
Linked or Enabled. I am now getting a call from one of the directors that
his Vista PC is prompting him to load ActiveX controls for almost everyone
of their frequented sites. If they place the site into their Trusted Sites
the are no longer prompted. This is an option that is not acceptable and
once again all eyes are looking my way.
1) Would setting the sit-to-zone assignments (all default settings) cause
the Vista PCs to start prompting? I thought that Protected Mode was on by
Default..?
2) To verify that I made any changes or to turn off Protected Mode I would
have to make changes to the UAC settings in GP. Is this not the case..?
3) Would anything that I have done caused this issue? I don't see how, but
I have minimal testing with Vista only. I do not even own a copy. Most of
my time has been spent trouble shooting and documenting what I have found
for an upcoming migration to new equipment, so changes have been absolutely
minimal.
Feel free to shoot me an email off line if you want further info jsclmedave
at Gmail DOT com
On Tue, Aug 19, 2008 at 7:21 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
I'm a bit confused, Tim, by what your issue is. Is it that you set some
site-to-zone assignments on IE, then removed the underlying GPO, and they
are still being delivered? I guess I'm missing the connection between UAC
and what you're seeing.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Salandra, Justin
Sent: Tuesday, August 19, 2008 5:12 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode
Try installing the RSAT tools on Vista SP1
Justin A. Salandra
Network Engineer
jsalandra@xxxxxxxxxxx
------------------------------------------
MCSE(rgb) MCTS(rgb)_528_534
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tim Bolton
Sent: Tuesday, August 19, 2008 5:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode
I am going to try to RDP into a vista box in the morning then load the
client side GP there. I was also going to run
GPRESULT /H %TEMP%\UserRSOP.htm /scope user
and
GPRESULT /H C:\ComputerRSOP.htm /scope computer
Especially sine RSOP does not work correctly on Vista SP1.
Not sure what else to do...
On Tue, Aug 19, 2008 at 4:18 PM, Salandra, Justin <jsalandra@xxxxxxxxxxx>
wrote:
You will not see the UAC settings from a 2003 Server running GPMC, can you
run it for a Vista machine?
Justin A. Salandra
Network Engineer
jsalandra@xxxxxxxxxxx
------------------------------------------
Error! Filename not specified. Error! Filename not specified.
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tim Bolton
Sent: Tuesday, August 19, 2008 4:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista - Enable Protected Mode
I am working with a new site and was setting the Internet Security Zones for
IE6 and IE7.
The GP was Linked but not enforced. I was setting them to the Default Zone
Settings when an issue arose with access to a site for a user completing
payroll.
This turned out to be a Server Side error. However, for a just in case
measure, the new GP was un-linked and then deleted. I ran gpupdate /force
to clean up any issues.
We installed an ISA server about a month ago. Since then no changes have
been made to it.
Now I am told that the Vista PCs are getting prompted to add ActiveX
controls. When the user RT clicks they only get info not the ability to
add. The users are able to add the site to the Trusted List and that takes
care of the prompt.
However, the users do not want to have to perform this task for every site
they go to and they are indicating that this started a couple of weeks ago,
even though they have had these Vista PCs for over a year.
I am checking ISA one more time.
I have run the modeling test with that user and all indications are that the
Default Domain policy is winning out.
However, since I am RDPing into a 2003 Server, I cannot even see the Vista
UAC settings or anything else that would affect Vista.
Would the settings to IE6 and IE7 apply to the Vista instance even though it
was not enforced?
The ONLY thing I done this last week and this week is document AND gpupdate
/force. I am wondering if I woke up the Vista PCs..?
Any advice will be greatly appreciated...
--
Tim Bolton
"IMPORTANT NOTICE: The information in this email
(and any attachments hereto) is confidential and may be
protected by legal privileges and work product immunities.
If you are not the intended recipient, you must not use or
disseminate the information. Receipt by anyone other than the
intended recipient is not a waiver of any attorney-client or work
product privilege. If you have received this email in error, please
immediately notify me by "Reply" command and permanently
delete the original and any copies or printouts thereof. Although
this email and any attachments are believed to be free of any virus
or other defect that might affect any computer system into which it
is received and opened, it is the responsibility of the recipient to
insure that it is virus free and no responsibility is accepted by
Transatlantic Reinsurance Company or its subsidiaries or affiliates
either jointly or severally, for any loss or damage arising in any way
from its use."
--
Tim Bolton
"IMPORTANT NOTICE: The information in this email
(and any attachments hereto) is confidential and may be
protected by legal privileges and work product immunities.
If you are not the intended recipient, you must not use or
disseminate the information. Receipt by anyone other than the
intended recipient is not a waiver of any attorney-client or work
product privilege. If you have received this email in error, please
immediately notify me by "Reply" command and permanently
delete the original and any copies or printouts thereof. Although
this email and any attachments are believed to be free of any virus
or other defect that might affect any computer system into which it
is received and opened, it is the responsibility of the recipient to
insure that it is virus free and no responsibility is accepted by
Transatlantic Reinsurance Company or its subsidiaries or affiliates
either jointly or severally, for any loss or damage arising in any way
from its use."
--
Tim Bolton
Other related posts:
