[gptalk] Re: Vista - Enable Protected Mode

  • From: "Salandra, Justin" <jsalandra@xxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2008 09:15:15 -0400

RSAT will work on Vista SP1 or 2008, but you can use for to manage 2003

 

Justin A. Salandra

Network Engineer

jsalandra@xxxxxxxxxxx

 ------------------------------------------

 

 

            

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tim Bolton
Sent: Wednesday, August 20, 2008 8:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode

 

I just noticed that this references Server 2008 only.

 

They currently do not have a 2008 Server.  2003 R2 SP2 is the newest DC.
Will RSAT work with Server 2003 or do I need to keep the 2003 Admin Pack
Loaded..?

 

 



 

On Wed, Aug 20, 2008 at 7:38 AM, Tim Bolton <jsclmedave@xxxxxxxxx>
wrote:

I was setting the sit-to-zone assignments (all default settings).  The
GPO was Linked but NOT enabled.  There was an issue while documenting
that were the payroll person could not access an important site.  Of
course all eyes looked my way...  This turned out to be a Server Side
500 error.  Nothing I was doing - or the new ISA server - had anything
to do with it.  However the GPO was deleted to make sure and several
gpupdate /force commands were run.

 

So now I recreated the GPO with the same settings.  This time it is
neither Linked or Enabled.  I am now getting a call from one of the
directors that his Vista PC is prompting him to load ActiveX controls
for almost everyone of their frequented sites.  If they place the site
into their Trusted Sites the are no longer prompted.  This is an option
that is not acceptable and once again all eyes are looking my way.

 

1) Would setting the sit-to-zone assignments (all default settings)
cause the Vista PCs to start prompting?  I thought that Protected Mode
was on by Default..?

 

2) To verify that I made any changes or to turn off Protected Mode I
would have to make changes to the UAC settings in GP.  Is this not the
case..?

 

3) Would anything that I have done caused this issue?  I don't see how,
but I have minimal testing with Vista only.  I do not even own a copy.
Most of my time has been spent trouble shooting and documenting what I
have found for an upcoming migration to new equipment, so changes have
been absolutely minimal.

 

Feel free to shoot me an email off line if you want further info
jsclmedave at Gmail DOT com

On Tue, Aug 19, 2008 at 7:21 PM, Darren Mar-Elia <darren@xxxxxxxxxx>
wrote:

I'm a bit confused, Tim, by what your issue is. Is it that you set some
site-to-zone assignments on IE, then removed the underlying GPO, and
they are still being delivered? I guess I'm missing the connection
between UAC and what you're seeing...


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Salandra, Justin
Sent: Tuesday, August 19, 2008 5:12 PM 


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode

 

Try installing the RSAT tools on Vista SP1

 

Justin A. Salandra

Network Engineer

jsalandra@xxxxxxxxxxx

 ------------------------------------------

 

 

          

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tim Bolton
Sent: Tuesday, August 19, 2008 5:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Vista - Enable Protected Mode

 

I am going to try to RDP into a vista box in the morning then load the
client side GP there.  I was also going to run
 
GPRESULT /H %TEMP%\UserRSOP.htm /scope user 
and
GPRESULT /H C:\ComputerRSOP.htm /scope computer

Especially sine RSOP does not work correctly on Vista SP1.

 

Not sure what else to do...

 

 

 

On Tue, Aug 19, 2008 at 4:18 PM, Salandra, Justin <
jsalandra@xxxxxxxxxxx> wrote:

You  will not see the UAC settings from a 2003 Server running GPMC, can
you run it for a Vista machine?

 

Justin A. Salandra

Network Engineer

jsalandra@xxxxxxxxxxx

 ------------------------------------------

 

 

Error! Filename not specified.          Error! Filename not specified.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tim Bolton
Sent: Tuesday, August 19, 2008 4:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista - Enable Protected Mode

 

I am working with a new site and was setting the Internet Security Zones
for IE6 and IE7.

 

The GP was Linked but not enforced.  I was setting them to the Default
Zone Settings when an issue arose with access to a site for a user
completing payroll.

 

This turned out to be a Server Side error.  However, for a just in case
measure, the new GP was un-linked and then deleted.  I ran gpupdate
/force to clean up any issues.

 

We installed an ISA server about a month ago.  Since then no changes
have been made to it.

 

 

Now I am told that the Vista PCs are getting prompted to add ActiveX
controls.  When the user RT clicks they only get info not the ability to
add.  The users are able to add the site to the Trusted List and that
takes care of the prompt.  

 

However, the users do not want to have to perform this task for every
site they go to and they are indicating that this started a couple of
weeks ago, even though they have had these Vista PCs for over a year.

 

I am checking ISA one more time.

 

I have run the modeling test with that user and all indications are that
the Default Domain policy is winning out.

 

However, since I am RDPing into a 2003 Server, I cannot even see the
Vista UAC settings or anything else that would affect Vista.

 

Would the settings to IE6 and IE7 apply to the Vista instance even
though it was not enforced?

 

The ONLY thing I done this last week and this week is document AND
gpupdate /force.  I am wondering if I woke up the Vista PCs..?

 

 

Any advice will be greatly appreciated...

 



-- 
Tim Bolton

"IMPORTANT NOTICE: The information in this email 
(and any attachments hereto) is confidential and may be 
protected by legal privileges and work product immunities. 
If you are not the intended recipient, you must not use or 
disseminate the information. Receipt by anyone other than the 
intended recipient is not a waiver of any attorney-client or work 
 
product privilege. If you have received this email in error, please 
immediately notify me by "Reply" command and permanently 
delete the original and any copies or printouts thereof. Although 
this email and any attachments are believed to be free of any virus 
or other defect that might affect any computer system into which it
is received and opened, it is the responsibility of the recipient to 
insure that it is virus free and no responsibility is accepted by 
Transatlantic Reinsurance Company or its subsidiaries or affiliates 
either jointly or severally, for any loss or damage arising in any way 
from its use."
 
 
 




-- 
Tim Bolton

"IMPORTANT NOTICE: The information in this email 
(and any attachments hereto) is confidential and may be 
protected by legal privileges and work product immunities. 
If you are not the intended recipient, you must not use or 
disseminate the information. Receipt by anyone other than the 
intended recipient is not a waiver of any attorney-client or work 
 
product privilege. If you have received this email in error, please 
immediately notify me by "Reply" command and permanently 
delete the original and any copies or printouts thereof. Although 
this email and any attachments are believed to be free of any virus 
or other defect that might affect any computer system into which it
is received and opened, it is the responsibility of the recipient to 
insure that it is virus free and no responsibility is accepted by 
Transatlantic Reinsurance Company or its subsidiaries or affiliates 
either jointly or severally, for any loss or damage arising in any way 
from its use."
 
 
 





-- 
Tim Bolton




-- 
Tim Bolton


"IMPORTANT NOTICE: The information in this email 
(and any attachments hereto) is confidential and may be 
protected by legal privileges and work product immunities. 
If you are not the intended recipient, you must not use or 
disseminate the information. Receipt by anyone other than the 
intended recipient is not a waiver of any attorney-client or work 
product privilege. If you have received this email in error, please 
immediately notify me by "Reply" command and permanently 
delete the original and any copies or printouts thereof. Although 
this email and any attachments are believed to be free of any virus 
or other defect that might affect any computer system into which it
is received and opened, it is the responsibility of the recipient to 
insure that it is virus free and no responsibility is accepted by 
Transatlantic Reinsurance Company or its subsidiaries or affiliates 
either jointly or severally, for any loss or damage arising in any way 
from its use."

JPEG image

JPEG image

Other related posts:

  1. Home
  2. gptalk
  3. Archive
  4. 08-2008