Group Policy for IE security option

Similar Messages

• Configuring group policy for user profiles in Windows Server 2012 R2 Domain

  Requesting some experts advise on configuring group policy for user profiles.
  We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
  The settings which I am concerned:
  1. Folder Redirection: Desktop, Documents, Favorites.
  2. Quota for Folder Redirection - 1 GB per user.
  3. Map a networked drive - 1 GB per user.
  4. Roaming profile - (Will ignore if it does not suit our requirement). 
  The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
  Thanks a lot for your valuable time and efforts.

  Hi,
  >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  This depends on where our outlook data files are stored. If these data files are stored under
  drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
  However, regarding your question, we can refer to the following thread to find the solution.
  Roam outlook profiles without roaming profiles
  http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
  In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
  Configuring Folder Redirection
  http://technet.microsoft.com/library/cc786749.aspx
  Hope it helps.
  Best regards,
  Frank Shen

• Group Policy for Windows Ten

  http://community.spiceworks.com/topic/1104098-windows-10-gpos

  Does anyone know if you need to have Server 2012 domain controller in order to setup group policy for windows ten?  Currently we are running Server 2008 R2 but I am starting to get devices with windows ten that I will need to control from group policy.  
  @CreativeTechie
  This topic first appeared in the Spiceworks Community

• Group Policy for Outlook Option: "Mark Messages as expired after this many days"

  In Outlook, there is a option where you can have Outlook "Mark Messages as expired after this many days".  If you enable this option, you fill in a number of days when Outlook will mark the message as expired.  The default is 180 days.
  The option is located under FILE -> Options -> Mail -> Send Messages.
  Does anyone know how to enable this setting via Group Policy? I can't find it.
  Thanks!

  Hi,
  Do you have the
  Office 2010 Administrative Templates loaded? If so, we can find the GPO setting under:
  Administrative Templates > Microsoft Outlook 2010 > Outlook Options > Preferences > E-mail Options > Advanced E-mail Options
  Double click "When sending a message" setting, select Enable bullet. Now, you can specify the "Messages expire after (days):" option.
  Regards,
  Steve Fan
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• Auto reboot / Manual reboot : easy way to apply group policy for each group without multiple AD links? Help appreciated

  Good morning,
  I have two policies for WSUS, one that auto-reboots the client and one that allows for manual reboots.  I'm sure this is very obvious, but i'm wanting to make sure I do this correctly.
  What's the easiest way to apply the policy for manual/auto reboots without having to go through my entire active directory tree and link it to each OU containing mixed computers?  
  I hope this makes sense, but I know i can set security groups and then set it for the scope, but if I go that route is there a way to apply it to all Domain Computers, EXCEPT those who are a member of security group "MPS - WSUS Manual" for example?
  Any input here is greatly appreciated
  Thank you

  If all the machines that you want to have the manual option are in a few select OUs then you could apply the auto reboot GPO to the root of the domain, and then link the manual GPO just to those GPOs containing the relevant machines. As explained here
  http://technet.microsoft.com/en-gb/library/cc785665(v=ws.10).aspx a policy applied to an OU overrides a policy applied to the domain as a whole.
  While I'm not sure, from your description I'm guessing that's the case, and they're actually mixed in throughout the domain? In which case, the other option might be to make use of group policies order or precedence. As described here
  http://blogs.msdn.com/b/muaddib/archive/2012/08/22/determine-gpo-precedence-with-gpmc-gpresult.aspx you'll see that the order that the GPOs are listed makes a difference to the order that they are applied, and the last to be applied takes precedence over
  those that come before. Therefore using that, if you applied the reboot policy to everyone, and then applied the manual one with a security filter so it only applied to your "MPS - WSUS Manual" group such that it had a higher precedence, all machines would
  receive the first GPO, but those machines in that group would have that overridden by the second policy.

• Group Policy for IE 9, 10, 11

  We have a mix of IE 9, 10, 11. When we deployed IE 10, 11 we updated ADM;s to coonfigure IE 10, 11 group policy.
  Now we have separate policies for IE 9, and IE10,11 as some settings change. However I have few questions:-
  1. If i want to change IE9 GPO settings, how can i do? As on all the machines when i open GPMC, it shows IE10, 11 settings and not IE maintenance thing.
  2. What is the significance of Require server verifications for all sites in this zone in the IE trusted sites? Also, it is checked by default and how can we change it using group policy?
  Please share your expert views on either or both questions. Appreciate any help!!

  Hi,
  1. If i want to change IE9 GPO settings, how can i do? As on all the machines when i open GPMC, it shows IE10, 11 settings and not IE maintenance thing.
  IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on. You must update your settings using Group Policy Preferences, Administrative Templates (.admx), or the Internet
  Explorer Administration Kit (IEAK).
  http://blogs.msdn.com/b/asiatech/archive/2014/05/12/how-to-apply-the-content-of-ie-settings-in-gpo-which-used-iem-ie-maintenance-before-ie10-to-ie10-version-since-iem-has-been-deprecated-begin-from-ie10.aspx
  2. What is the significance of Require server verifications for all sites in this zone in the IE trusted sites? Also, it is checked by default and how can we change it using group policy?
  Only sites with https:// prefix can be added to the Zone, it assures a secure connection
  This option is not avilable via GPP, but we can control it via registry, the related keys are stored under
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  or
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  you can find detailed information in the following link
  http://support.microsoft.com/kb/182569/en-us
  Then we can deploy the registry setting to all via GPO.
  Yolanda Zhu
  TechNet Community Support

• How to create a group policy for a group not to logout from rdp

  there is already a global policy for all users in OU which will disconnect a rdp session after 15 min of inactivity and log user out in another 15 min, (logout 30minutes)
  how do I create another policy  for a group in that OU so that group user will not be logged out ( executives are asking for this)?

  Hi,
  In addition to Martin’s suggestions, we can also choose to change the scope of the existing GPO with Security Filtering.
  Regarding Security Filtering, the following article can be referred to for more information.
  Security filtering using GPMC
  http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
  Filter Using Security Groups
  http://technet.microsoft.com/en-us/library/cc752992.aspx
  Best regards,
  Frank Shen

• Windows Server 2008 - Group policy for domain client to start/stop services installed on it

  Hello Experts
  I am a newbie to windows server administration , though did a Google  , but ended up with these question with my requirements
  I have created a new domain and 2 client/computer (A & B namely) to domain . Now A & B has tomcat server running with port 8080 , 9090 which i have installed
  domain ADMIN account .
  && now i am want to start/stop/restart services enabled for domain users  !! How do i achieve this !!
  basic question : How can i access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
  what is the easiest way to achieve the same , (if not using GPO)???
  similarly I am looking for many features : where I want to control the permission to user on (A & B ) like : If the binaries of tomcat is available on machine say : A , if the user can install (now
  it ask for ADMIN credentials) 
  Thanks
  Mike~Ed

  Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
  The limitation is that system services can only see the services the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software the adds the service)
  or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
  If my answer helped you, check out my blog:
  Deploy Happiness

• Allow log on through Remote Desktop Services Group Policy for Domain Controllers

  Hello,
  We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with the Remote Desktop Services. This is by default not allowed but according to many sites, it should be able to configure by using a Group Policy.
  We made a new Group Policy with the setting 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this
  security group and should be able to access the Domain Controllers now. However this isn't working.
  The error message we receive upon trying to connect:
  The connection was denied because the user account is not authorized for remote login.
  For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
  for solving our problem.
  What should we do to solve our problem?
  I hope to hear from you soon.
  Thanks in advance.

  Hi, I just found out what the problem was. This site helped me alot:
  http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
  In my case, I had the group added to the Allow Logon Through Remote Desktop Services but was not added to the Builtin\Remote Desktop Users group. After knowing this I made some changes to our situation and are now using the builtin\Remote Desktop Users group
  rather than a new self made Security Group. I also added the Remote Desktop Users to the Allow Logon Through Remote Desktop Service in the Default Domain Controllers Policy as this is not done by default. By default only the Domain Administrators are able
  to logon through remote desktop services.
  You do not need the 'Log on Locally' permission within the Group Policies.
  In short:
  Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
  Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
  Thank you anyway for the fast reply.
  Have a nice day!

• Group policy for Silent Java updates

  Hi,
  all users in my network getting popup messages for Java updates which is king of annoying when they are working on something. none of them got admin rights so they can not update java. 
  i don't want to go to every computer when they  got the popup and enter my credentials to allow update.
  is there any easy method (may be GP) to allow java updates to install with out asking admin details and with out giving popup.
  if i have to use scripting can some one assist me with the script ( i am a beginner with scripting).
  thank you,
  krishna 
  Krishna Gummadapu

  Hi,
  you have a few options.
  a) give the users the admin rights, so they can update Java.
  b) suppress the auto-update behaviour, so that Java never updates itself
  c) deploy the updated Java software to your computers (optionally also suppress the auto-update behaviour), and maintain deploying Java updates to your computers, forever.
  d) remove Java if it is not needed. Windows doesn't need Java, maybe some of your applications do need it.
  For (c), there are many options available to you, including Group Policy Software Installation, Startup scripts, System Center Configuration Manager, and many non-MS products which can perform software distribution for you.
  It can be a very similar challenge, for Adobe products, like FlashPlayer, AdobeReader, etc.
  There are many examples on www.itninja.com (formerly known as appdeploy.com), and many scripts on gallery/codeplex and in various deployment-focused blogs.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• How to configure group policy for emet via a command line

  I have been tasked with installing emet on 50 servers that I only have access to with our patching server (so I can't remote in and open the gpedit gui). I can get it to install, but now the problem that I'm facing is I need to enable 6 of the group policies
  for emet. Is there a way to do this while installing it? or a way to do it after the install?

  cmd line you need to deal with is in the C:\Program Files (x86)\EMET 4.1 folder
  specifically emet_conf --refresh would tell the systems to pull in the settings from a GPO they have already applied.
  In a non - SCCM environment I would probably recommend using group policy preferences and create a task scheduler item on your servers that runs emet_conf --import
  \\fileserver\settingsfile.xml on some sort of automated basis. Then you can just configure a client like you need and run the emet_conf --export
  \\fileserver\settingsfile.xml whenever you need to change a mitigation etc and the clients will pick up on the change on their next run of the task scheduler item.
  In general installing on servers isn't a great idea and is not the intended use case for emet however if you are DoD/Gov then DISA has mandated it so won't argue there.  There's also the people that still have Internet access from servers so then it
  would make sense in that environment as well.
  CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

• Windows Server 2012 Essentials - Implement Group Policy for the 1st time

  This is my first server. We have 15 users and 20 devices, all clients are running Win7 Pro.
  On the Dashboard, Devices tab, when I click on each device there is an option to implement Group Policy in the right-hand task pane. Does this mean I can implement it for one device at a time? Or will it happen for everyone in the domain?
  I'm hesitant to start. Is this something where I should wait for the weekend, so I can restore from a backup if need be?
  Thanks for your help
  Alan

  Time to get a basic Windows networking reference book and read up on group policy. Policies are applied by the system on a predicable refresh rate, which if memory servers is 15 minutes. This can be forced from the stations with the cli command "gpupdate
  /force" but in most cases there is little need to do so.
  Some, like folder redirection, only impact the stations on reboot/sign on
  Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

• Group Policy for Win 98?

  I have setup the User Group Policy portion of Zenworks 3.2 SP3 for our Win2k
  box's (IE6 Tools menu restrictions) but I am perplexed as how to do the same
  to our Win98 box's? The Zen .adm files (admin.adm and common.adm) under
  Win98 User extensible Policies do not allow for changes to IE Tools menu
  restrictions. Is there a way to push IE changes with user login policies?
  Any Ideas.
  Thank you for your thoughts

  Douglas,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses: http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Very specific group policy for IE 11

  Got a very interesting GPO I need created. I need a GPO that forces all users on a certain machine to use InPrivate browsing at all times while they are using IE. Or even for a specific website. 
  I have an application that has a bug that is fixed by using private browsing, weirdly enough. To limit problems with users saying "But I did use private browsing" I would ideally like to force the use of it while they are on the machine. If I have
  to apply it to a specific group, that will be fine too, but the end result needs to be private browsing they cannot turn off at all. 
  Any suggestions? Open to Powershell solutions, or creative options. 

  Hi Noah ,
  The only group policy I have found related to the InPrivateBrowsing is this :
  User Configuration, Administrative Templates, Windows Components, Internet Explorer, Privacy and Turn off InPrivate Browsing
  But it is used to turn on /off the Inprivate Browsing feature and it can not be used to force the Inprivate Browsing .
  I am afraid the only good option is to create a shortcut for the user if you want the user to open the Internet Explorer in private browsing mode every time .
  Best regards
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Need help in setting up Group Policy for same user in local system and Terminal server

  Hi All,
  Currently our remote users are using our network using VPN client over internet.
  They are generally at their home computer and doing VPN as they have to work only in one RDP server for application.
  We actually have a OU created for these RDP users and assign then some strict policy like they can not use any other .exe,they can not user any explorer ,they can not even use windows explorer when they are on RDP they just use one exe of their application.
  Now what my management want is they want their home computers in Domain and want them to login via their same credentials they are using for RDP but they don't want them to restrict in their home computers with any strict policy.
  Now my confusion is how can I configure different policies for same users or same OU.
  Can any one guide me please...

  you can achieve this fairly easily with group policy.
  create an OU and put your remote desktop servers in that OU.
  configure both user and computer policies in a group policy and link it to that ou.
  you need to enable loopback mode - you may want it in merge or replace depending on your other policies you have. Probably replace though I would guess. this is set in the computer configuration > admin templates > system / group policy section.
  now remove the policy you have currently setup for your users on the users OU containing the rdp users. If you want you can move these users back to your main users OU.
  when your users login to the RDP server the settings in the user section of the GPO linked to the RDP Servers OU will apply.
  when the user logs in to their own computer the policies from the user OU and computer OU will apply - but not the more restrictive RDP OU.
  hope that makes sense.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn: