The Sysadmins

Tips and tricks from the Sysadmins

Category: Group Policy (page 1 of 2)

Internet Explorer 11 – HTML5 Black Screen

Issue

You are unable to play HTML5 videos in Internet Explorer 11; the HTML5 player displays only a black screen.

Fix

A post on the MSDN Blog states: In order to play HTML5 videos in the Internet Zone, you need to use the default settings or make sure the following registry key value 2701 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 is set to 0.

However, when setting the value of 2701 to 0 in this location, the value does not stick and reverts back to 3. Process Monitor showed that Group Policy was setting the value to 0, and then back to 3. Despite putting this policy last, and trying various other tactics, I was unable to change this behaviour.

To apply this setting, you can also use the following key location: HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3.

When set here, the value of 2701 will not revert back to 3 (disabled), and HTML5 video playback will be enabled.

You can set this via GPP.

Deploying Microsoft LAPS – Part 2

We recently covered preparing Active Directory and deploying the LAPS CSE/Client to the machines you wish to manage in part 1 of deploying Microsoft LAPS. Part 2 covers “Turning on” LAPS via Group Policy, the LAPS process and how it works once deployed.

Group Policy

On your LAPS management machine, head to C:\Windows\PolicyDefinitions, where you will find AdmPwd.admx and AdmPwd.adml (under en-US). Copy these files into your Group Policy Central Store. If you do not have a Central Store (and do not wish to create one), you can launch Group Policy Management Console directly from your management machine, or copy the ADMX/ADML to a Domain Controller where you will be editing the policy.


Create a new GPO and navigate to Computer configuration -> Policies -> Administrative Templates -> LAPS


Password Settings
This is where you’ll choose your password policy. The default is complex passwords, 14 characters and a password age of 30 days (machines will automatically change their password when this is met).

Group Policy – GPResult Examples

GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.

List GPOs Applied with Summary Data

Gpresult /r

/r Displays RSOP summary data

This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.

Here we see that 4 GPOs have applied to the Computer settings portion.

GPresult /r

If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope flag.

gpresult /r /scope:user
gpresult /r /scope:computer

The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.

Gpresult /r > gpresult.txt – Export output to a text file
Gpresult /r | clip – Export output to Windows clipboard

I can’t see the Computer Settings?

If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt, either by pressing the Windows key, typing cmd and then pressing Ctrl+Shift+Enter, or by right-clicking the command prompt and selecting Run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), you will receive an error message stating INFO: The user “domain\user” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.

gpresult /r /user:sa\edward.thomas


Generate HTML Report

Gpresult /h report.html /f
Gpresult /h report.html /user:sa\edward.thomas /f

/h Saves the report in HTML format
/f Forces GPresult to overwrite the file name specified with /h
/user Specifies the user name for which the RSOP data is to be displayed

To get a more graphical view of what’s going on, you can generate an HTML report. This gives a detailed breakdown of each setting and the GPO from which it came. This view is particularly nice as you can show all and use Ctrl+F to find a particular policy or setting.

GPResult /h html report

Run GPResult on Remote Computer

Gpresult /s server1 /r

/s Specifies the remote system to connect to

This allows you to run GPResult on a remote system; all of the above applies.

GPresult Remote Computer

The following GPOs were not applied because they were filtered out

Filtering Denied Security or Not Applied Empty

You may see this for a few reasons. The first is that the policy is empty, in which case you’ll see Filtering: Not Applied (Empty); this is fairly self-explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason), which is similar to (Security) in that the “Read” permission has been denied.

To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO and select Delegation; from there you may see an additional group or a single user or machine that has been added.

GPO Delegation Permissions

Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.

Deny Apply Group Policy

If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick or a red cross against it. If deny read has been granted, every permission will have a red cross next to it.
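The same check can be scripted across the whole result set. The following is an added example, not part of the original post: it saves the report as XML with gpresult /x and lists every GPO whose status fields show it was not eligible to apply. The function name Get-GpoApplyStatus is hypothetical, and the XML element names are an assumption about the RSoP report schema that you should confirm against your own report.

```powershell
# Added example, not from the original post. Run elevated to include computer results.
# Assumption: the XML report uses GPO child elements named Name, Enabled, IsValid,
# FilterAllowed and AccessDenied (RSoP report schema); verify against your own report.
function Get-GpoApplyStatus {
    param(
        [string]$User,   # e.g. sa\edward.thomas when elevated under a different account
        [string]$ReportPath = (Join-Path $env:TEMP 'gpresult.xml')
    )
    $gpArgs = @('/x', $ReportPath, '/f')          # /x = XML report, /f = overwrite
    if ($User) { $gpArgs += "/user:$User" }
    & gpresult.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult exited with code $LASTEXITCODE" }

    $rsop = New-Object System.Xml.XmlDocument
    $rsop.Load($ReportPath)
    # local-name() avoids having to register the report's XML namespace
    $text = { param($node, $child)
        $n = $node.SelectSingleNode("*[local-name()='$child']")
        if ($n) { $n.InnerText } }

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.SelectNodes("//*[local-name()='$scope']/*[local-name()='GPO']")) {
            [pscustomobject]@{
                Scope         = $scope -replace 'Results$'
                GPO           = & $text $gpo 'Name'
                Enabled       = & $text $gpo 'Enabled'
                IsValid       = & $text $gpo 'IsValid'
                FilterAllowed = & $text $gpo 'FilterAllowed'
                AccessDenied  = & $text $gpo 'AccessDenied'
            }
        }
    }
}

# GPOs to review in GPMC: access denied, filtered out, or disabled
Get-GpoApplyStatus |
    Where-Object { $_.AccessDenied -eq 'true' -or $_.FilterAllowed -eq 'false' -or $_.Enabled -eq 'false' } |
    Format-Table -AutoSize
```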

Effective Access for GPO Permissions

I hope this gives you the basics behind GPResult and some good real world examples to aid in your Group Policy troubleshooting.

Group Policy – Removing Internet Explorer Maintenance Settings

In the last few posts we’ve looked at moving away from Internet Explorer Maintenance within Group Policy as it has been deprecated from Internet Explorer 10 and above. There are two clean methods to remove these settings from Group Policy; the first is simply unlinking the GPO that has been configured with these settings. However, if you have configured IEM within your Default Domain Policy or another GPO that you’d like to continue using, you are able to remove any settings configured with Internet Explorer Maintenance by right clicking and choosing Reset Browser Settings.

Removing Internet Explorer Maintenance Settings

Group Policy – Internet Explorer Security Zones

There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Internet Explorer Site to Zone Assignment

Double click on the Site to Zone Assignment List, select enable and choose show to configure the options.

Internet Explorer Trusted Sites

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added http://intranet.corp.local to the Trusted sites (2).

Zone Assignments

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

Trusted Sites Greyed Out

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings for a given site.

Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings and Registry. Right click and choose new Registry Item. This is where you’ll configure the sites; you will need 1 registry item per site.

GPP Registry to Set Security Zones

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value Data uses the same as Site to Zone Assignment. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

This is what you will see on the client machine.

Trusted Sites Not Grayed Out

If you want to set the “Require server verification (https:) for all sites in this zone” with this method, you can do so by setting the following.

Require server verification (https:) for all sites in this zone

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Value name is Flags
  • Value type is REG_DWORD
  • Value data is 67 to untick this option, and 71 to tick it; make sure the base is set to Decimal
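Because the GPP method leaves the zone list editable, it is worth auditing what users have actually added. The following is an added example, not part of the original post: it reads the per-user ZoneMap keys described above, flags Trusted Sites entries that are not on an approved list, and reads the Flags value for zone 2. The function name Get-ZoneMapEntry and the $ApprovedTrusted list are hypothetical, and treating the value 4 as the HTTPS bit is inferred from the 67 and 71 values given above.

```powershell
# Added example: audit the per-user ZoneMap entries that the GPP method leaves editable.
# $ApprovedTrusted is a hypothetical allow-list; fill it with the sites your GPO deploys.
$ApprovedTrusted = @('http://intranet.corp.local')   # sample site used earlier in the post
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneMapEntry {
    param([string]$DomainsKey = "$Base\ZoneMap\Domains")
    if (-not (Test-Path $DomainsKey)) { return }
    # Keys are Domains\<domain>[\<subdomain>]; each value is <scheme> = <zone number>
    Get-ChildItem -Path $DomainsKey -Recurse | ForEach-Object {
        $key = $_
        [string[]]$parts = (($key.Name -split '\\Domains\\', 2)[1]) -split '\\'
        [array]::Reverse($parts)                      # website.com\www -> www.website.com
        $hostName = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if ($scheme -eq '') { continue }          # skip the unnamed default value
            $zone = $key.GetValue($scheme) -as [int]
            if ($null -eq $zone) { continue }
            [pscustomobject]@{
                Site     = '{0}://{1}' -f $scheme, $hostName
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
            }
        }
    }
}

$entries = @(Get-ZoneMapEntry)
$entries | Sort-Object Zone, Site | Format-Table -AutoSize

# Trusted Sites entries that were not deployed by policy (added by the user or other software)
$unapproved = $entries | Where-Object { $_.Zone -eq 2 -and $ApprovedTrusted -notcontains $_.Site }
foreach ($e in $unapproved) { Write-Warning "Unapproved Trusted Sites entry: $($e.Site)" }

# 67 and 71 differ only by 4, so that bit is taken to be the "require https:" tick box
$flags = (Get-ItemProperty -Path "$Base\Zones\2" -Name Flags -ErrorAction SilentlyContinue).Flags
if (($flags -band 4) -eq 0) {
    Write-Warning "Trusted Sites zone does not require https: (Flags = $flags)"
}
```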


Takeaway

  • Use Site to Zone Assignment to prevent users from editing the Security Zone Sites
  • Use Group Policy Preferences to allow users to edit the Security Zone Sites

Group Policy – Internet Explorer 11 Group Policy Preferences

With Internet Explorer 11 being released a couple of days ago for Windows 7 / Server 2008 R2 and Internet Explorer Maintenance being deprecated since IE10, you’re going to want to use one of the alternative methods (Group Policy Preferences, Administrative Templates or the Internet Explorer Administration Kit) to configure Internet Explorer for your organisation. If you’re used to configuring Internet Explorer with Group Policy Preferences, you’ll be thinking “not a problem” and install IE11 onto an administration machine or a server, assuming it will add the option to create a new GPP for Internet Explorer 11. This is what you’ll see if you try that.

Note – You will need Windows 8 / Server 2012 or above with RSAT to see the Group Policy preference settings for Internet Explorer 10.

Group Policy Preferences Internet Explorer 10

Where is the option to add an Internet Explorer 11 Group Policy Preference Internet Settings Policy?

There is no option. The Internet Explorer 10 option actually covers Internet Explorer from version 10 to … 99! That’s right 99. To prove this and to visually confirm this is the case, create a policy by using Internet Explorer 10 Internet Settings and find the unique ID of the GPO.


Browse to \\DC\SYSVOL\Domain\Policies\uniqueID\User\Preferences\InternetSettings and open the InternetSettings XML document in notepad. Note the 5th line which states version 10.0.0.0 -> 99.0.0.0.

IE10 GPP Internet Settings

If you’re looking to use Group Policy Preferences to configure Internet Explorer 11, using the Internet Explorer 10 Internet Settings option will work for version 11 and future releases of Internet Explorer.

Group Policy – Internet Explorer 10+ and the Death of IEM

If you’ve used Group Policy Internet Explorer Maintenance (IEM) to configure your organisation’s Internet Explorer settings and are looking to upgrade to IE10 or above, you will find that the settings defined with IEM will no longer work. Not only that, but if you try to modify the GPO from a machine running IE10 you will not be able to modify the GPO settings.


Settings configured with IEM are not automatically removed when you upgrade from IE9 -> IE10, however any changes made to the IEM GPO will not be reflected by the clients and any new users logging onto a machine with IE10 will not receive the IEM settings.

  • If UserA is logged onto a Windows 7 machine running IE9 and updates to IE10, the settings from IEM will be retained but not enforced by Group Policy.
  • If UserB logs onto the same Windows 7 machine for the first time after IE10 has been installed, they will not receive any IEM settings.
  • If you are deploying or using Windows 8 (which ships with IE10) no settings from IEM will apply, ever.

IEM has been dropped in favour of Group Policy Preferences, Administrative Templates and the Internet Explorer Administration Kit 10 (IEAK 10). This post will run you through a couple of common settings you may need to migrate across. I will cover setting the home page and proxy settings.

Setting Home Page with Group Policy Preferences

Open the Group Policy Management Console and create a new GPO. Browse to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings. Right click and choose New -> Internet Explorer 10. Why isn’t IE11 listed? See the post “Group Policy – Internet Explorer 11 Group Policy Preferences”.

Note – You will need Windows 8 / Server 2012 or above with RSAT to see the Group Policy preference settings for Internet Explorer 10.

Group Policy Preferences Internet Explorer 10

Enter the URL of the Home page you wish to set, and select start with home page. Notice the red dots underlining the home page entry.

Group Policy Preferences Internet Explorer 10 Home Page

You must press F5 (or F6) to confirm the entry. If you do not, the setting will not be applied. Once you have done so, the entry turns green.

Function keys:

F5 – Enable all settings on the current tab.
F6 – Enable the currently selected setting.
F7 – Disable the currently selected setting.
F8 – Disable all settings on the current tab.

Group Policy Preferences Internet Explorer 10 Home Page F5

Setting a Proxy with Group Policy Preferences

Create or modify an existing Internet Settings policy as explained above; this time head over to the Connections tab -> LAN Settings.

Internet Explorer 10 Group Policy Preferences Proxy Setting

Specify the proxy. Again, note the red dots showing that the settings have not been confirmed. Press F5 to confirm.

Internet Explorer 10 Group Policy Preferences Proxy Setting F5

Takeaway

  • Internet Explorer Maintenance will NOT apply to Internet Explorer 10 or above
  • You will not be able to modify existing IEM GPOs from machines with IE10 or above installed
  • Press F5 to confirm entries made to Group Policy Preferences Internet Settings; basically, make sure you’re green!