Hmm… the only thing that even remotely comes to mind then is if by chance you had an old IE Maintenance policy that wasn’t fully deactivated which is taking precedence, as I had to troubleshoot one about 8 to 10 years ago. That particular portion of GPO is a strange beast in that it actually generates a file in the GPO that gets applied like an old IEAK setting would. If you remove settings from that portion of a policy, you have to be careful to also clean it up, which is done by right-clicking and choosing an option something along the line of disable, remove, or deactivate for that policy section.
I would give you more exact syntax, but we moved away from this setting partly because of IE 10 changes (at the time) that we were going to use GPP for and because it’s actually no longer visible and supported (deprecated) in newer version versions of GPOs, I think for IE 11. So, depending on which editor you’re using, it may only show up as extra registry settings, but I’m not sure you can even see that much. https://technet.microsoft.com/en-us/library/jj890998.aspx https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11 And according to the second article, those settings won’t even apply to IE 10 or newer, although YMMV. It’s possible you may have other IE Maintenance options hiding in an old policy that you’re not aware of where it wasn’t deactivated/removed. You can see the file itself in the Sysvol GUID policy folder, but I wouldn’t recommend trying to change anything from there, just to see if it exists. -Bonnie From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife Sent: Friday, January 27, 2017 10:52 AM To: [email protected] Subject: RE: [NTSysADM] Group Policy question Not solved yet. We’re using User Configuration – Policies – Windows Settings – Internet Explorer Maintenance – Connection/Automatic Browser Configuration We have another policy that disables the Connections tab. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Miller Bonnie L. Sent: Friday, January 27, 2017 7:43 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question Did you solve this yet? Just getting caught up, and I’m wondering if you may be using GPP to apply the proxy settings like we do. If so, are you using any targeting it the preference item that may exclude the user accounts in question? -Bonnie From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Wednesday, January 25, 2017 12:17 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question Scratch that. Disabling the link makes the GPO show as Denied in the report. (I forgot to do “gpupdate” first.) From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Charles F Sullivan Sent: Wednesday, January 25, 2017 3:05 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question There is one thing I just thought of. Is the GPO link enabled in the OU that is applicable to the user? I’m noticing that if the link is disabled, the report shows the GPO as being applied but shows none of the settings. Sounds like your exact behavior. In the report there’s nothing that says whether or not it’s linked as far as I can see so you’d have to actually check the OU (or parent OU or whatever is applicable). There’s also the possibility of Block Inheritance on the user’s OU, but I don’t think you would see the GPO as applied in in the report if that were the case. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Heaton, Joseph@Wildlife Sent: Wednesday, January 25, 2017 2:13 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question I have an auditing software that can tell me where a user logged in. I ran that on the user in question and myself. We have not been logging in on the same DC, but I did look at both of the DCs that we were using, and compared the policy folder timestamp there with the timestamp on my main GP management server. The timestamps are all the same. That said, if I’m looking at the GPO, on Details tab, it shows Modified with a timestamp of yesterday. The timestamp on the policy GUID folder in sysvol\domain\Policies is from April of 2016. Am I looking in the wrong place, or does that sound odd? Also, I did run repadmin /showrepl, and repadmin /replsummary, and neither of those had any errors. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Wednesday, January 25, 2017 9:47 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question I’m pretty stumped, but maybe you could try making sure that when you run GPMC for the other user, that it uses the same DC as when you run it for yourself to confirm it’s not something like a replication issue. Alternatively, get the GUID for the GPO, then check the respective folder under SYSVOL on each DC to make sure that gpt.ini has the same time stamp on each one. (Assuming you don’t have a large number of DCs to check!) Also, if you could maybe inconvenience the user to log on to your workstation so that a profile is created, then you would be able to choose that account for the user settings next time you run RSOP. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Heaton, Joseph@Wildlife Sent: Wednesday, January 25, 2017 11:58 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question The settings themselves are not being applied. The last time group policy was processed: 1/25/2017 8:26:02 AM (from summary page) Under Applied GPOs, the policy in question is listed as applied. The odd thing is this: [cid:[email protected]] I’m wondering what the Revisions are off. If I look at the GPO itself, on the Details tab, it shows the same revision in AD and sysvol. On the specific policy I’m looking at (CDFW Proxy Policy), there are no WMI filters. It’s linked to 2 OUs, not in a direct path of each other, and it is applied to Authenticated Users. The above is for a user, on their machine. If I run the same report for me on my machine, I do have the settings applied, the settings do appear in the report, and the revision info is as above. This is not a new policy. It was created 9/1/2015, and it is used to set the proxy settings in IE. It has been working well since it was created, but in the past couple of days, I’ve heard of a couple of users that it is no longer working for. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Wednesday, January 25, 2017 7:17 AM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question Is it only that the reporting is wrong, or does the user also not get the settings applied? When you run the Results Wizard from GPMC on the Summary tab are there any errors and does it show a recent time stamp for the last user policy refresh? On the Details tab under User Details > Applied GPOs, if you show the details for the GPO in question does everything look right? Are there any Security Filters or WMI Filters that might affect the user? (Possibly certain permissions like Allow Read but not Apply GP might cause this, but I’m not certain.) From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Heaton, Joseph@Wildlife Sent: Tuesday, January 24, 2017 5:25 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question OK. I’ve done the Group Policy Results wizard for the user in question on their PC, and for myself on my PC. I have the policy applied correctly, the user does not. The Group Policy Results wizard shows the policy in question is applied, but the settings don’t show up in the report. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Tuesday, January 24, 2017 1:31 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Group Policy question It worked correctly for me when I tried to reproduce the problem. Try the Group Policy Results Wizard in the GPMC for the same user to see if you get different results. The HTML output is better there anyway. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Heaton, Joseph@Wildlife Sent: Tuesday, January 24, 2017 3:50 PM To: 'NT System Admin Issues Discussion list' <[email protected]<mailto:[email protected]>> Subject: [NTSysADM] Group Policy question What would cause gpresult /USER jsmith /R to show a specific group policy as being applied, but if you do a gpresult /USER jsmith /H c:\test.html, the report does not show any of the settings of that policy? Joe Heaton Information Technology Operations Branch Data and Technology Division CA Department of Fish and Wildlife 1700 9th Street, 3rd Floor Sacramento, CA 95811 Desk: (916) 323-1284 Every Californian should conserve water. Find out how at: [SaveOurWater_Logo]<http://saveourwater.com/> SaveOurWater.com<http://saveourwater.com/> · Drought.CA.gov<http://drought.ca.gov/>
