I'd forgotten about this e-mail. I haven't been in touch with Microsoft much since this original e-mail due to holiday vacations but I'm expecting a call from them today. Their initial response was that they don't recommend using custom policies for applying the IE settings available to be managed by the IE maintenance policies. Of course that probably just means they wouldn't support it if I ran into issues.
I wish we were ready to with GPP. Unfortunately, this roaming profile migration takes precedence over our migration to 2008 AD. - Sean On Wed, Jan 5, 2011 at 7:57 AM, Free, Bob <[email protected]> wrote: > >I'm sure there's a reason the IE Maintenance Policies were created and > behave the way they do > > > > If you figure that out, let us know J > > > > They are one of the most maligned contraptions MS has ever come up with. A > few years ago I belabored the point with the GP PM and the answer was > basically, “We know, GPP will be the solution” > > > > We tried it briefly on Citrix a long time ago and went a different > direction. We do have them on some specialized workstations and they sort of > work but the desktop folks complain that if they have to move the PC out of > the policy’s scope, some elements of the policy linger no matter what they > do and the easiest solution is to re-image. > > > > *“IE Maintenance, is, to put it bluntly, a pile of crap code. So, you > often have to torture it to get it to do what you want.” Darren Mar-Elia -- > Group Policy MVP*** > > * * > > *From:* Sean Martin [mailto:[email protected]] > *Sent:* Monday, December 20, 2010 1:30 PM > *To:* NT System Admin Issues > *Subject:* IE Maintenance Policies > > > > After a few years of dealing with IE Maintenance Policies, I've finally > gotten fed up dealing with their apparent "flakiness" in Citrix environments > where IE is launched as a published app. It wasn't until recently that I > found out there are known issues with certain policy settings applying > correctly in this scenario. > > > > By flakiness, I'm referring to proxy settings, security zone and privacy > settings not applying correctly. > > > > The issues being faced were recently brought to light when we migrated one > of our departments to a new roaming profile environment. We currently use > roaming profiles in a Citrix environment with multiple application silos. > This has led to many profile related issues mostly due to LWW scenarios. > We've deployed new policies so that users logging into each application silo > will access a specific profile for that silo. > > > > Anyway, we wanted to be certain no lingering issues were brought into the > user's new profile so their old profiles were deleted. Upon their next > login, the migrated users had new profiles created. This highlighted the > issue where certain IE policy settings were not being applied correctly. I > worked with Microsoft for a couple of days and tried different solutions > (switching between preference mode and no preference mode), running a login > script with "runonce.exe /alternateshellstartup", etc. Nothing appears to be > working and RSOP shows no issues. > > > > As a result of all this, I decided to put together my own .adm templates > with the relavant policy settings. My initial testing indicates everything > works perfectly. Although trusted sites are correctly configured, they do > not appear within the IE options dialogue, which is something I can live > with. Other than the additional overhead incurred whenever a change needs > to be made, and possibly having to redo my .adm templates if newer versions > of IE change the locations of these settings, can anyone think of a reason > why I would not want to move forward with my custom policies? I'm sure > there's a reason the IE Maintenance Policies were created and behave the way > they do. I just want to be sure I'm not missing out on some important > aspect. > > > > - Sean > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
