Here's the scenario:
Domain is Server 2003 SP1/2000 Server SP4 at 2000 Functional Level, clients are mixed 2000 SP4 and XP SP2.
I have 2 GPOs at the root of my Domain: Default Domain Policy and Internet Settings. The latter is kept separate so that I can implement a "No Internet Access" security group.
I'm aware of the XP SP2 bug where Application Data Folder Redirection kills IE Maintenance policies, and that does not apply in my case.
Default Domain Policy contains no Internet Explorer Maintenance settings. I've verified this a number of ways, including the absence of an IEAK folder in the GPO folder under Sysvol.
I need to change some settings in the Trusted Sites security zone, and have mode the necessary modifications in my Internet Settings GPO. All is well so far.
Yet these settings do not come down onto PCs. Using RSOP I can see that - for some reason - Default Domain Policy takes precedence for these settings, and deploys the defaults to my users.
Linking my Internet Access policy to other OUs further down the tree does nothing to change this situation. Nor does switching it to "enforced". My AD replication is fine, everything has just been recently health checked and there are no errors. Windows Firewall is definitely switched off.
I could put the security zones settings into my Default Domain Policy, but that would mean having to split related settings across two different GPOs, which I really don't wish to do.
Anybody know what on earth is going on there?
________________________
Prevention is better than cure - fix it before it becomes broken.
Domain is Server 2003 SP1/2000 Server SP4 at 2000 Functional Level, clients are mixed 2000 SP4 and XP SP2.
I have 2 GPOs at the root of my Domain: Default Domain Policy and Internet Settings. The latter is kept separate so that I can implement a "No Internet Access" security group.
I'm aware of the XP SP2 bug where Application Data Folder Redirection kills IE Maintenance policies, and that does not apply in my case.
Default Domain Policy contains no Internet Explorer Maintenance settings. I've verified this a number of ways, including the absence of an IEAK folder in the GPO folder under Sysvol.
I need to change some settings in the Trusted Sites security zone, and have mode the necessary modifications in my Internet Settings GPO. All is well so far.
Yet these settings do not come down onto PCs. Using RSOP I can see that - for some reason - Default Domain Policy takes precedence for these settings, and deploys the defaults to my users.
Linking my Internet Access policy to other OUs further down the tree does nothing to change this situation. Nor does switching it to "enforced". My AD replication is fine, everything has just been recently health checked and there are no errors. Windows Firewall is definitely switched off.
I could put the security zones settings into my Default Domain Policy, but that would mean having to split related settings across two different GPOs, which I really don't wish to do.
Anybody know what on earth is going on there?
________________________
Prevention is better than cure - fix it before it becomes broken.