
Internet Explorer settings and group policies

Status
Not open for further replies.

SBarrie

Technical User
Apr 15, 2002
We use group policies to lock down a lot of the settings on desktop PCs. However, the Internet Explorer security settings from the domain group policy seem not to be applying correctly on the backup domain controller. It also seems that any client authenticated by the backup DC picks up its security settings from that machine. No matter what I change the IE settings on the BDC to, they keep reverting back to what they were - which is not what I set manually, nor what I set in the group policy.

It makes no difference if I reset the security settings to what they should be and reimport into the group policy. I am not too concerned about the client settings on the BDC because no one is logging on to use this as a client. What concerns me is that this DC is applying the wrong settings to the client PCs it authenticates.

This started happening after an upgrade to IE6 SP1. The same version of IE6 is on both DCs. How do I force the BDC to apply the group policy on the PDC?
 
Did you check if those policies you are applying have the No Override option checked?

A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
The policies do have no override. The settings that are applying were never configured in a group policy anyway. However, manually applied settings are still reverting back again. The puzzle is that what I set manually is not retained and what I set in the group policy is not being applied consistently.
 
Since no one has responded here is some more information. I downgraded the browser on the BDC thinking this problem was related to the last IE upgrade, but it is still not properly holding settings or applying these to clients. It did to begin with when I downgraded the browser and then forced a refresh of the group policy on the BDC (using "secedit /refreshpolicy user_policy /enforce"), but later I checked again and the IE security settings had gone back to what was there previously.

What I really need to know is how to clear out whatever it is that holds the IE security group policy settings on the BDC and force it to do a clean rebuild from the PDC.

Another problem I have is that changed machine policies are not updating (user policies are). It seems to be OK if you force a group policy refresh on the PC (using "secedit /refreshpolicy machine_policy /enforce") and then reboot. This does not seem to be a problem with one DC not applying machine policies correctly, just that machine policy updates are not happening automatically.
 
Yes. The server is functioning normally otherwise. The only problem is with the application of group policies.
 
Why don't you check the default domain policies?

A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 
It is the default domain policy and it is set to have no overrides (see previous post).
 
I reset the security settings to default level for all zones apart from the Internet zone (i.e. Local intranet, Trusted sites and Restricted sites zones). Now when I set the correct Internet zone security settings on the BDC and import these into the group policy these settings are now retained.

However, when I then changed the Trusted Sites settings back from the default level these seemed to be retained, but 12 hours later on the BDC I found they had gone back to the original settings from 2 days before (i.e. not the default settings or the customised settings I set yesterday).

There are two questions. Is there some known problem with importing Trusted sites? And why will the BDC not retain the group policy security settings for the Internet zone unless these have been imported into the group policy on the BDC itself?
 