Internet Explorer security settings that you set with a Group Policy object are not propagated
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
MicrosoftInternet Explorer security settings in an organizational unit Group Policy may not be applied to a user whose account is in the organizational unit. This behavior occurs after the user resets the security settings, logs off, and then logs on again.
This behavior occurs because Internet Explorer security settings in Group Policy that has not changed are not to be applied to a user, even if the user has changed the same security settings in the local browser. If you change the local security settings, the settings in the local registry are overwritten.
To resolve this behavior, force the Internet Explorer settings in a Group Policy to always rewrite the appropriate registry keys when the user logs on to the computer:
- On a domain controller, open the Active Directory Users and Computers snap-in.
- Right-click the domain name, and then click Properties.
- Click the Group Policy tab, click the default domain policy, and then click Edit.
- Expand Administrative Templates under Computer Configuration in the Tree pane.
- Expand System under Administrative Templates, and then click Group Policy.
- Click Internet Explorer Maintenance Policy Processing in the Policy pane.
- Double-click Internet Explorer Maintenance Policy Processing to open the properties for Internet Explorer Maintenance Policy Processing.
- Click Enable on the Policy tab, and then click Process, even if Group Policy objects have not changed.
- Click OK to set the policy.
It takes approximately 45 minutes for this policy to propagate to all domain controllers and to all users. You can force the update on a user workstation if you type the following command at a command prompt on the user workstation:
Each Group Policy is identified by a 32-digit GUID. The default domain policy GUID always starts with "31B," and the default organizational unit policy starts with "6AC." To locate the GUID for any custom policy, right-click the container for the policy, and then click Properties. Click the Group Policy tab, click the policy, and then click Properties. The GUID is displayed on the General tab in the Unique Name box.
Each Group Policy is stored on the computer where it was created. For example, you may create the Group Policy setting in the %SystemRoot%\Sysvol\domain_name\Sysvol\Policies folder, where domain_name is the name of the domain. The folder is named as the GUID for that policy. There is an Adm folder, a machine folder, and a user folder. In the Adm folder, you can locate the Inetres.adm file. This is the file where the Internet Explorer settings are stored. You can open the file by using a text editor such as Notepad.
Article ID: 316702 - Last Review: 06/19/2014 14:21:00 - Revision: 3.0