It's a problem I come across most often: you change something in your Internet Explorer Group Policy Object and suddenly a dozen or so users are getting the information bar or popups informing them they are switching to HTTPS connections. Anyone who has worked with Group Policy will tell you to tread lightly when making IE-related settings changes in Group Policy.
And in part they would be right. The thing about Group Policy changes is that you really have to test and find the side effects of a change, but more often than not most administrators tend to make the changes to the live GPO.
This then creates a problem: it's more than likely that there will be more than one GPO administrator, and it's even true to say that most people do not document Group Policy changes via a change log or some form of official change process. When making changes to a live GPO it's always important to either:
- Back up the existing GPO to a shared location where it can be restored easily by another administrator if need be.
- Document and inform all GPO administrators of what change you are making.
This is general best-practice advice when making GPO changes. If you are a Microsoft SA customer you may be able to avail of AGPM, which is free to Microsoft SA customers as part of the Microsoft Desktop Optimisation Pack (MDOP) or the Vista Desktop Optimisation Pack. Another product to look at is Quest Group Policy Manager. Both products give the ability to view audit history, version-control changes with approvals and revert to previous policies in seconds.
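As an added example (not from the original post), the following PowerShell function does both of the steps above before a live GPO is touched: it backs the GPO up to a share, saves a settings report beside the backup and appends a line to a shared change log. The GPO name, the share path and the availability of the GroupPolicy module (RSAT or a domain controller) are assumptions.

```powershell
# Added example, not the original post's code. Assumes the GroupPolicy module
# (RSAT / Windows Server) is installed and the caller can write to the share.
Import-Module GroupPolicy

function Backup-GpoBeforeChange {
    param(
        [Parameter(Mandatory)] [string] $GpoName,          # e.g. 'Global_IEProxy' (placeholder)
        [Parameter(Mandatory)] [string] $BackupShare,      # e.g. '\\fileserver\GPOBackups' (placeholder)
        [Parameter(Mandatory)] [string] $ChangeDescription # what you are about to change and why
    )

    # Fail early if the GPO does not exist rather than backing up nothing.
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $who   = "$env:USERDOMAIN\$env:USERNAME"

    # Backup-GPO writes a GUID-named folder under $BackupShare and returns a
    # GpoBackup object; its Id is what Restore-GPO -BackupId needs later.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupShare -Comment "$stamp $who : $ChangeDescription"

    # Human-readable HTML report of the settings as they were, so another
    # administrator can review the old state without restoring it first.
    $safeName   = $GpoName -replace '[\\/:*?"<>| ]', '_'
    $reportPath = Join-Path $BackupShare ("{0}_{1}.html" -f $safeName, $stamp)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath

    # One tab-separated line per change: when, who, which GPO, backup id, why.
    $logLine = "{0}`t{1}`t{2}`t{3}`t{4}" -f $stamp, $who, $GpoName, $backup.Id, $ChangeDescription
    Add-Content -Path (Join-Path $BackupShare 'GPO-ChangeLog.tsv') -Value $logLine

    return $backup
}

# Usage before editing, e.g. adding a proxy exception:
# $b = Backup-GpoBeforeChange -GpoName 'Global_IEProxy' -BackupShare '\\fileserver\GPOBackups' `
#        -ChangeDescription 'Add hrweb.localdomain.local to proxy exceptions'
# Roll back with the recorded backup id if the change misbehaves:
# Restore-GPO -Name 'Global_IEProxy' -Path '\\fileserver\GPOBackups' -BackupId $b.Id
```

The change-log file lives on the same share as the backups, so whoever picks up the helpdesk calls can match a complaint to the last change and its backup id.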
Internet Explorer GPO Best Practice
By: Michael O’Brien
Name it correctly
One of my pet hates when it comes to Group Policy is policy names; I believe in structured naming and not “Copy of Joes Policy” etc.
I recommend naming GPOs in this format:
Scope_Function (Scope: Global – affects everyone | Specific – affects OU / Group)
If I get calls in saying that everyone is getting a username and password prompt for SharePoint, I'll know then it's a Global policy. But if I get calls in to say that HR or Marketing are getting the information bar when running an ActiveX-based website, I know it's then specific to those users.
Keep your Policies Separate
Another general GP suggestion is to separate out what your GPOs are doing. Just because you can put computer and user settings into a GPO doesn't mean you should have one global GPO setting everything for your users and computers; if you get any form of corruption, be it GPT or general file system corruption, you want to minimise the impact of any such issues on your users. If you need to do logon scripts, folder redirection and computer settings, then do 3 separate GPOs, turning off the User or Computer side depending on the policy you create.
Avoid importing Security zones & content ratings
It might seem like a good idea at first, but importing these settings has repercussions later on when you go to edit them again: you might not be editing them on the same computer as you did previously.
Use DNS, not IP addresses
This is a very simple rule I have: use DNS, don't start putting IP addresses in your proxy exceptions, it only causes more problems. If the server can be reached via an intranet DNS zone (FQDN) then set up that exception. If you're running an internal web server, get a CNAME record created for it, e.g. hrweb.localdomain.local. Instead of giving the users http://22.214.171.124 give them http://hrweb.localdomain.local; they are more than likely going to remember the name before the IP address, and this may reduce calls about user X, Y or Z being unable to access intranet sites because of mistyped IP addresses or servers changing IP.
Define your Intranet DNS Zones
Another one of my simple rules: set up your zone map for the Intranet zone. If you're hitting your SharePoint URL and getting prompted for a password, and you notice that IE thinks you're on the Internet zone, then it's time to define those zones. Intranet zone settings are more relaxed; by defining the sites or DNS zones that are safe, you allow your users' web browser to enable scripting etc. for them.
Set your proxy settings up high
If you use a proxy to get onto the internet, set it at the root level of your domain so that its scope covers all of your users. Don't set it down low at OU level, because if you ever untick the proxy your users may not get internet (covering this in a later blog post).