Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Internet Explorer security settings that you set with a Group Policy object are not propagated


View products that this article applies to.

Symptoms

Microsoft Internet Explorer security settings in an organizational unit Group Policy may not be applied to a user whose account is in the organizational unit. This behavior occurs after the user resets the security settings, logs off, and then logs on again.

↑ Back to the top


Cause

This behavior occurs because Internet Explorer security settings in Group Policy that has not changed are not to be applied to a user, even if the user has changed the same security settings in the local browser. If you change the local security settings, the settings in the local registry are overwritten.

↑ Back to the top


Resolution

To resolve this behavior, force the Internet Explorer settings in a Group Policy to always rewrite the appropriate registry keys when the user logs on to the computer:
  1. On a domain controller, open the Active Directory Users and Computers snap-in.
  2. Right-click the domain name, and then click Properties.
  3. Click the Group Policy tab, click the default domain policy, and then click Edit.
  4. Expand Administrative Templates under Computer Configuration in the Tree pane.
  5. Expand System under Administrative Templates, and then click Group Policy.
  6. Click Internet Explorer Maintenance Policy Processing in the Policy pane.
  7. Double-click Internet Explorer Maintenance Policy Processing to open the properties for Internet Explorer Maintenance Policy Processing.
  8. Click Enable on the Policy tab, and then click Process, even if Group Policy objects have not changed.
  9. Click OK to set the policy.
Note It takes approximately 45 minutes for this policy to propagate to all domain controllers and to all users. You can force the update on a user workstation if you type the following command at a command prompt on the user workstation:
secedit/refreshpolicy user_policy/enforce

↑ Back to the top


More information

Each Group Policy is identified by a 32-digit GUID. The default domain policy GUID always starts with "31B," and the default organizational unit policy starts with "6AC." To locate the GUID for any custom policy, right-click the container for the policy, and then click Properties. Click the Group Policy tab, click the policy, and then click Properties. The GUID is displayed on the General tab in the Unique Name box.

Each Group Policy is stored on the computer where it was created. For example, you may create the Group Policy setting in the %SystemRoot%\Sysvol\domain_name\Sysvol\Policies folder, where domain_name is the name of the domain. The folder is named as the GUID for that policy. There is an Adm folder, a machine folder, and a user folder. In the Adm folder, you can locate the Inetres.adm file. This is the file where the Internet Explorer settings are stored. You can open the file by using a text editor such as Notepad.

↑ Back to the top


Properties

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

↑ Back to the top


Keywords: KB316702, kbprb, kbenv

↑ Back to the top

Article Info
Article ID : 316702
Revision : 6
Created on : 3/2/2007
Published on : 3/2/2007
Exists online : False
Views : 463