| Author | Messages | |
laurahcomputing
Posts:43
 | | 07/16/2008 6:57 PM |
| Darren,
On a related note - have you found it to be true that XMLLite can't be
pushed to clients via WSUS? I've been digging around to see if I'm just
missing something obvious, or if I'll need to do a GP deployment of the
XMLLite MSI before I can push out the CSE's out en masse.
- Laura
On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia <darren@sdmsoftware.com>
wrote:
> Gabriele-
>
> You are correct. You need to install the XP and/or 2003 Client Side
> Extension install package(s) for GP Preferences and also a related package
> called XMLLite, that you will find a link to on the CSE's download page.
>
>
>
> And yes, you will need to manage those settings using Vista, SP1 with
> RSAT/GPMC or from a 2008 box with GPMC.
>
>
>
> Darren
>
>
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabriele Scolaro
> *Sent:* Thursday, May 29, 2008 11:36 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Manage IE with GPO
>
>
>
> Darren,
>
>
>
> thank you very much for your follow up.
>
>
>
> I've just heard of Group Policy Preferences… is it possible to install it
> on Win2003 AD Environment where all clients are Windows XP (I've seen
> there's update KB943729 for 2003/XP)?.
>
> I think it's possible as long as I use a Windows Vista with RSAT to manage
> them, am I correct?
>
>
>
> Thanks – Gabriele.
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Darren Mar-Elia
> *Sent:* giovedì 29 maggio 2008 21.43
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Manage IE with GPO
>
>
>
> Gabriele-
>
> I apologize on the delay in response on this. Bottom line—I was wrong about
> Listbox ExplicitValue. Essentially what I was seeing is a unique behavior in
> ADM. What MS did with the Site to Zone Assignment List is that they
> implement a separate Client Side Extension, call IE Zonemapping, that reads
> out of the policy file created by the ADM, and using that to create the
> separate keys under that Domains key. So, it does not look like there is a
> way of doing this in ADM. I tried mucking with an ADM to trick it into using
> that same Client Side Extension but making the change to the regular IE keys
> you have below, but it wasn't fooled J. Bummer.
>
>
>
> Here's another option—if you have Group Policy Preferences installed in
> your environment, you can use the Registry extension to do this!
>
>
>
>
>
> Darren
>
>
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabriele Scolaro
> *Sent:* Tuesday, May 27, 2008 5:27 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Manage IE with GPO
>
>
>
> Ops sorry! I meant doing an ADM under the non-policy key
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains].
>
>
>
> So you're saying that with ListBox/Explicit I would be able to control the
> creation of subkeys and achieve the following, that is "*.
> mycorpdomain1.com", "*.mycorpdomain2.com", "*.mycorpdomain3.com"?
>
>
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains\mycorpdomain1.com]
>
> "*"=dword:00000001
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains\mycorpdomain2.com]
>
> "*"=dword:00000001
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains\mycorpdomain3.com]
>
> "*"=dword:00000001
>
>
>
> Thanks – Gabriele.
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Darren Mar-Elia
> *Sent:* martedì 27 maggio 2008 6.26
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Manage IE with GPO
>
>
>
> Gabriele-
>
> When I tested this on my Vista system I noticed that IE 7 would show a
> message within the Security page that indicated that "some settings were
> controlled by the administrator" when the policy was enabled, even though it
> did not show a change in zone security, which is rather odd. I would say
> test it to ensure that domain.com is truly exhibiting Low security
> behavior, but you are using the correct policies.
>
>
>
> And yes, the locking out of zones is a function of using the Admin.
> Template approach to site to zone assignments. If you use IEM, then users
> can still optionally add their own, but that has its own challenges.
>
>
>
> As for doing a custom ADM, you can certainly do this but if you do it under
> the same reg key as ADM templates, you will still exhibit the locked down
> behavior. If you were doing a custom ADM, you would have to do it outside of
> the policy keys, in the normal IE configuration keys. And, there is a way to
> create a reg key—this is done automatically using ListBox Explicit Part
> types in ADM syntax.
>
>
>
> Darren
>
>
>
>
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Gabriele Scolaro
> *Sent:* Monday, May 26, 2008 6:52 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Manage IE with GPO
>
>
>
> I've always done my best to keep away from managing IE with GPO, but this
> time I have to. L
>
> To make sure some "new" corporate applications work, I've been asked to
> simply add "*.domain.com" suffix to the Intranet Zone and set to the
> security level for that zone to Low.
>
>
>
> In the past I tried to use IEM, but it is a bummer. This time, I've just
> set the following settings in the GPO:
>
> - Computer Configuration\Administrative Templates\Windows
> Components\Internet Explorer\Internet Control Panel\Security Page\Intranet
> Zone Template\Enabled – Low
>
> - Computer Configuration\Administrative Templates\ Windows
> Components\Internet Explorer\Internet Control Panel\Security Page\Site to
> Zone Assignment List\Value Name: *.domain.com, Value:1
>
>
>
> Is this correct? I am asking this because I don't see the zone security
> level reflected in the Tools/Options/Security pane.
>
>
>
> Also I noticed that since the GPO is applied, the user can't edit ANY Zone
> Site definition (e.g. add or remove sites in the Trusted Sites zone).
>
> I thought about creating an ADM to add "*.domain.com" suffix to the
> Intranet Zone, but I see that IE creates a site entry as a _*SUBKEY*_ of
> [HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
> Settings\ZoneMap\Domains], so I can't think of a smart way of doing an ADM.
>
>
>
> As I supposed… I'm lost with GPOing IE! L
>
> Any help would be much appreciated.
>
>
>
> Thanks – Gabriele.
>
>
>
>
>
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server System - Directory Services
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_ (
http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (
http://tinyurl.com/z7svl)
| | | |
| gabriel/tfi
Posts:159
| | 07/16/2008 7:01 PM |
| Aint it possible to create an MSI wrapper that runs a silent update
installation?
(Windows-en-US-KB943729-x86.exe /quiet and
WindowsXP-KB915865-v11-x86-ENU.exe /quite)
Regards Gabriele.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: venerdì 30 maggio 2008 16.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE
with GPO]
Laura-
Good question. Sadly, Im not a WSUS guy so Im not sure of what its capable
of, but the XMLLite package is bundled like a hotfix and in fact there is no
MSI that I see for it. This means using GP to push it might be cumbersome
unless you repackage it. Actually, same holds true for the GP Preferences
CSE installs as well. None of them were packaged in MSI to allow easy
deployment via GP..ironically. I heard a rumor that that may be fixed but as
of yet, Ive not seen it.
Darren
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura E. Hunter
Sent: Friday, May 30, 2008 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with
GPO]
Darren,
On a related note - have you found it to be true that XMLLite can't be
pushed to clients via WSUS? I've been digging around to see if I'm just
missing something obvious, or if I'll need to do a GP deployment of the
XMLLite MSI before I can push out the CSE's out en masse.
- Laura
On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia <darren@sdmsoftware.com>
wrote:
Gabriele-
You are correct. You need to install the XP and/or 2003 Client Side
Extension install package(s) for GP Preferences and also a related package
called XMLLite, that you will find a link to on the CSE's download page.
And yes, you will need to manage those settings using Vista, SP1 with
RSAT/GPMC or from a 2008 box with GPMC.
Darren
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Thursday, May 29, 2008 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Darren,
thank you very much for your follow up.
I've just heard of Group Policy Preferences
is it possible to install it on
Win2003 AD Environment where all clients are Windows XP (I've seen there's
update KB943729 for 2003/XP)?.
I think it's possible as long as I use a Windows Vista with RSAT to manage
them, am I correct?
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: giovedì 29 maggio 2008 21.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Gabriele-
I apologize on the delay in response on this. Bottom lineI was wrong about
Listbox ExplicitValue. Essentially what I was seeing is a unique behavior in
ADM. What MS did with the Site to Zone Assignment List is that they
implement a separate Client Side Extension, call IE Zonemapping, that reads
out of the policy file created by the ADM, and using that to create the
separate keys under that Domains key. So, it does not look like there is a
way of doing this in ADM. I tried mucking with an ADM to trick it into using
that same Client Side Extension but making the change to the regular IE keys
you have below, but it wasn't fooled J. Bummer.
Here's another optionif you have Group Policy Preferences installed in your
environment, you can use the Registry extension to do this!
Darren
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Tuesday, May 27, 2008 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Ops sorry! I meant doing an ADM under the non-policy key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains].
So you're saying that with ListBox/Explicit I would be able to control the
creation of subkeys and achieve the following, that is "*.mycorpdomain1.com
<http://mycorpdomain1.com/> ", "*.mycorpdomain2.com
<http://mycorpdomain2.com/> ", "*.mycorpdomain3.com
<http://mycorpdomain3.com/> "?
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\mycorpdomain1.com <http://mycorpdomain1.com/> ]
"*"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\mycorpdomain2.com <http://mycorpdomain2.com/> ]
"*"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\mycorpdomain3.com <http://mycorpdomain3.com/> ]
"*"=dword:00000001
Thanks Gabriele.
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: martedì 27 maggio 2008 6.26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Gabriele-
When I tested this on my Vista system I noticed that IE 7 would show a
message within the Security page that indicated that "some settings were
controlled by the administrator" when the policy was enabled, even though it
did not show a change in zone security, which is rather odd. I would say
test it to ensure that domain.com <http://domain.com/> is truly exhibiting
Low security behavior, but you are using the correct policies.
And yes, the locking out of zones is a function of using the Admin. Template
approach to site to zone assignments. If you use IEM, then users can still
optionally add their own, but that has its own challenges.
As for doing a custom ADM, you can certainly do this but if you do it under
the same reg key as ADM templates, you will still exhibit the locked down
behavior. If you were doing a custom ADM, you would have to do it outside of
the policy keys, in the normal IE configuration keys. And, there is a way to
create a reg keythis is done automatically using ListBox Explicit Part
types in ADM syntax.
Darren
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Monday, May 26, 2008 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Manage IE with GPO
I've always done my best to keep away from managing IE with GPO, but this
time I have to. L
To make sure some "new" corporate applications work, I've been asked to
simply add "*.domain.com <http://domain.com/> " suffix to the Intranet Zone
and set to the security level for that zone to Low.
In the past I tried to use IEM, but it is a bummer. This time, I've just set
the following settings in the GPO:
- Computer Configuration\Administrative Templates\Windows
Components\Internet Explorer\Internet Control Panel\Security Page\Intranet
Zone Template\Enabled Low
- Computer Configuration\Administrative Templates\ Windows
Components\Internet Explorer\Internet Control Panel\Security Page\Site to
Zone Assignment List\Value Name: *.domain.com <http://domain.com/> , Value:1
Is this correct? I am asking this because I don't see the zone security
level reflected in the Tools/Options/Security pane.
Also I noticed that since the GPO is applied, the user can't edit ANY Zone
Site definition (e.g. add or remove sites in the Trusted Sites zone).
I thought about creating an ADM to add "*.domain.com <http://domain.com/> "
suffix to the Intranet Zone, but I see that IE creates a site entry as a
_SUBKEY_ of
[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains], so I can't think of a smart way of doing an ADM.
As I supposed
I'm lost with GPOing IE! L
Any help would be much appreciated.
Thanks Gabriele.
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server System - Directory Services
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_
(http://tinyurl.com/z7svl)
| | | |
| darren
Posts:168
| | 07/16/2008 7:03 PM |
| Al-
I was referring to this bad boy:
http://www.vinsvision.com/Articles/tabid/66/EntryID/15/Default.aspx
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Sunday, June 01, 2008 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
MSI Wrapper utility? Orca? Or were you thinking of something else that might be easier to use?
On Fri, May 30, 2008 at 4:23 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
Yep. There are a couple of "workarounds" for this. There is the MSI wrapper approach (there's a utility out that that will do that for you). There's also the GP startup script approach—see the following blog post:
http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-using-startup.html
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, May 30, 2008 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Ain't it possible to create an MSI wrapper that runs a silent update installation?
(Windows-en-US-KB943729-x86.exe /quiet and WindowsXP-KB915865-v11-x86-ENU.exe /quite)
Regards – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: venerdì 30 maggio 2008 16.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Laura-
Good question. Sadly, I'm not a WSUS guy so I'm not sure of what its capable of, but the XMLLite package is bundled like a hotfix and in fact there is no MSI that I see for it. This means using GP to push it might be cumbersome unless you repackage it. Actually, same holds true for the GP Preferences CSE installs as well. None of them were packaged in MSI to allow easy deployment via GP..ironically. I heard a rumor that that may be fixed but as of yet, I've not seen it.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura E. Hunter
Sent: Friday, May 30, 2008 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Darren,
On a related note - have you found it to be true that XMLLite can't be pushed to clients via WSUS? I've been digging around to see if I'm just missing something obvious, or if I'll need to do a GP deployment of the XMLLite MSI before I can push out the CSE's out en masse.
- Laura
On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
Gabriele-
You are correct. You need to install the XP and/or 2003 Client Side Extension install package(s) for GP Preferences and also a related package called XMLLite, that you will find a link to on the CSE's download page.
And yes, you will need to manage those settings using Vista, SP1 with RSAT/GPMC or from a 2008 box with GPMC.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Thursday, May 29, 2008 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Darren,
thank you very much for your follow up.
I've just heard of Group Policy Preferences… is it possible to install it on Win2003 AD Environment where all clients are Windows XP (I've seen there's update KB943729 for 2003/XP)?.
I think it's possible as long as I use a Windows Vista with RSAT to manage them, am I correct?
Thanks – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: giovedì 29 maggio 2008 21.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Gabriele-
I apologize on the delay in response on this. Bottom line—I was wrong about Listbox ExplicitValue. Essentially what I was seeing is a unique behavior in ADM. What MS did with the Site to Zone Assignment List is that they implement a separate Client Side Extension, call IE Zonemapping, that reads out of the policy file created by the ADM, and using that to create the separate keys under that Domains key. So, it does not look like there is a way of doing this in ADM. I tried mucking with an ADM to trick it into using that same Client Side Extension but making the change to the regular IE keys you have below, but it wasn't fooled J. Bummer.
Here's another option—if you have Group Policy Preferences installed in your environment, you can use the Registry extension to do this!
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Tuesday, May 27, 2008 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Ops sorry! I meant doing an ADM under the non-policy key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains].
So you're saying that with ListBox/Explicit I would be able to control the creation of subkeys and achieve the following, that is "*.mycorpdomain1.com <http://mycorpdomain1.com/> ", "*.mycorpdomain2.com <http://mycorpdomain2.com/> ", "*.mycorpdomain3.com <http://mycorpdomain3.com/> "?
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mycorpdomain1.com <http://mycorpdomain1.com/> ]
"*"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mycorpdomain2.com <http://mycorpdomain2.com/> ]
"*"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mycorpdomain3.com <http://mycorpdomain3.com/> ]
"*"=dword:00000001
Thanks – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: martedì 27 maggio 2008 6.26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Gabriele-
When I tested this on my Vista system I noticed that IE 7 would show a message within the Security page that indicated that "some settings were controlled by the administrator" when the policy was enabled, even though it did not show a change in zone security, which is rather odd. I would say test it to ensure that domain.com <http://domain.com/> is truly exhibiting Low security behavior, but you are using the correct policies.
And yes, the locking out of zones is a function of using the Admin. Template approach to site to zone assignments. If you use IEM, then users can still optionally add their own, but that has its own challenges.
As for doing a custom ADM, you can certainly do this but if you do it under the same reg key as ADM templates, you will still exhibit the locked down behavior. If you were doing a custom ADM, you would have to do it outside of the policy keys, in the normal IE configuration keys. And, there is a way to create a reg key—this is done automatically using ListBox Explicit Part types in ADM syntax.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Monday, May 26, 2008 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Manage IE with GPO
I've always done my best to keep away from managing IE with GPO, but this time I have to. L
To make sure some "new" corporate applications work, I've been asked to simply add "*.domain.com <http://domain.com/> " suffix to the Intranet Zone and set to the security level for that zone to Low.
In the past I tried to use IEM, but it is a bummer. This time, I've just set the following settings in the GPO:
- Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone Template\Enabled – Low
- Computer Configuration\Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List\Value Name: *.domain.com <http://domain.com/> , Value:1
Is this correct? I am asking this because I don't see the zone security level reflected in the Tools/Options/Security pane.
Also I noticed that since the GPO is applied, the user can't edit ANY Zone Site definition (e.g. add or remove sites in the Trusted Sites zone).
I thought about creating an ADM to add "*.domain.com <http://domain.com/> " suffix to the Intranet Zone, but I see that IE creates a site entry as a _SUBKEY_ of [HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains], so I can't think of a smart way of doing an ADM.
As I supposed… I'm lost with GPOing IE! L
Any help would be much appreciated.
Thanks – Gabriele.
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server System - Directory Services
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
| | | |
| CrawfordS
Posts:46
| | 07/16/2008 7:03 PM |
| I've seen that or other similar solutions in the past, but have always opted for repackaging instead. What are your thoughts on the pros/cons of each. My main concern is that wiww seems like a hack, but if its reliable, it sure would nice.
Are they doing anything special that couldn't be done munally just using Orcas?
-----Original Message-----
From: "Darren Mar-Elia" <darren@sdmsoftware.com>
To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org>
Sent: 6/1/08 10:57 PM
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Al-
I was referring to this bad boy:
http://www.vinsvision.com/Articles/tabid/66/EntryID/15/Default.aspx
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Sunday, June 01, 2008 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
MSI Wrapper utility? Orca? Or were you thinking of something else that might be easier to use?
On Fri, May 30, 2008 at 4:23 PM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
Yep. There are a couple of "workarounds" for this. There is the MSI wrapper approach (there's a utility out that that will do that for you). There's also the GP startup script approach—see the following blog post:
http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-using-startup.html
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Friday, May 30, 2008 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Ain't it possible to create an MSI wrapper that runs a silent update installation?
(Windows-en-US-KB943729-x86.exe /quiet and WindowsXP-KB915865-v11-x86-ENU.exe /quite)
Regards – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: venerdì 30 maggio 2008 16.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Laura-
Good question. Sadly, I'm not a WSUS guy so I'm not sure of what its capable of, but the XMLLite package is bundled like a hotfix and in fact there is no MSI that I see for it. This means using GP to push it might be cumbersome unless you repackage it. Actually, same holds true for the GP Preferences CSE installs as well. None of them were packaged in MSI to allow easy deployment via GP..ironically. I heard a rumor that that may be fixed but as of yet, I've not seen it.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Laura E. Hunter
Sent: Friday, May 30, 2008 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE with GPO]
Darren,
On a related note - have you found it to be true that XMLLite can't be pushed to clients via WSUS? I've been digging around to see if I'm just missing something obvious, or if I'll need to do a GP deployment of the XMLLite MSI before I can push out the CSE's out en masse.
- Laura
On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia <darren@sdmsoftware.com> wrote:
Gabriele-
You are correct. You need to install the XP and/or 2003 Client Side Extension install package(s) for GP Preferences and also a related package called XMLLite, that you will find a link to on the CSE's download page.
And yes, you will need to manage those settings using Vista, SP1 with RSAT/GPMC or from a 2008 box with GPMC.
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Thursday, May 29, 2008 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Darren,
thank you very much for your follow up.
I've just heard of Group Policy Preferences… is it possible to install it on Win2003 AD Environment where all clients are Windows XP (I've seen there's update KB943729 for 2003/XP)?.
I think it's possible as long as I use a Windows Vista with RSAT to manage them, am I correct?
Thanks – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
Sent: giovedì 29 maggio 2008 21.43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Manage IE with GPO
Gabriele-
I apologize on the delay in response on this. Bottom line—I was wrong about Listbox ExplicitValue. Essentially what I was seeing is a unique behavior in ADM. What MS did with the Site to Zone Assignment List is that they implement a separate Client Side Extension, call IE Zonemapping, that reads out of the policy file created by the ADM, and using that to create the separate keys under that Domains key. So, it does not look like there is a way of doing this in ADM. I tried mucking with an ADM to trick it into using that same Client Side Extension but making the change to the regular IE keys you have below, but it wasn't fooled J. Bummer.
Here's another option—if you have Group Policy Preferences installed in your environment, you can use the Registry extension to do this!
Darren
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
Sent: Tuesday, May 27, 2008 5:27
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:159
| | 07/16/2008 7:12 PM |
| I've used the tool Darren cited since a while and never had problems, I recall I used that tool also to distributed IE6 with IEAK via GPO because motherMS did not release any MSI for IE! (Don't know about IE7 as I used WSUS to deploy it).
If you browse the MSI wrapper tables with ORCA (or other tool), you will see that there's nothing magic created by WIWW, it's just quicker.
Regards - Gabriele
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Crawford, Scott
> Sent: lunedì 2 giugno 2008 7.29
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
> I've seen that or other similar solutions in the past, but have always
> opted for repackaging instead. What are your thoughts on the pros/cons
> of each. My main concern is that wiww seems like a hack, but if its
> reliable, it sure would nice.
>
> Are they doing anything special that couldn't be done munally just
> using Orcas?
>
> -----Original Message-----
> From: "Darren Mar-Elia" <darren@sdmsoftware.com>
> To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org>
> Sent: 6/1/08 10:57 PM
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
> Al-
>
> I was referring to this bad boy:
>
>
>
> http://www.vinsvision.com/Articles/tabid/66/EntryID/15/Default.aspx
>
>
>
> Darren
>
>
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Al Mulnick
> Sent: Sunday, June 01, 2008 1:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
>
>
> MSI Wrapper utility? Orca? Or were you thinking of something else
> that might be easier to use?
>
> On Fri, May 30, 2008 at 4:23 PM, Darren Mar-Elia
> <darren@sdmsoftware.com> wrote:
>
> Yep. There are a couple of "workarounds" for this. There is the MSI
> wrapper approach (there's a utility out that that will do that for
> you). There's also the GP startup script approach—see the following
> blog post:
>
>
>
> http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-using-
> startup.html
>
>
>
>
>
> Darren
>
>
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Friday, May 30, 2008 1:11 PM
>
>
> To: ActiveDir@mail.activedir.org
>
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
>
>
> Ain't it possible to create an MSI wrapper that runs a silent update
> installation?
>
> (Windows-en-US-KB943729-x86.exe /quiet and WindowsXP-KB915865-v11-
> x86-ENU.exe /quite)
>
>
>
> Regards – Gabriele.
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: venerdì 30 maggio 2008 16.43
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
>
>
> Laura-
>
> Good question. Sadly, I'm not a WSUS guy so I'm not sure of what its
> capable of, but the XMLLite package is bundled like a hotfix and in
> fact there is no MSI that I see for it. This means using GP to push it
> might be cumbersome unless you repackage it. Actually, same holds true
> for the GP Preferences CSE installs as well. None of them were packaged
> in MSI to allow easy deployment via GP..ironically. I heard a rumor
> that that may be fixed but as of yet, I've not seen it.
>
>
>
> Darren
>
>
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> Sent: Friday, May 30, 2008 7:32 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage IE
> with GPO]
>
>
>
> Darren,
>
>
>
> On a related note - have you found it to be true that XMLLite can't be
> pushed to clients via WSUS? I've been digging around to see if I'm
> just missing something obvious, or if I'll need to do a GP deployment
> of the XMLLite MSI before I can push out the CSE's out en masse.
>
>
>
> - Laura
>
> On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia
> <darren@sdmsoftware.com> wrote:
>
> Gabriele-
>
> You are correct. You need to install the XP and/or 2003 Client Side
> Extension install package(s) for GP Preferences and also a related
> package called XMLLite, that you will find a link to on the CSE's
> download page.
>
>
>
> And yes, you will need to manage those settings using Vista, SP1 with
> RSAT/GPMC or from a 2008 box with GPMC.
>
>
>
> Darren
>
>
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Thursday, May 29, 2008 11:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Manage IE with GPO
>
>
>
> Darren,
>
>
>
> thank you very much for your follow up.
>
>
>
> I've just heard of Group Policy Preferences… is it possible to install
> it on Win2003 AD Environment where all clients are Windows XP (I've
> seen there's update KB943729 for 2003/XP)?.
>
> I think it's possible as long as I use a Windows Vista with RSAT to
> manage them, am I correct?
>
>
>
> Thanks – Gabriele.
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> Sent: giovedì 29 maggio 2008 21.43
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Manage IE with GPO
>
>
>
> Gabriele-
>
> I apologize on the delay in response on this. Bottom line—I was wrong
> about Listbox ExplicitValue. Essentially what I was seeing is a unique
> behavior in ADM. What MS did with the Site to Zone Assignment List is
> that they implement a separate Client Side Extension, call IE
> Zonemapping, that reads out of the policy file created by the ADM, and
> using that to create the separate keys under that Domains key. So, it
> does not look like there is a way of doing this in ADM. I tried mucking
> with an ADM to trick it into using that same Client Side Extension but
> making the change to the regular IE keys you have below, but it wasn't
> fooled J. Bummer.
>
>
>
> Here's another option—if you have Group Policy Preferences installed in
> your environment, you can use the Registry extension to do this!
>
>
>
>
>
> Darren
>
>
>
>
>
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Tuesday, May 27, 2008 5:27
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:159
| | 07/16/2008 7:20 PM |
| Dan thanks for your inputs.
When I said "...because even if you put a InstalledYes/No check..." I exactly meant the case 1) you explained, the script is anyway executed at startup but it exits if a certain condition is met (Installed=True).
Even though all your points are valid, I personally do prefer MSI wrapping simply because I wanna have a single GPO approach for SWDist (that is "Computer Configuration\Software Settings\Software Installation" node for any installation package).
Following your case 2) it would be also needed for each non-MSI app (=scripted installation) to ACL GPO_DeployThisApp security group to allow itself to change its membership (assuming the script is runned in the machine account context, correct me if I am wrong).
To the end I would have some installations that are done with (native) MSI + SWDistGPO and some other installations that are done with scripts + startup-scriptsGPO that requires secuirity group ACL change to enable the "Self-filtering" feature.
Well, for my experience mixing and matching is not good and I am really a paranoid of the no-exception principle! :-)
Thus I prefer to stay with MSINative+SWDistGPO and MSIWrapper(+Script)+SWDistGPO.
Just a personal view point.
Regards - Gabriele.
PS= I've just re-read my script, but I am not sure I was able to properly explain my idea! :-(
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Dan Holme
> Sent: martedì 3 giugno 2008 3.42
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
> ... a "pure" scripted installation via GPO startup script ... is
> executed at each startup.
> Not if you do it correctly.
>
> You are correct that one should avoid having such a startup script-
> based deployment run at each startup. Absolutely.
>
> Two ways to achieve it:
>
> 1) The script checks for a "flag" as the first task of the script (some
> marker that indicates the software was already successfully installed)
> Or
> 2) Self-filtering GPOs. The basic idea here is that you have a group
> (e.g. GPO_DeployThisApp) that is used to filter the application of a
> GPO which executes the 'scripted installation.' As the last step of
> the script, the computer removes itself from the group, ensuring the
> GPO is never again applied. For details, see my articles on Windows IT
> Pro magazine or the Windows Administration Resource Kit.
>
> <two cents>
>
> I completely agree that repackaging and 'wrapping' is not my
> recommendation. If an MSI is not provided, I prefer a scripted
> installation (with a startup script) so that I'm in full compliance
> with the vendor's automated installation guidance. I've got it down to
> such an art that I can deploy a new non-MSI app (say, Office 2007) in
> seconds... much easier than repackaging.
>
> Because (as you mention) you lose so much MSI functionality by
> 'wrapping', I don't really see the point in doing so.
>
> </two cents>
>
> Dan
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> Sent: Monday, June 02, 2008 3:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> Manage IE with GPO]
>
> Darren, although an MSI wrapper is just a "dirty trick" to allow
> deployment via GPO, I do not totally agree that repackaging is a better
> solution, I mean it's not _always_ better.
>
> There are some cases where repackaging is explicitly not supported by
> the vendor (e.g. SAP GUI, they have a tech note about that) and so it's
> preferably to create an MSI wrapper that just run a "supported"
> scripted installation (and uninstallation as well, of course).
> Also it would not be a good idea to repackage OS components such as IE
> or hot-fixes because you may experience bad problems with the WFP
> feature.
>
> Of course with MSI-wrappers you say "bye bye" to many MSI (Windows
> Installer) features such as transforms or auto-repair, but also
> repackaging has its own big challenges - some time ago I experienced
> Admin Studio a bit, nice tool, but each time I repackaged a software I
> had a bad sense of uncertainty, I was never sure my repacked MSI had
> all the installation logic originally intended by the developer such as
> version and dependency checking of existing components, etc...
>
> So my idea is that if I use a very raw deployment tool like GPO SWDist
> (that means the target is a small shop), it's not worth to get mad with
> complex repackaging, I prefer to go with MSI wrapper (=supported
> scripted installation) for those "lousy" vendors (Ops! Developers,
> forgive me for that adjective!!!) who make programs for Windows BUT do
> not release them with native MSI.
> Fortunately today the majority of "Well-Known" Enterprise applications
> are shipped with native MSI package (uh! Isscript.msi is another bad
> story for GPO SWDist!).
> Also a "pure" scripted installation via GPO startup script - like the
> link you posted - is not something that I like that much, because even
> if you put a InstalledYes/No check, the script is executed anyway at
> each startup.
>
> Regards - Gabriele.
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > Sent: lunedì 2 giugno 2008 15.37
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> > Scott-
> > No, I don't think it is doing anything that you couldn't do with Orca
> -
> > -just making it simpler. I agree with you that, if you have the time
> > and skillset, repackaging is probably a better solution. This is more
> > just a quick and dirty way to get some setups to work in an MSI
> world.
> >
> > Darren
> >
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Crawford, Scott
> > Sent: Sunday, June 01, 2008 10:29 PM
> > To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> > I've seen that or other similar solutions in the past, but have
> always
> > opted for repackaging instead. What are your thoughts on the
> pros/cons
> > of each. My main concern is that wiww seems like a hack, but if its
> > reliable, it sure would nice.
> >
> > Are they doing anything special that couldn't be done munally just
> > using Orcas?
> >
> > -----Original Message-----
> > From: "Darren Mar-Elia" <darren@sdmsoftware.com>
> > To: "ActiveDir@mail.activedir.org" <ActiveDir@mail.activedir.org>
> > Sent: 6/1/08 10:57 PM
> > Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> > Al-
> >
> > I was referring to this bad boy:
> >
> >
> >
> > http://www.vinsvision.com/Articles/tabid/66/EntryID/15/Default.aspx
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Al Mulnick
> > Sent: Sunday, June 01, 2008 1:48 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> >
> >
> > MSI Wrapper utility? Orca? Or were you thinking of something else
> > that might be easier to use?
> >
> > On Fri, May 30, 2008 at 4:23 PM, Darren Mar-Elia
> > <darren@sdmsoftware.com> wrote:
> >
> > Yep. There are a couple of "workarounds" for this. There is the MSI
> > wrapper approach (there's a utility out that that will do that for
> > you). There's also the GP startup script approach—see the following
> > blog post:
> >
> >
> >
> > http://heidelbergit.blogspot.com/2008/03/how-to-install-gpp-cses-
> using-
> > startup.html
> >
> >
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > Sent: Friday, May 30, 2008 1:11 PM
> >
> >
> > To: ActiveDir@mail.activedir.org
> >
> > Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> >
> >
> > Ain't it possible to create an MSI wrapper that runs a silent update
> > installation?
> >
> > (Windows-en-US-KB943729-x86.exe /quiet and WindowsXP-KB915865-v11-
> > x86-ENU.exe /quite)
> >
> >
> >
> > Regards – Gabriele.
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > Sent: venerdì 30 maggio 2008 16.43
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS:
> > Manage IE with GPO]
> >
> >
> >
> > Laura-
> >
> > Good question. Sadly, I'm not a WSUS guy so I'm not sure of what its
> > capable of, but the XMLLite package is bundled like a hotfix and in
> > fact there is no MSI that I see for it. This means using GP to push
> it
> > might be cumbersome unless you repackage it. Actually, same holds
> true
> > for the GP Preferences CSE installs as well. None of them were
> packaged
> > in MSI to allow easy deployment via GP..ironically. I heard a rumor
> > that that may be fixed but as of yet, I've not seen it.
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> > Sent: Friday, May 30, 2008 7:32 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] [Slightly OT:] Deploying GPP CSE's [WAS: Manage
> IE
> > with GPO]
> >
> >
> >
> > Darren,
> >
> >
> >
> > On a related note - have you found it to be true that XMLLite can't
> be
> > pushed to clients via WSUS? I've been digging around to see if I'm
> > just missing something obvious, or if I'll need to do a GP deployment
> > of the XMLLite MSI before I can push out the CSE's out en masse.
> >
> >
> >
> > - Laura
> >
> > On Fri, May 30, 2008 at 10:08 AM, Darren Mar-Elia
> > <darren@sdmsoftware.com> wrote:
> >
> > Gabriele-
> >
> > You are correct. You need to install the XP and/or 2003 Client Side
> > Extension install package(s) for GP Preferences and also a related
> > package called XMLLite, that you will find a link to on the CSE's
> > download page.
> >
> >
> >
> > And yes, you will need to manage those settings using Vista, SP1 with
> > RSAT/GPMC or from a 2008 box with GPMC.
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > Sent: Thursday, May 29, 2008 11:36 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Manage IE with GPO
> >
> >
> >
> > Darren,
> >
> >
> >
> > thank you very much for your follow up.
> >
> >
> >
> > I've just heard of Group Policy Preferences… is it possible to
> install
> > it on Win2003 AD Environment where all clients are Windows XP (I've
> > seen there's update KB943729 for 2003/XP)?.
> >
> > I think it's possible as long as I use a Windows Vista with RSAT to
> > manage them, am I correct?
> >
> >
> >
> > Thanks – Gabriele.
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Darren Mar-Elia
> > Sent: giovedì 29 maggio 2008 21.43
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Manage IE with GPO
> >
> >
> >
> > Gabriele-
> >
> > I apologize on the delay in response on this. Bottom line—I was wrong
> > about Listbox ExplicitValue. Essentially what I was seeing is a
> unique
> > behavior in ADM. What MS did with the Site to Zone Assignment List is
> > that they implement a separate Client Side Extension, call IE
> > Zonemapping, that reads out of the policy file created by the ADM,
> and
> > using that to create the separate keys under that Domains key. So, it
> > does not look like there is a way of doing this in ADM. I tried
> mucking
> > with an ADM to trick it into using that same Client Side Extension
> but
> > making the change to the regular IE keys you have below, but it
> wasn't
> > fooled J. Bummer.
> >
> >
> >
> > Here's another option—if you have Group Policy Preferences installed
> in
> > your environment, you can use the Registry extension to do this!
> >
> >
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-
> > owner@mail.activedir.org] On Behalf Of Gabriele Scolaro
> > Sent: Tuesday, May 27, 2008 5:27
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
> .+-�w��i��0��-
> �����+���֬����@B�m�������+�v*��ˊ�E������֫r��z�m�������+�v*���k�^}����)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
|
|