Friday, March 16, 2012

Assigning Trusted sites in IE via group policy preferences

Assigning sites to a user's trusted sites has always been a thorn in my side, mostly because the process for using group policies was such a pain... creating a blank profile, setting it up right, exporting it, blah blah... and to top it all off, assigning a policy prevented the user from adding any more sites to their trusted sites, making the policy settings more of a hindrance than a help.

Group policy preferences greatly enhance this process by 'adding' sites rather than enforcing only your selections. Here's a process I found in a Microsoft forum post:


1. First, create the registry entries manually, as shown below, on a reference machine. I did this on the local machine where I need the keys to be added for all users. NOTE: The reference machine does not need to be where the keys have to be located.

Manual Creation Steps:

a. Launch regedit and go to: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

b. Create a new key called microsoft.com. In the new key, create a REG_DWORD (32-bit) value called * and change the data to 2 (hex).

c. Repeat for any other domains that need to be trusted.

2. Launch Group Policy Management (again, I did this from the machine where I need the keys, but it is not required).

3. Go to your GPO and select Edit.

4. Go to User Preferences / Windows Settings / Registry.

5. Right-click Registry / New / Registry Wizard.

6. Select Local Computer if you are on the computer where you created the registry entries and are running the GPO management GUI. Otherwise, choose Another Computer and select the reference machine from step 1.

7. The wizard will guide you through choosing the required entries; check off all required items. These entries are the ones created in step 1.

Location: hkcu/software/microsoft/windows/currentversion/internet settings/zonemap/domains//


8. Click Finish

9. You can then go back to this GPO preference and select its properties and utilize client side targeting if only certain AD groups need the values.

10. Perform a replication to all DCs, then run gpupdate /force on the machines in question; you will be asked to log out (or reboot) for the preferences to take effect.
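Step 1 scripted for the reference machine, plus a report of the current user's zone mappings that can be run on a client after step 10 to confirm what landed. This is an added example, not part of the original post or the forum thread it cites; the helper names `Add-TrustedDomain` and `Get-ZoneMapEntry` are hypothetical, and microsoft.com is the domain from step 1b.

```powershell
# Added example. The registry .NET API is used instead of New-ItemProperty /
# Get-ItemProperty because the value name '*' can be treated as a wildcard
# by the PowerShell registry provider cmdlets.
$ZoneMap   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Add-TrustedDomain {
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        # Step 1b: key named after the domain, REG_DWORD value '*' with data 2
        $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey("$ZoneMap\$d")
        try { $key.SetValue('*', 2, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    }
}

function Get-ZoneMapEntry {
    # Walks a ZoneMap key recursively so subdomain subkeys (for example a
    # 'www' key under 'microsoft.com') are reported as www.microsoft.com.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name = '')
    foreach ($proto in $Key.GetValueNames()) {
        $zone = [int]$Key.GetValue($proto)
        [pscustomobject]@{
            Domain = $Name; Protocol = $proto; Zone = $zone; ZoneName = $ZoneNames[$zone]
        }
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($sub)
        $full  = if ($Name) { "$sub.$Name" } else { $sub }
        try { Get-ZoneMapEntry -Key $child -Name $full } finally { $child.Close() }
    }
}

# Reference machine: create the entries the Registry Wizard will pick up.
Add-TrustedDomain -Domain 'microsoft.com'

# Any machine: list everything the current user has mapped to Trusted sites.
$root = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($ZoneMap)
if ($root) {
    try {
        Get-ZoneMapEntry -Key $root | Where-Object Zone -eq 2 |
            Sort-Object Domain | Format-Table -AutoSize
    } finally { $root.Close() }
}
```

Because preferences add to the list rather than replace it, the report also shows any domains the user trusted on their own, which is worth reviewing when auditing a machine.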

2 comments:

  1. Is there a way to clear out this list first and then apply it?
    Would that be just doing a "Delete" on the whole key, ordered first in the preference order before adding the sites?
