Custom ADM not resetting value

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I made a custom ADM file to turn on a setting in IE6. I imported it into a
test GPO and marked the setting as "enabled". I'm trying to test this on a
machine and the first time the user logs in the setting is "enabled" like it
should be. However if the user disables the setting in IE the GPO never
puts the GPO setting back. Isn't the GPO supposed to reverse the setting to
enabled? I've been unable to get the GPO to change the setting back after
the user changes it. Below is the ADM file.

CLASS USER
CATEGORY !!InternetExplorer
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY !!EnableAuth
EXPLAIN !!EnableAuth_Explain
VALUENAME "EnableNegotiate"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

[strings]
EnableAuth="Enable Integrated Windows Authentication"
EnableAuth_Explain="Turns on Integrated Windows Authentication in IE6 under Advanced Options"
InternetExplorer="Internet Explorer Settings"

Any help is greatly appreciated.

Mike
 
Guest

Mike-
GPO settings of any kind are not refreshed unless the GPO itself has
changed. That is default behavior, which is why you are seeing what you are.
If you want to force Admin Template settings in particular to be refreshed
during every foreground and background interval, you can set a policy that
gets processed by the target machines to do this. Keep in mind that this
adds some overhead to the GPO processing process, since all ADM settings
will be refreshed each time the machine starts up, the user logs on or
during background refresh, which is every 90 minutes +- for workstations and
member servers and every 5 minutes +- on DCs. The policy to enable this is
under:

Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing

Just check the "Process even if the GPO objects have not changed" option.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
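
Added example, not part of the original thread: a small parser for the POLICY block of the ADM posted above, plus a drift check that compares a registry snapshot with the value the GPO is meant to set, which is what you would verify after turning on the "Process even if..." option. The names `parse_adm`, `check` and the snapshot are hypothetical and constructed for illustration; the `preference` flag marks keys outside the Policies registry trees, which Group Policy treats as preferences rather than managed policy.

```python
import re

# Policy part of the ADM from the question ([strings] section left out).
ADM_TEXT = r'''
CLASS USER
CATEGORY !!InternetExplorer
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY !!EnableAuth
EXPLAIN !!EnableAuth_Explain
VALUENAME "EnableNegotiate"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
'''
# Registry trees that Group Policy treats as managed policy locations.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")
# Constructed HKCU snapshot: the user has switched the option off in IE.
SNAPSHOT = {("software\\microsoft\\windows\\currentversion\\internet settings",
             "enablenegotiate"): 0}
LINE = re.compile(r'^[ \t]*(END[ \t]+POLICY|\w+)[ \t]*(.*)$', re.I | re.M)

def parse_adm(text):
    """Return one dict per POLICY block: class, key, value name, on/off data."""
    found, cls, cat_key, cur = [], None, None, None
    for word, arg in LINE.findall(text):
        word, arg = " ".join(word.upper().split()), arg.strip().strip('"')
        if word == "CLASS":
            cls = arg.upper()
        elif word == "KEYNAME" and cur is None:
            cat_key = arg                      # category-level key
        elif word == "POLICY":
            cur = {"class": cls, "key": cat_key, "name": arg}
        elif cur is not None and word in ("KEYNAME", "VALUENAME"):
            cur["key" if word == "KEYNAME" else "value"] = arg
        elif cur is not None and word in ("VALUEON", "VALUEOFF"):
            kind, _, data = arg.partition(" ")  # e.g. "NUMERIC 1"
            cur[word[5:].lower()] = int(data) if kind.upper() == "NUMERIC" else data
        elif word == "END POLICY":
            found.append(cur)
            cur = None
    return found

def check(policy, snapshot, enabled=True):
    """Compare a snapshot {(key, value): data} with what the GPO should set."""
    key, want = policy["key"].lower(), policy["on" if enabled else "off"]
    have = snapshot.get((key, policy["value"].lower()))
    return {"want": want, "have": have, "drifted": have != want,
            "preference": not key.startswith(POLICY_ROOTS)}
```

`check(parse_adm(ADM_TEXT)[0], SNAPSHOT)` reports the setting as drifted and as a preference, matching the behaviour described in the question.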


 
Guest

Thanks Darren. We are only doing this for this one GPO so the impact should
be minimal. Thanks!

Mike