locked
how to block inheritance to default policy RRS feed

  • Question

  • i would like to block one user from the default policy,  please assist

    thanks


    Rob Davis
    • Moved by Mike Walsh FIN Friday, February 12, 2010 4:53 PM admin q (From:SharePoint - Development and Programming (pre-SharePoint 2010))
    Friday, February 12, 2010 2:41 PM

Answers

  • Modifying the default GPO is a drag beyond the requirements for all users such as security settings and shouldnt be blocked even for Admins. If IE changes need to be made create two GPOs for the different groups and the IE settings and remove the IE settings in the default GPO after you have applied the new GPOs. You are correct the ie.adm is setup to have one HomePage.. 

    To Create the IE Home Page GPOs

    // Using the Administrative Tools
    Open GPO Managment from administrative tools > right click on your domain > Create a GPO in this domain, and link it here > Name the GPO IE-YourExtension so you know the purpose of the GPO >

    // Edit GPO to include new Home Page
    Right Click on your new GPO and choose Edit > Choose User Configuration > Windows settings > Internet Explorer Maintenance > URLs > Important URLs > Customize Home Page URL > Enter your new Home Page URL > Click OK > Click the X oin the Top Right of the Page and Close the Managment Editor

    // Modify the Scope of how where the GPO is applied
    Click on Group Policy Objects > Click on your new GPO > Chose Scope Add > Enter the Group or Users that should have the GPO applied > Remove the Authenticated Users

    // QA the GPO
    Right Click on GPO Modeling > GPO Modeling Wizard > Next > Choose your Domain, Next > Choose a User on whom the Scope has been applied, Click CheckBox to Skip to the final Page, Next > Next > Finish > Show All > Has the GPO been applied, if yes go to settings >  Show All > you should see the Home Page URL...


    Repeat the above stpes for the other home page, then login as a test user and open IE to see the results...


    Note the above steps are complete when using Windows server 2008 R2 and may varey slightly if deployed on a different OS........


    -Ivan

    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    • Marked as answer by Lu Zou-MSFT Friday, February 19, 2010 5:35 AM
    Thursday, February 18, 2010 7:36 PM

All replies

  • Please provide a little more information... Like what are your default policies how are they configured (what AD Groups are assigned to what SharePoint groups)


    -Ivan
    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Saturday, February 13, 2010 11:45 PM
  • Hi davisr65,

    Have you found the solution for this issue? If not, just as Ivan said please provide more detailed information for us to help you.
    Did you mean "Policy for web application" in the central administration when you mentioned default policy in your last post?


    Lu Zou

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  

    Monday, February 15, 2010 2:13 AM
  • sorry bout the generalities... .. In our organization, in Group Policy Management Console, the Default Group Policy had been edited to force all authenticated users to default to our home page in Internet Explorer...  with this policy change, i am unable to set a secondary default home page... two things i need to do, 1. edit the existing policy to add a second default page for all users, when they open IE,  Which the policy works fine currently  with the one page defaulting....   and 2. block inheritance for systems administrators to recieving the policy


    i did go into the Default policy, and added a second page, and ran gpupdate on my computer , but it didnt take...  the location in GPMC is ...
    Default Domain Policy\User Configuration\Policies\Windows\Internet Explorer Maintenance\URLS\Important URLS\ then in the dialog, i typed in the default web page... i tried a semicolon, then another page following the first. , also tried a comma to separate the default pages..  It only displays the one page.. should i be editing a different location in the GPMC?...


    Rob Davis
    Thursday, February 18, 2010 1:58 PM
  • As you have configured the policy to have a default page and you do not want a group in particular to have the same policy, you can use group policy filter.
    which is nothing but setting Read deny on that particular policy to that group.
    Article below shows this step by step in detail. This should help:
    http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
    I LOVE MS..... Thanks and Regards, Kshitiz (Posting is provided "AS IS" with no warranties, and confers no rights.)
    Thursday, February 18, 2010 2:13 PM
  • Modifying the default GPO is a drag beyond the requirements for all users such as security settings and shouldnt be blocked even for Admins. If IE changes need to be made create two GPOs for the different groups and the IE settings and remove the IE settings in the default GPO after you have applied the new GPOs. You are correct the ie.adm is setup to have one HomePage.. 

    To Create the IE Home Page GPOs

    // Using the Administrative Tools
    Open GPO Managment from administrative tools > right click on your domain > Create a GPO in this domain, and link it here > Name the GPO IE-YourExtension so you know the purpose of the GPO >

    // Edit GPO to include new Home Page
    Right Click on your new GPO and choose Edit > Choose User Configuration > Windows settings > Internet Explorer Maintenance > URLs > Important URLs > Customize Home Page URL > Enter your new Home Page URL > Click OK > Click the X oin the Top Right of the Page and Close the Managment Editor

    // Modify the Scope of how where the GPO is applied
    Click on Group Policy Objects > Click on your new GPO > Chose Scope Add > Enter the Group or Users that should have the GPO applied > Remove the Authenticated Users

    // QA the GPO
    Right Click on GPO Modeling > GPO Modeling Wizard > Next > Choose your Domain, Next > Choose a User on whom the Scope has been applied, Click CheckBox to Skip to the final Page, Next > Next > Finish > Show All > Has the GPO been applied, if yes go to settings >  Show All > you should see the Home Page URL...


    Repeat the above stpes for the other home page, then login as a test user and open IE to see the results...


    Note the above steps are complete when using Windows server 2008 R2 and may varey slightly if deployed on a different OS........


    -Ivan

    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    • Marked as answer by Lu Zou-MSFT Friday, February 19, 2010 5:35 AM
    Thursday, February 18, 2010 7:36 PM