Connecting to users desktop PC without losing IE 6 Trusted Sites

bstillion
Users logon to their PCs while at the office and their IE6 trusted sites are
populated through a WINBATCH script. When the same user logs on from home to
the TS/Citrix server and then RDP's to their desktop, all Trusted Sites get
deleted. When the user returns to the office the next day, he must log on
twice before his trusted sites are restored.
Windows Server 2003 AD, no policies are applying any IE settings (confirmed
by Microsoft Support.) including no "loopback" policy applied to the terminal
servers.

One of my steps to resolve was to apply a list of Trusted Sites to the
default domain policy. My manager suggested moving it since that is not the
best place so I created a separate policy and applied it. Later that night,
the policy erased trusted sites necessary for a critical application so he
deleted the policy.

What can we do to maintain the "Trusted Sites" critical for many
applications for both local PC access and remote RDP access?
--
Brad Stillion
Maine Medical Center
Portland ME
 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sites

bstillion <bstillion@discussions.microsoft.com> wrote:
> Users logon to their PCs while at the office and their IE6 trusted
> sites are populated through a WINBATCH script. When the same user
> logs on from home to the TS/Citrix server and then RDP's to their
> desktop, all Trusted Sites get deleted. When the user returns to the
> office the next day, he must log on twice before his trusted sites
> are restored.


Do you have a separate TS profile & TS home directory path defined for these
users, either in ADUC or via group policy? Don't mix and match profiles - it
can cause problems.

> Windows Server 2003 AD, no policies are applying any IE settings
> (confirmed by Microsoft Support.) including no "loopback" policy
> applied to the terminal servers.


Hmmm; generally one wants GPOs with loopback processing set for TS users.
>
> One of my steps to resolve was to apply a list of Trusted Sites to the
> default domain policy. My manager suggested moving it since that is
> not the best place so I created a separate policy and applied it.


Where?

> Later that night, the policy erased trusted sites necessary for a
> critical application so he deleted the policy.


Who did?
>
> What can we do to maintain the "Trusted Sites" critical for many
> applications for both local PC access and remote RDP access?
 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sit


LANWENCH,

I'll check on the TS Policy and TS home folder. I'm a new employee and there
is no orientation to the place so I'll have to ask someone.

I have approached them about loopback processing so they are open to it.
Nothing is/was in place as they are a Novell shop that is apparently
converting to MS but not everyone is excited about it. Loopback processing
seems like it will work fine for the login to the TS but what will happen
when the user RDPs to his desktop? Users go to a web portal, sign and then
one of the Citrix apps is RDP so they connect through the browser to their
desktop.

The new policy I created (when I removed the settings from the DDP) was
applied to the Citrix Servers OU which includes the two TS's that users log
in to.

The manager deleted the policy so he could repopulate the unique "Trusted
Sites" for different departments.

--
Brad Stillion
Maine Medical Center
Portland ME


 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sit


Lanwench,
There are not TS home directory paths and there are profiles for each
user on the TS (if that constitutes a separate TS Profile since they do have
local PC profiles as well.)
Where can we go to set up a TS only policy?

Thanks.
--
Brad Stillion
Maine Medical Center
Portland ME


 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sit


bstillion <bstillion@discussions.microsoft.com> wrote:
> Lanwench,
> There are not TS home directory paths


Set them. :)

> and there are profiles for each
> user on the TS (if that constitutes a separate TS Profile since they
> do have local PC profiles as well.)


I mean in group policy. This may help:
http://technet.microsoft.com/en-us/library/cc782910.aspx

> Where can we go to set up a TS only policy?


I'm not sure what you mean. What GPOs have you already set up for your TS?
>
> Thanks.
 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sit


So,
the local profiles on the server are OK
but
each user needs a home directory for terminal server sessions that
is different than the home directory they get when logging in locally?
(your last post stated that mixing the profiles was a bad idea.)

> I'm not sure what you mean. What GPOs have you already set up for your TS?


I don't see any GPOs for Terminal Services (or any GPOs in use at all for
that matter. I'm a new employee and am helping with the current problem of
"disappearing entries in 'Trusted Sites'.) I'm trying to get us a plan on
what to do to fix the problem. I'm asking them to alter something that is
working in all other aspects so I need to have solid logic behind what I
suggest. I don't want to "fix this problem and create two more".


--
Brad Stillion
Maine Medical Center
Portland ME


 
Re: Connecting to users desktop PC without losing IE 6 Trusted Sit


bstillion <bstillion@discussions.microsoft.com> wrote:
> So,
> the local profiles on the server are OK


Those are cached profiles. You need to set TS profile paths for the users
via group policy - nothing to do with the cached ones.

> but
> each user needs a home directory for terminal server sessions that
> is different than the home directory they get when logging in
> locally? (your last post stated that mixing the profiles was a bad
> idea.)


You keep saying "locally" but I'm not sure what you mean - that would imply
a local account. They don't have local accounts on the TS boxes, do they?
You do run AD?
>
>> I'm not sure what you mean. What GPOs have you already set up for
>> your TS?

>
> I don't see any GPOs for Terminal Services (or any GPOs in use at all
> for that matter.


Load GPMC on one of your DCs and check it out.

> I'm a new employee and am helping with the current
> problem of "disappearing entries in 'Trusted Sites'.) I'm trying to
> get us a plan on what to do to fix the problem. I'm asking them to
> alter something that is working in all other aspects so I need to
> have solid logic behind what I suggest. I don't want to "fix this
> problem and create two more".


Documenting what you've got now would be a very good start, I think.
 
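One way to start the documenting suggested above, as an added example that is not part of the thread: compare a `reg export` snapshot of the user's IE zone map taken in the office session with one taken after the RDP session, and list the Trusted Sites (zone 2) entries that went missing. It reads IE's per-user `ZoneMap\Domains` key and the policy `ZoneMapKey` list; the host names and snapshots are constructed, and the export text is assumed to be already decoded from the UTF-16 that `reg export` writes.

```python
import re

TRUSTED = 2  # IE zone number for "Trusted sites"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]{8})|"(?P<s>[^"]*)")$')
DOMAINS = r"\internet settings\zonemap\domains" + "\\"   # per-user entries
POLICY = r"\internet settings\zonemapkey"                # Site to Zone Assignment List

def trusted_sites(reg_text):
    """Return {(source, site)} for zone-2 entries in decoded `reg export` text."""
    found, key = set(), ""
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m:
            continue
        low = key.lower()
        if DOMAINS in low and m.group("dw") and int(m.group("dw"), 16) == TRUSTED:
            # Key is ...\Domains\<domain>[\<host>]; the value name is the scheme.
            parts = key[low.index(DOMAINS) + len(DOMAINS):].split("\\")
            found.add(("user", f"{m.group('name')}://{'.'.join(reversed(parts))}"))
        elif "\\policies\\" in low and low.endswith(POLICY) and m.group("s") == "2":
            # Policy list: value name is the site, string data is the zone number.
            found.add(("policy", m.group("name")))
    return found

def lost_entries(before_text, after_text):
    """Entries present in the first snapshot and missing from the second."""
    return sorted(trusted_sites(before_text) - trusted_sites(after_text))

# Constructed snapshots (hypothetical hosts), laid out as `reg export` writes them
PREFIX = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
OFFICE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    PREFIX + r"\example.test\emr]", '"https"=dword:00000002', "",
    PREFIX + r"\lab.example.test]", '"*"=dword:00000002', "",
    PREFIX + r"\intranet.example.test]", '"http"=dword:00000001',  # zone 1, ignored
])
AFTER_RDP = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    PREFIX + r"\intranet.example.test]", '"http"=dword:00000001',
])

if __name__ == "__main__":
    for source, site in lost_entries(OFFICE, AFTER_RDP):
        print(f"missing after RDP session ({source}): {site}")
```

Taking the same snapshot on the terminal server and on the desktop, before and after each logon, shows which session and which source (logon script or policy) each entry depends on.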
