Windows Server 2000/2003 Thread, At My Wits' End: Shortcuts no longer trusted by workstations? in Technical; If anyone can fix this I may divorce my wife to marry them if requested. It has all of us ...
  1. #1

    sonofsanta's Avatar

    At My Wits' End: Shortcuts no longer trusted by workstations?

    If anyone can fix this I may divorce my wife to marry them if requested. It has all of us stumped.

    When we came back after the Xmas holidays, some users started seeing errors when they opened shortcuts from the desktop or start menu, as attached:
    homedir error.PNG
    when attempting to open My Documents

    webmail error.PNG
    When opening a shortcut

    run error.PNG
    When opening a shortcut to an EXE

    (note that I've redacted our internal network name, but it displays correctly IRL)

    All of these shortcuts are from a single DFS network share that users are redirected to via GPO. Students share one set of desktop/start menu shortcuts, staff share another set. Both kinds of users are affected.

    It doesn't affect the My Computer and Recycle Bin shortcuts that are put in place by the local client.

    It doesn't affect shortcuts to URLs, so the desktop shortcut to our helpdesk system, for example, opens fine. So it only seems to be .lnk files, not .url.

    Weirdly, it's not affecting PDFs linked on the desktop.

    Other potential clues: when users log off now there is nearly always some kind of error copying the roaming profile back across. When resetting a roaming profile, after the user has first logged back on to recreate the profile, not all files will copy across to the network.

    Nothing changed over Xmas apart from some Windows Updates, but computers that had been in storage since before the holiday also displayed the problem.

    We were running DFS replication until recently, and I suspect the blame for all this can be laid at its door. DFSR is now disabled entirely, and both fileservers have recently been reformatted, reinstalled, redone afresh, and the problem still exists.

    Win2k3 R2, WinXP SP3.

    Even with full control set on the permissions to SYSTEM, Administrators & the relevant user group, the problem continues.

    You're my last hope, EduGeekers. Anyone?

  2. #2

    3s-gtech's Avatar
    Internet Explorer. Trusted Sites. Your users have lovely, lovely IE settings to thank for this. Basically, they're not seeing the areas where these links point to as trusted. Should automatically be trusted, but it can slip (used to have this on an old DC). You should be able to force it by changing their IE settings (Internet Explorer Maintenance in GP). Set the areas linked to (file server, DFS share) as Trusted Sites, making sure the definition for trusted fits. Should disappear then. This is a bit of a fudge in all honesty, but that shouldn't cause issues - there may be an underlying cause elsewhere.

  3. Thanks to 3s-gtech from:

    sonofsanta (11th March 2011)

  4. #3

    sonofsanta's Avatar
    Quote Originally Posted by 3s-gtech View Post
    Internet Explorer. Trusted Sites. Your users have lovely, lovely IE settings to thank for this. Basically, they're not seeing the areas where these links point to as trusted. Should automatically be trusted, but it can slip (used to have this on an old DC). You should be able to force it by changing their IE settings (Internet Explorer Maintenance in GP). Set the areas linked to (file server, DFS share) as Trusted Sites, making sure the definition for trusted fits. Should disappear then. This is a bit of a fudge in all honesty, but that shouldn't cause issues - there may be an underlying cause elsewhere.
    Might be worth a go anyway as it's something I need to tidy up for other reasons anyway, but I should add:
    * Problem doesn't seem to affect all users, but seems to affect anyone who has their profile reset
    * Problem doesn't affect me with my extra god-like administrative powers and privileges
    * Early on, at least, it didn't affect people all the time, even on the same PC - so someone could log on a PC, get the errors, log off, log on again and be fine. Which was madness.

    So a pattern has escaped all investigation so far

  5. #4

    3s-gtech's Avatar
    DNS scavenging working okay?

  6. #5

    sonofsanta's Avatar
    Quote Originally Posted by 3s-gtech View Post
    DNS scavenging working okay?
    Event Viewer says so, just run it now and it sez:
    The DNS server has completed a scavenging cycle:
    Visited Zones = 17,
    Visited Nodes = 1037,
    Scavenged Nodes = 16,
    Scavenged Records = 6.

    This cycle took 1 seconds.
    Which looks like it should

  7. #6

    There is a way of forcing your local domain name into the intranet zone, which really helps with this. I used a script to import a .reg file onto all machines on startup with the following:
    Code:

    Windows Registry Editor Version 5.00

    ; "*" = any protocol; dword 1 = Local intranet zone
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myadnamehere.local]
    "*"=dword:00000001

    Obviously replace myadnamehere.local with your AD name.

  8. Thanks to SkreeM1980 from:

    sonofsanta (11th March 2011)

  9. #7

    It definitely looks like trusted zones - we have something similar to that suggested by @SkreeM1980 in our login script (we also add the home directory server as a trusted location and this makes sure that desktop and quick launch icons are trusted)

  10. Thanks to srochford from:

    sonofsanta (11th March 2011)

  11. #8

    sonofsanta's Avatar
    There's something weirder going on here then, because that key already exists on the PC I'm testing on... as do all the zone mappings I put in the IEAK8 MSI I built yesterday to test... but when I open up IE and actually look at the trusted sites etc., it's pulling them from somewhere else as it has a completely different list. It doesn't let me remove anything either - although the list looks editable (for domain admin only*), and looks like it lets you add/remove sites, when you click OK out the list and go back in, it's reverted to its original state.

    This has me even more confused, because I know the only GPO that sets them (Under User Config > Admin Templates > Win Components > IE > Internet Control Panel > Security Page > Site to Zone Assignment List). That list doesn't look like the one I'm actually seeing under IE.

    *Literally just the named domain admin account - my account, with same membership, in same OU etc. has the site list greyed out

    EDIT: Zone assignments are not currently set by registry either, checking any other computer (that hasn't had this new branding MSI run on it) there's no entry for domains at that location. What else could be setting this if not GPO?
    Last edited by sonofsanta; 10th March 2011 at 08:45 AM.
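
    One way to answer the question raised in the post above (where the displayed zone list is coming from) is to dump every registry location that can feed IE's site-to-zone map and compare them side by side. This is an added example, not code from the thread; it assumes PowerShell is installed on the client and is run as the affected user, and the helper names `Get-ZoneLabel` and `New-Row` are made up for illustration.

```powershell
# Added example: dump every registry source that can feed IE's site-to-zone map.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$base  = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = "HKCU:\Software\Policies\$base", "HKLM:\SOFTWARE\Policies\$base",
         "HKCU:\Software\$base",          "HKLM:\SOFTWARE\$base"

function Get-ZoneLabel($value) {
    # Policy data is stored as a string ("2"), ZoneMap data as a DWORD (2).
    $n = 0
    if ([int]::TryParse("$value", [ref]$n) -and $zoneNames.ContainsKey($n)) {
        return $zoneNames[$n]
    }
    return "unknown ($value)"
}

function New-Row($source, $entry, $scheme, $value) {
    New-Object PSObject -Property @{
        Source = $source; Entry = $entry; Scheme = $scheme; Zone = (Get-ZoneLabel $value)
    }
}

$rows = foreach ($root in $roots) {
    # "Site to Zone Assignment List" policy: value name = site, data = zone number.
    $policy = Get-Item -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($policy) {
        foreach ($site in $policy.GetValueNames()) {
            New-Row "$root\ZoneMapKey" $site '' ($policy.GetValue($site))
        }
    }
    # Domains = normal map, EscDomains = map used under IE Enhanced Security Configuration.
    foreach ($sub in 'Domains', 'EscDomains') {
        $path = "$root\ZoneMap\$sub"
        if (-not (Test-Path $path)) { continue }
        foreach ($key in (Get-ChildItem -Path $path -Recurse)) {
            $at    = $key.Name.IndexOf('\ZoneMap\', [StringComparison]::OrdinalIgnoreCase)
            $entry = $key.Name.Substring($at + 9)   # e.g. Domains\example.local\fs1
            foreach ($scheme in $key.GetValueNames()) {
                New-Row $root $entry $scheme ($key.GetValue($scheme))
            }
        }
    }
}

# When set to 1, IE ignores the per-user (HKCU) zone settings entirely.
$hklmOnly = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\$base" -ErrorAction SilentlyContinue).Security_HKLM_only
"Security_HKLM_only = $hklmOnly"
$rows | Sort-Object Entry | Format-Table Source, Entry, Scheme, Zone -AutoSize
```

    Entries whose Source is under a `Policies` path were written by Group Policy; entries under the plain `Software` paths came from a script, an installer or the user.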

  12. #9

    3s-gtech's Avatar
    Do you have Imported Internet Settings overriding it? User Config/Windows Settings/Internet Explorer Maintenance/Security/Security Zones and Content Ratings ? That's how I have mine set, may override the others.

  13. #10

    sonofsanta's Avatar
    Quote Originally Posted by 3s-gtech View Post
    Do you have Imported Internet Settings overriding it? User Config/Windows Settings/Internet Explorer Maintenance/Security/Security Zones and Content Ratings ? That's how I have mine set, may override the others.
    RSOP says no, and I've manually checked every GPO in the list, and nothing sets it in that way - and if you try and set it that way, Windows has a bit of a whinge about Server 2k3 and the enhanced security etc. etc. which makes it look like a bad idea.

    I genuinely have no idea where this trusted sites list is coming from :/

  14. #11

    Hi

    A simple test. Can you create a new OU and block inheritance of all GPOs. Add a PC, fresh install to that OU. Create a new test account and logon.

    What are the results?

  15. #12

    Hi

    If the Site to zone assignment list policy is enabled, the users cannot see the setting and cannot manage their site to zone assignments via the IE User interface.

    If we want to push a standardised list of site to zone assignments but want the user to still be able to manage their own site zones, we should use Internet Explorer Maintenance policy instead and import the security settings from a machine that has been configured with the required zone settings.

    User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Security -> Security Zones and Content Ratings -> Import the current security zones and privacy settings -> Add the sites to trusted zone.

    For 2003 R2 clients, IE Enhanced Security Configuration feature is enabled by default and a KB was published for this scenario:

    There is a KB about Site to Zone Assignment List issue:

    918915 The Site to Zone Assignment List policy prevents Internet Explorer from using other zone configuration settings when the Internet Explorer Enhanced Security Configuration feature is enabled on a Windows Server 2003 SP1-based computer

    Regards
    Sukh

  16. #13

    sonofsanta's Avatar
    Hi Sukh,

    Given that no-one can modify the list then - domain admin is the only one with even the appearance of control, even though it's not true - it seems a lot like the GPO doing it then. I can't see anywhere that would have the list set through IE Maintenance.

    I'll try the new OU malarkey this morning and update again when I know what's happening. Cheers!

  17. #14

    sonofsanta's Avatar
    Quote Originally Posted by sukh View Post
    Hi

    A simple test. Can you create a new OU and block inheritance of all GPOs. Add a PC, fresh install to that OU. Create a new test account and logon.

    What are the results?
    Brand new OU, completely outside our normal structure, with inheritance blocked, so even default domain policy shouldn't apply.

    Computer reimaged entirely, updates run. Joined to domain and dropped in this new OU, where it gets no settings whatsoever.

    New test account also dropped in OU. One GPO linked, to redirect start menu & desktop to copy of relevant locations. Confirmed as only GPO being applied through gpresult.

    No sites listed anywhere in IE - not in Intranet or Trusted Sites (default settings for automatically detect Intranet etc.)

    Error still happening

    So looks like something on the file servers end, maybe...? Presumably something, somewhere on an ACL list or NTFS permissions, because as I've said, file servers were rebuilt over the half term - but files, of course, were just copied back on.

    EDIT: creating new shortcuts also does nothing - just made a new shortcut to iexplore and it has the same problem.

    Worth noting that the problem is entirely with shortcuts to programs, apart from My Documents - any shortcuts to files or URLs are OK. Whether this is because of a difference in .lnk and .url files I don't know - can't actually see what extensions the shortcuts have :/
    Last edited by sonofsanta; 11th March 2011 at 03:12 PM.

  18. #15

    Hi

    Thanks for doing the test. Just want to clarify the error still happening. Error as is the sites are still being listed in trusted sites?

    And we are sure that in the single GPO applied there are no IE settings?

    Also, has the new test user got a login script?

    Thanks
    Sukh
