How to troubleshoot Internet Explorer Maintenance Policies

Troubleshooting Internet Explorer's Maintenance Policies (IEMP) can be quite a task. After you read this you will be able to solve most IEMP issues. So here we go.

There are two ways to configure IE through Group Policy. One is through the policies available under Windows Components\Internet Explorer and the other is under Windows Settings\Internet Explorer Maintenance. In this article we will only talk about troubleshooting the latter.

There are three parts to troubleshooting IEMP problems:

1. The Group Policy part
2. The IEDKCS32.DLL part
3. The Internet Explorer part

Our first task is to find out in which part the problem lies; once we identify that, finding a solution will be easy. So let's look at how we isolate the problem. I am going to explain how to do this with the following example.

Environment:

    DC: Windows 2003 SP2
    Client: Windows XP SP2

Group Policy Object details:

    GPO Name: T1
    GPO ID: {0FE2B926-1002-4078-91CF-2867A0D59E1C}

[Screenshot: how to get the above information]

    GPO Name: T2
    GPO ID: {B0B67DF7-1F91-4AC9-85FD-7AC51F66ED75}

[Screenshot: T1 Internet Explorer Maintenance Configuration]

OK, now with the above configuration let's see how we can confirm whether or not it is a Group Policy issue.

1. On the client machine run gpresult /V > gpresult.txt. The things we are interested in are:

    USER SETTINGS
    -------------
    CN=T1,OU=Test,DC=DC141639,DC=local
    Last time Group Policy was applied: 4/25/2008 at 7:57:07 PM
    Group Policy was applied from: blr2b05-m6.DC141639.local
    Group Policy slow link threshold: 500 kbps

    Applied Group Policy Objects
    ----------------------------
    T1

AND

    Internet Explorer Browser User Interface
    ---------------------------------------
    GPO: T1
    Large Animated Bitmap Name: N/A
    Large Custom Logo Bitmap Name: N/A
    Title BarText: N/A
    UserAgent Text: N/A
    Delete existing toolbar buttons: No

    Internet Explorer Connection
    ---------------------------
    HTTP Proxy Server: http://testshamir1:80
    Secure Proxy Server: http://testshamir1:80
    FTP Proxy Server: http://testshamir1:80
    Gopher Proxy Server: http://testshamir1:80
    Socks Proxy Server: http://testshamir1:80
    Auto Config Enable: No
    Enable Proxy: Yes
    Use same Proxy: No

    Internet Explorer URLs
    ---------------------
    GPO: T1
    Home page URL: http://shamir1
    Search page URL: N/A
    Online support page URL: N/A

    Internet Explorer Security
    -------------------------
    Always Viewable Sites: N/A
    Password Override Enabled: False
    GPO: T1
    Import the current Content Ratings Settings: No
    Import the current Security Zones Settings: No
    Import current Authenticode Security Information: No
    Enable trusted publisher lockdown: No

    Internet Explorer Programs
    -------------------------
    GPO: T1
    Import the current Program Settings: No

So here, with the GPResult output, we can be sure that T1's IEMP has been applied.

What if under user settings we don't see T1 as one of the applied GPOs?

We will need to work from the domain's perspective, as in any other GP issue. IEMP has not even got a chance to do anything.

What if I see several GPOs applied and many of them have IEMP settings configured?

It is recommended to have only one GPO with IEMP applying to a client machine, for two reasons:

1. Logon time will be longer because IEDKCS32.DLL will need to process each and every IEMP sequentially.
2. In the past we have seen erratic behavior when more than one GPO configures IEMP settings.

How do I know which GPO's IEMP has been applied?

In the GPResult output, the "GPO:" line under each IE section tells you which GPO has applied that setting. The sections are:

    Internet Explorer Browser User Interface
    Internet Explorer URLs
    Internet Explorer Security
    Internet Explorer Programs

You can also find it out from the registry on the client machine:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

In my case, since I have two GPOs on the same OU configuring IEMP, I will find two keys under the above key, one named '0' and the other named '1'.

[Screenshot: values under key 0]
[Screenshot: values under key 1]

If I had 4 GPOs configuring IEMP, then I would find four registry keys, namely 0, 1, 2 and 3. For any conflicting setting among these, the one that takes effect is the one under the highest number, in our case 1, and that is why we see T1's homepage setting and not T2's. Why T1 is chosen over T2 is something I haven't been able to crack.

The above keys are important from a troubleshooting point of view. As engineers or administrators, we often don't know all the GPOs in the environment that configure IEMP. One easy and sure-shot way to find which GPOs with IEMP are applied to a machine is through the registry.

So from the above tests we will be able to confirm whether it is a GP issue or not. In our case it is not. We have confirmed the GPO is getting applied, and IEDKCS32 is aware of the IEMP settings in the GPOs because we see entries for the IEMP CSE ({A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}).

So now let's go to the second part: whether it is an IEDKCS32.DLL issue.

IEDKCS32.DLL is the binary that is responsible for processing any IEMP setting from a GPO on the client machine.
For this, it first copies the install.ins file from

    C:\WINDOWS\SYSVOL\sysvol\<DOMAIN NAME>\Policies\<GPO UNIQUE ID>\User\MICROSOFT\IEAK

(along with other files, such as seczones.inf, depending on the options that are configured) to the client machine's CustomX folder in one of these locations:

    C:\Documents and Settings\<USER>\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings

OR

    C:\Documents and Settings\<USER>\Application Data\Microsoft\Internet Explorer\Custom Settings

The X in CustomX is a number that corresponds to the registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}, so for each subkey in that location there will be a corresponding folder under Custom Settings.

Why this ambiguity in the locations? It depends on whether you have folder redirection enabled. IEMP does not work well when folder redirection is enabled; for it to work well it needs a hotfix installed, http://support.microsoft.com/?id=888254. Once this is installed, the CustomX folder gets created under "C:\Documents and Settings\<USER>\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings", and before that under "C:\Documents and Settings\<USER>\Application Data\Microsoft\Internet Explorer\Custom Settings".

You will see the error message below if IEMP is not working because of folder redirection:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1091
    Date: 9/21/2004
    Time: 1:03:09 PM
    User: NT AUTHORITY\SYSTEM
    Computer: EN-CLA01
    Description: The Group Policy client-side extension Internet Explorer Branding failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.

Now back to our example. I have two Custom folders because I have two GPOs that configure IEMP settings.

Custom0 has the following install.ins file:

    [URL]
    Home_Page=http://T2HomePage
    [Branding]
    GPVersion=6.00.3790.3959

Custom1 has the following install.ins file:

    [Proxy]
    Proxy_Enable=1
    HTTP_Proxy_Server=http://testshamir1:80
    Use_Same_Proxy=0
    Proxy_Override="http://test1;http://test2;http://test3;<local>"
    FTP_Proxy_Server=http://testshamir1:80
    Gopher_Proxy_Server=http://testshamir1:80
    Secure_Proxy_Server=http://testshamir1:80
    Socks_Proxy_Server=http://testshamir1:80
    [Branding]
    GPVersion=6.00.3790.3959
    [URL]
    Home_Page=http://shamir1

So now we can confirm that install.ins and the necessary files are copied from the sysvol folder. If the necessary files are not copied, we will need to run a netmon trace and see whether a query for the install.ins file has been made. If a query has not been made, then consider upgrading IEDKCS32.DLL; at present there are NO known issues with respect to downloading the install.ins file.

Once that is confirmed, we need to know whether IEDKCS32.DLL has processed these install.ins files and the other files. We can confirm that by checking whether the necessary registry entries have been configured. Most IEMP settings are under the following location:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

If the registry settings are not configured, then again IEDKCS32 should be investigated further. One thing that can be done is to take a procmon log on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and see if there are any access denied errors or sharing violations.

Now we have confirmed the problem does not lie with Group Policy or IEDKCS32.DLL. Time to find out whether the problem is with Internet Explorer.

We have seen issues where at times IE does not read the setting even after IEDKCS32.DLL has done the necessary processing, especially with IE7.
In that case, to confirm whether the issue lies with IE or not, take a dump. Dump out the variables that store information on the configurations you have done. In my case, since I have configured proxy settings, I'll try to dump out the proxy information to confirm whether IE has read the value or not.

    dt wininet!GlobalProxyInfo -r
    <deleting unnecessary information>
    +0x00c lpszConnectionName : (null)
    +0x010 lpszProxy : 0x001b8608 "http=http://testshamir1:80;https=http://testshamir1:80;ftp=http://testshamir1:80;gopher=http://testshamir1:80;socks=http://testshamir1:80"
    +0x014 lpszProxyBypass : 0x001ba480 "http://test1;http://test2;http://test3;<local>"
    +0x018 lpszAutoconfigUrl : (null)

In this case, if IE is also reading the values into memory, then you will need a CPR or the Product Team to debug this and find out what is happening.

That's it. With this you have learned all the necessary parts of troubleshooting. You should be able to isolate the problem and even fix it.

Some other things to know about IEMP

IEMP has two modes, Policy mode and Preference mode.

In Preference mode, all configurations are applied only once in the entire lifetime. Any changes by the user on the client side will be permanent, and IEDKCS32.DLL will not reapply the settings. The install.ins in Preference mode has a One_Time_Guid line, which allows you to easily confirm that the policy is in Preference mode.

    [Branding]
    One_Time_Guid={B1E35B69-10FD-460B-A996-3C6AFD2DBCD6}
    GPVersion=6.00.3790.3959
    [Proxy]
    Proxy_Enable=1
    HTTP_Proxy_Server=http://test!:80
    Use_Same_Proxy=1
    Proxy_Override=<local>

IEMP in Policy mode reapplies the policy to the user only if there is a change to the GPO. That means that if a user has changed a setting that was configured by IEMP, and the GPO has not undergone any changes, then IEDKCS32.DLL will not reapply it.

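
The Custom0/Custom1 comparison and the One_Time_Guid check described above can be scripted over a copy of the Custom Settings folder. This is an added example, not part of the original article or any Microsoft tool; the function names are hypothetical, and it assumes the article's observation that the highest-numbered CustomX wins a conflict.

```python
import configparser
import re
from pathlib import Path

def load_ins(text):
    """Parse one install.ins; split on '=' only and never interpolate '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp

def effective_settings(custom):
    """custom maps the X of CustomX to install.ins text.
    Returns ({(section, key): (value, X)}, [X in Preference mode]).
    Assumption from the article: the highest X wins a conflict."""
    merged, preference = {}, []
    for x in sorted(custom):
        ins = load_ins(custom[x])
        for section in ins.sections():
            for key, value in ins.items(section):
                merged[(section, key)] = (value.strip('"'), x)
                # One_Time_Guid under [Branding] marks Preference mode
                if (section.lower(), key.lower()) == ("branding", "one_time_guid"):
                    preference.append(x)
    return merged, preference

def read_custom_folders(root):
    """Collect install.ins text from each CustomX folder under 'Custom Settings'."""
    found = {}
    for d in Path(root).glob("Custom*"):
        m = re.fullmatch(r"Custom(\d+)", d.name)
        if m and (d / "install.ins").is_file():
            found[int(m.group(1))] = (d / "install.ins").read_text(errors="replace")
    return found

# Constructed sample: the two install.ins files quoted in the article (abridged).
SAMPLE = {
    0: "[URL]\nHome_Page=http://T2HomePage\n[Branding]\nGPVersion=6.00.3790.3959\n",
    1: "[Proxy]\nProxy_Enable=1\nHTTP_Proxy_Server=http://testshamir1:80\n"
       'Proxy_Override="http://test1;http://test2;http://test3;<local>"\n'
       "[Branding]\nGPVersion=6.00.3790.3959\n[URL]\nHome_Page=http://shamir1\n",
}

if __name__ == "__main__":
    merged, preference = effective_settings(SAMPLE)
    for (section, key), (value, x) in sorted(merged.items()):
        print(f"[{section}] {key} = {value}   (from Custom{x})")
    print("Preference-mode folders:", preference or "none")
```

To run it against real data, pass the result of read_custom_folders() on a copied Custom Settings folder to effective_settings(); an unexpected proxy or home page then shows which CustomX, and therefore which GPO history entry, supplied it.
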
To make sure that IEDKCS32.DLL applies IEMP at every logon, you will need to make the following registry changes under

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

and

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}

    Purpose: Determines whether or not the client extension will process a group policy when a slow link is detected.
    Value Name: NoSlowLink
    Data Type: REG_DWORD
    Value: 0

    Purpose: Determines whether or not the client extension will process a group policy when there are no changes between the cached list of GPOs previously processed and the current list.
    Value Name: NoGPOListChanges
    Data Type: REG_DWORD
    Value: 0

Forcing IEDKCS32.DLL to apply IEMP on every logon will cause a significant delay in logon, especially when you have several GPOs that configure IEMP. Remember that IEDKCS32.DLL will need to download all files, process them sequentially and write to the registry.

There are times when we have seen issues where, sadly, the install.ins or seczones.inf files are not valid, in the sense that the copy in the sysvol folder does not have the right configuration data. It is always good to confirm that the install.ins and seczones.inf files have the right data. You can do this by making the same configuration on a test machine and matching the data with the data on the server.

Some Known Issues

ISSUE: Customer uses Mandatory Profiles and enables the IE connection option "Automatically Detect Settings" for the proxy server via GPO.
RESULT: The checkbox is unchecked.
CAUSE: The GPO applies correctly, but the autodetection has not yet been tried and the proxy settings are invalid due to this.
RESOLUTION: Tell the proxy configuration that the discovery has already been tried once, by setting the following registry value in the mandatory profile:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    (DWORD)"MigrateProxy"=1

ISSUE: Customer uses Internet Explorer as the shell while using MSTSC; the users never log on locally to this TS server, and IEMP settings don't take effect.
RESULT: None of the IE settings are getting configured.
CAUSE: When you first log on to a Windows Server 2003-based computer by using a new account, an initialization process runs and performs some initialization tasks. However, if you use a remote desktop connection to log on to this computer instead of using a local logon, the initialization tasks are not completed.
RESOLUTION: Run the command Runonce.exe /Alternateshell in the batch file as a workaround, or use this batch file as a logon script for the TS users.

1. In the Group Policy, go to User Configuration\Windows Settings\Scripts\Logon.
2. Add a script with the command "runonce.exe /AlternateShellStartup", without the quotes.
3. Apply / OK.

DISCLAIMER: The information in this document is based on my experience in troubleshooting such cases. I believe the information captured in this document is correct.

Shamir Abdul Aziz
saziz@microsoft.com