Announcement

Collapse
No announcement yet.

Enable ActiveX for non-admins with GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Enable ActiveX for non-admins with GPO

    I have a 2003 enviroment with XP clients.
    The users log on the AD as Domain users so they don't have admin creds.

    They use some sites that needs an ActiveX controller and I want them to be able to either accept the activeX installer or not to be promted at all as the ActiveX-controller gets installed.

    Can I make this happen with a GPO?

    Tnx!
    Greetings from
    Petter C.
    Norway

  • #2
    Re: Enable ActiveX for non-admins with GPO

    Any reason you cannot use restricted groups to make them local admins on their workstations?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Enable ActiveX for non-admins with GPO

      Hi,

      Here is the settings you need:

      User Configuration/Administartive Templates /Windows Components /Internet Explorer /Internet Contriol Panel/security Page
      In there Choose the zone you want the setting to be Applied to ie Trusted Site Zones
      in there these are the settings you need to look at depending on what you want:
      Download signed ActiveX controls
      Download unsigned ActiveX controls
      Run ActiveX Controls and Plugins
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR

      Comment


      • #4
        Re: Enable ActiveX for non-admins with GPO

        L4dny:
        Tnx, but I cant really seem to get this to work. My testuser still does'nt get promted to download the activeX controll. The controll is'nt downloaded silently either.
        Ideas?

        Ossian:
        Not really a big reason, but I understand that the best practice is to have the user operate as non-admins?
        Greetings from
        Petter C.
        Norway

        Comment


        • #5
          Re: Enable ActiveX for non-admins with GPO

          Is the GPO applied to the user in question? GPresults.
          If yes, what zone have you got configured?
          and finally is the website added to that zone?

          Yeah, I agree with not adding users to be local admins is good practice if specific tasks can be done via GPO.
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR

          Comment


          • #6
            Re: Enable ActiveX for non-admins with GPO

            The GPO is applied to the user in question. (I have configured the same options under computer-configuration also... don't know if that has any effect)
            The zones configured is: Internet and trusted sites.
            The site i need to get working is added to trusted sites. (I see that the "trusted site sign" is active on the information bar in the bottom of IE7.)
            If I log on the same machine with my own domain admin account the ActiveX controller innstalls itself without prompt just great... so the problem seems related to the fact that the users does not have admin-rights...
            Greetings from
            Petter C.
            Norway

            Comment


            • #7
              Re: Enable ActiveX for non-admins with GPO

              I am presuming you are applying the GPO at the Domain level.

              In the client Machines logged on as a normal user can you check the security settings of the Trusted Sites Zone?
              Internet explorer - Properties - Security - Highlight trusted zones- Custom level
              what are the Activex settings there? Any grayed out?
              Caesar's cipher - 3

              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

              SFX JNRS FC U6 MNGR

              Comment


              • #8
                Re: Enable ActiveX for non-admins with GPO

                Download signed activex.... Gray and enabled.
                Download unsigned activex.... Gray and enabled.
                Run activeX controls.... Gray and enabled.

                All other ActiveX choices enabled exept:
                Display video and animation.... disabled.
                Initialize and script activeX controls not marked... prompt.

                Tnx
                Greetings from
                Petter C.
                Norway

                Comment


                • #9
                  Re: Enable ActiveX for non-admins with GPO

                  What Client OS inc SP have you got and what Browser version?
                  Just wondering if any of the security updates or patches applied is causing the problem. ActiveX is quite open to vulnerabilities as you know.

                  Cheers
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR

                  Comment


                  • #10
                    Re: Enable ActiveX for non-admins with GPO

                    Clients are XP SP3
                    Browser is IE7 - 7.0.5730.13
                    Greetings from
                    Petter C.
                    Norway

                    Comment


                    • #11
                      Re: Enable ActiveX for non-admins with GPO

                      I take it is not possible in XP then.
                      I know the problem has been addressed and resolved in Vista with the ActiveX installer service.

                      In that case you are left with only a few options:

                      Using Restricted Groups as Ossian suggested
                      And maybe Repackaging the ActiveX controls as an MSI with http://www.advancedinstaller.com/ (It comes with a free version also)
                      and deploy through GPO.

                      Ta
                      Caesar's cipher - 3

                      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                      SFX JNRS FC U6 MNGR

                      Comment


                      • #12
                        Re: Enable ActiveX for non-admins with GPO

                        Ok, sometimes you just have to bite the apple and find another solution...

                        Thanks alot
                        Greetings from
                        Petter C.
                        Norway

                        Comment

                        Working...
                        X