Wednesday, 22 October 2014

Shutting a Windows Server down without installing updates

 

If you have ever needed to shut down a server but it wants to install updates which you know will take longer than your service window, you can use the following command to hold the updates off until the next reboot.

 

net stop wuauserv

 

This stops the Windows Update service (wuauserv). The service is set to start automatically, so it comes back when the server reboots: the updates are only deferred, not removed. Re-run the installation in your next service window rather than leaving security updates outstanding.
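The same trick from PowerShell, with the two checks a practitioner wants first. This is an added example, not from the original post; it assumes a Server 2008 R2/2012-era box with the Windows Update Agent present and uses its COM API, which talks to the server's configured update source (WSUS or Microsoft Update), so that source must be reachable for step 4.

```powershell
# Added example (not from the original post): stop Windows Update for this
# session only, confirm it stopped, and report what is being deferred.

# 1. Stop the Windows Update service.
Stop-Service -Name wuauserv -Force

# 2. Confirm the state and the start mode: 'Auto' means the service returns
#    at the next boot, which is why this is a deferral and not a cancellation.
Get-WmiObject Win32_Service -Filter "Name='wuauserv'" |
    Select-Object Name, State, StartMode

# 3. If updates have already been *installed* and are only waiting for a
#    reboot, stopping the service changes nothing: the reboot will finish
#    them regardless. The Windows Update Agent flags that state with this key.
$rebootRequired = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootRequired) {
    Write-Warning 'Updates are already installed and pending a reboot; expect the shutdown to finish configuring them.'
}

# 4. Record what is being deferred so it is not forgotten. This is the same
#    search the Windows Update client performs, via the agent's COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$pending.Updates |
    Select-Object Title, @{ Name = 'KB'; Expression = { $_.KBArticleIDs -join ',' } } |
    Format-Table -AutoSize

# 5. Shut down. Uncomment once you are happy with the output above; in the
#    next service window run  Start-Service wuauserv  and let the updates install.
# Stop-Computer -Force
```

Run it from an elevated prompt; stopping services and reading the WindowsUpdate key both need administrator rights.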

 

Hope this helps someone

Friday, 3 October 2014

Skype - Sign-in Details not recognised

This issue makes me laugh: you have Skype, you attempt to log in and, even though your credentials are correct, it says "Sign-in details not recognized". You are on full, unfiltered broadband, yet oddly enough the same account works on another computer.

You have probably Googled it and all the forums say "download the latest version". I despise resolutions like that: even when it happens to work, it does nothing for those who already have the latest version, and since when do older versions just stop working?

Unless it has been announced that you must upgrade, you don't have to do anything you don't want to.

This resolution works with the latest version or an older one.

Usually this is caused by corruption in one of three locations:

C:\ProgramData\Skype
C:\Users\%username%\AppData\Local\Skype
C:\Users\%username%\AppData\Roaming\Skype

When you simply uninstall and reinstall, you will probably find that Skype still has the problem. The Skype uninstaller leaves these three folders on the disk, so the reinstalled copy picks up exactly the same corrupt profile data and, shock and behold, behaves exactly the same.

When you upgrade, you sometimes find that these folders are replaced or updated, which removes the corruption as a side effect. The upgrade does not detect and fix the corruption; it just replaces files and folders that may or may not have been corrupt. That is why an upgrade sometimes fixes it, depending on what that particular update happens to replace.


Real Resolution (any version)

Uninstall Skype using Add/Remove Programs
Delete the C:\ProgramData\Skype folder
Delete the C:\Users\%username%\AppData\Local\Skype folder
Delete the C:\Users\%username%\AppData\Roaming\Skype folder

Before deleting the Roaming folder, be aware that it holds the local chat history (the main.db database under each Skype name). Copy it somewhere else first if you want to keep it; the deletion is irreversible.

Reinstall Skype, ideally the latest version since you are doing an install anyway, but it doesn't matter.

Once installed, try to log in again. Shock and horror, it's working.
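The clean-up steps above as a script, as an added example that is not part of the original post. It backs up the chat database before removing anything, since Roaming\Skype is where the local chat history lives and the folder removal cannot be undone. It assumes the Skype desktop client registers itself as an MSI product (the uninstall key name is the product code); if that is not what it finds, it stops and asks you to uninstall by hand. Run it elevated, as the affected user, so the AppData paths resolve to that user's profile.

```powershell
# Added example (not from the original post): back up chat history, uninstall
# Skype, then remove the three profile folders the uninstaller leaves behind.
$ErrorActionPreference = 'Stop'

$skypeDirs = @(
    "$env:ProgramData\Skype",
    "$env:LOCALAPPDATA\Skype",
    "$env:APPDATA\Skype"
)
$backupDir = Join-Path $env:USERPROFILE ("SkypeBackup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))

# Skype must not be running or its files are locked.
Get-Process -Name Skype -ErrorAction SilentlyContinue | Stop-Process -Force

# 1. Back up every main.db (one per Skype account used on this machine).
Get-ChildItem -Path "$env:APPDATA\Skype" -Recurse -Filter main.db -ErrorAction SilentlyContinue | ForEach-Object {
    $dest = Join-Path $backupDir $_.Directory.Name
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $_.FullName -Destination $dest
    Write-Host "Backed up chat history for $($_.Directory.Name) to $dest"
}

# 2. Uninstall through the registered uninstaller (what Add/Remove Programs runs).
#    Assumption: the entry is an MSI product, so its key name is the product code.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$skype = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'Skype*' } | Select-Object -First 1
if ($skype -and $skype.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
    Start-Process -FilePath msiexec.exe -ArgumentList "/x $($skype.PSChildName) /qn /norestart" -Wait
} elseif ($skype) {
    Write-Warning "Found '$($skype.DisplayName)' but not as an MSI product; uninstall it from Add/Remove Programs, then re-run."
    return
} else {
    Write-Host 'Skype is not registered as installed; continuing with the folder clean-up.'
}

# 3. Remove the three profile locations the uninstaller leaves behind.
foreach ($dir in $skypeDirs) {
    if (Test-Path -LiteralPath $dir) {
        Remove-Item -LiteralPath $dir -Recurse -Force
        Write-Host "Removed $dir"
    }
}

# 4. Reinstall from the vendor's download and sign in again.
Write-Host "Done. Chat history backup (if any) is in $backupDir"
```

The ProgramData folder needs administrator rights to remove, hence the elevated prompt; the two AppData folders belong to whichever user you run it as, which is why it should be the affected user and not a separate admin account.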


Other Stupid Resolutions

Internet Explorer

Another resolution (apparently) is to install the latest version of IE. Stop blaming IE for everything: yes, it has its share of bugs, and yes, most people use something else, but it is not where to point the finger when you simply don't know the real reason.

Windows Firewall

No. It worked before, so it should still work. Software developers don't just decide one day to use different ports. Don't switch the firewall off to "test" either: if a firewall rule were the cause, the same account would fail on every computer, not just this one.

Proxy Incorrect

No. It worked before, so it should still work. Again, developers don't suddenly revolutionise the way they connect through a proxy and tell no one about it.

Downgrade

Don't. Unless there is a bug that Skype themselves acknowledge, there is no reason to downgrade, and an older client also means you are missing its security fixes.


Tuesday, 29 July 2014

Recycling Bin with Redirected Folders

 Recycle Bins and Redirection


The Recycle Bin on your desktop opens a window listing everything you have deleted, accidentally or deliberately.

What you might not know is that every redirected folder has its own Recycle Bin. If you have 10 redirected folders, you have 10 additional Recycle Bins, each with its own settings and storage capacity.

You also have a local Recycle Bin for every drive, so with a C:\ and a D:\ drive you have one for each.

10 Redirected folders + 2 Drives = 12 individual recycling bins.

If you have redirected Music, Videos and Pictures to follow Documents, you have three fewer, because those three share the Documents Recycle Bin. Just to add to the confusion.

So when you open the Recycle Bin from the desktop, you are viewing the contents of all of those bins (12 in our example) in one place, with no indication of which bin each file actually lives in.

Below is an example where I have given Pictures and Music their own redirection and Videos follows the Documents folder.


So even though I see one view, the files are actually stored in completely different locations.

Locations

Say you map a P:\ drive on the client as the user's personal drive. That drive is the UNC path:

\\file-server-01\studentsdrives\%username%\documents

The Recycle Bin for that folder is found by appending $Recycle.Bin to that UNC path.

Following from my example above I see:



Notice that in my Documents Recycle Bin I have lost the Music and Pictures files. That is because they reside in different Recycle Bins:

  • \\file-server-01\studentsdrives\%username%\Music\$Recycle.Bin
  • \\file-server-01\studentsdrives\%username%\Pictures\$Recycle.Bin

So what does this mean for me?

You are an IT admin and you know full well that people park things in their Recycle Bin and never empty it. With a Recycle Bin per redirected folder, that means large files pending deletion are sitting on your server in several places, each governed by its own limit.

I found that a student had copied a DVD to his My Videos folder (3.2GB), watched the DVD and then deleted the file. To him, the file was deleted. To the server, it was still there in his Recycle Bin. Even though the My Documents Recycle Bin was limited in size, his My Videos Recycle Bin has its own size limit, and as a result he ended up with a total of 11GB of deleted files when we calculated the combined total of his Recycle Bins.

That was one student. In a high school with over 1,000 students this is a massive drain on server storage. Naturally it justifies the nice new SAN you want, but schools don't have much money any more; they never did, and it is only getting worse.
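Before deciding on limits it helps to measure the problem. The script below is an added example, not part of the original post: it walks the student share described above and totals what is sitting in each redirected folder's $Recycle.Bin, per user and per folder. The share layout (\\file-server-01\studentsdrives\<user>\<folder>) is the one used in the post; change $root for your own, and run it as an account that can read every user's $Recycle.Bin (the per-SID sub-folders inside it are normally readable only by the owner and administrators). It assumes PowerShell 3.0 or later for the -Directory and -File switches.

```powershell
# Added example (not from the original post): size up the per-folder Recycle
# Bins hidden inside redirected folders on the file server.
$root = '\\file-server-01\studentsdrives'   # assumption: <root>\<user>\<folder> layout

function Get-RecycleBinUsage {
    param([string]$Root)
    # Each redirected folder keeps its bin in a hidden $Recycle.Bin directory,
    # with one sub-folder per user SID; everything below it is summed.
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $user = $_.Name
        Get-ChildItem -Path $_.FullName -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $bin = Join-Path $_.FullName '$Recycle.Bin'
            if (Test-Path -LiteralPath $bin) {
                $bytes = (Get-ChildItem -LiteralPath $bin -Recurse -Force -File -ErrorAction SilentlyContinue |
                          Measure-Object -Property Length -Sum).Sum
                [pscustomobject]@{
                    User    = $user
                    Folder  = $_.Name
                    BinPath = $bin
                    SizeMB  = [math]::Round(($bytes / 1MB), 1)
                }
            }
        }
    }
}

$usage = Get-RecycleBinUsage -Root $root

# Largest individual bins first: this is where the "deleted" DVDs show up.
$usage | Sort-Object SizeMB -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Combined total per user, which is the figure no single Recycle Bin limit sees.
$usage | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User    = $_.Name
        Bins    = $_.Count
        TotalMB = ($_.Group | Measure-Object -Property SizeMB -Sum).Sum
    }
} | Sort-Object TotalMB -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it straight on the file server where possible; over the network the recursive listing of a thousand profiles is slow, and the numbers are what justify (or not) the limits you set next.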

So how do I manage it?

This is the tricky bit, because there is no built-in GPO setting for it.

The easiest way is File Server Resource Manager quotas on the folders. Each Recycle Bin defaults to a percentage of the size of the disk it lives on, so a quota on the user's folder also caps what the bin can hold. This depends on your folder structure and redirection, though: you can say personal folders are only allowed 10GB, but if profile folders live in a different location you need to set quotas for those as well.

Customized GPO


I took the liberty of creating a GPO that lets you disable and/or specify sizes for each individual redirected folder's Recycle Bin.

I have tested this with Windows 7 and have confirmed the settings for higher versions.


You can completely disable the redirected folder's Recycle Bin (above).


Or you can specify the size of each redirected folder's recycle bin.


If you right-click the Recycle Bin on your client computer and choose Properties, you will see where these settings apply:


For each Recycle Bin you either set it not to move files to the bin at all (they are deleted immediately), or you set its size in MB within the policy.

For example, I have had Pictures, Videos and Music follow the Documents folder; using my GP Objects I have limited the Documents Recycle Bin to 3GB and disabled every other Recycle Bin.

If they deleted an item from their Downloads folder by accident, I can recover it anyway using shadow copies.

This is how I solved it, and if anyone else is having these issues, by all means try my policies. The alternative is to manually alter the registry for each redirected folder, but that made up about 12 preferences which I could do without. Looks messy.
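The registry route mentioned above, scripted, as an added example that is not the author's GPO (which is not reproduced on the page) or any other code from the post. It assumes, as observed on Windows 7, that Explorer keeps per-known-folder Recycle Bin settings under BitBucket\KnownFolder\<KNOWNFOLDERID> in the user hive, with MaxCapacity as the bin size in MB and NukeOnDelete set to 1 meaning "delete immediately, never move to the bin"; the GUIDs are the documented KNOWNFOLDERID values. Check the Recycle Bin Properties dialog described above after a logoff/logon to confirm the values took effect on your build before wrapping this in a Group Policy Preference.

```powershell
# Added example (not from the original post): set per-redirected-folder Recycle
# Bin limits in the current user's registry, the manual alternative to the GPO.
$knownFolders = @{
    Documents = '{FDD39AD0-238F-46AF-ADB4-6C85480369C7}'
    Pictures  = '{33E28130-4E1E-4676-835A-98395C3BC3BB}'
    Music     = '{4BD8D571-6D19-48D3-BE97-422220080E43}'
    Videos    = '{18989B1D-99B5-455B-841C-AB7C74E4DDFC}'
    Downloads = '{374DE290-123F-4565-9164-39C4925E467B}'
    Desktop   = '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}'
}
# Assumption (observed on Windows 7): Explorer stores known-folder bin settings here.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder'

function Set-RedirectedBin {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [int]$MaxCapacityMB = 0,
        [switch]$Disable
    )
    if (-not $knownFolders.ContainsKey($Folder)) { throw "Unknown folder '$Folder'" }
    $key = Join-Path $base $knownFolders[$Folder]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # NukeOnDelete = 1: bypass the bin and delete at once; 0: use the bin with MaxCapacity.
    Set-ItemProperty -Path $key -Name NukeOnDelete -Type DWord -Value ([int]$Disable.IsPresent)
    if (-not $Disable) {
        Set-ItemProperty -Path $key -Name MaxCapacity -Type DWord -Value $MaxCapacityMB
    }
}

# The policy described above: Documents (which Pictures, Videos and Music follow)
# gets a 3GB bin; every other redirected folder deletes immediately.
Set-RedirectedBin -Folder Documents -MaxCapacityMB 3072
foreach ($f in 'Pictures', 'Music', 'Videos', 'Downloads', 'Desktop') {
    Set-RedirectedBin -Folder $f -Disable
}

# Read back what Explorer will see (it re-reads these at logon / Explorer restart).
Get-ChildItem $base | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $name = ($knownFolders.GetEnumerator() | Where-Object { $_.Value -eq "{$($_.Key)}" -or $_.Value -eq $PSItem.PSChildName } | Select-Object -First 1).Key
    [pscustomobject]@{ Folder = $name; Key = $_.PSChildName; MaxCapacityMB = $p.MaxCapacity; NukeOnDelete = $p.NukeOnDelete }
}
```

Deploying the same values through Group Policy Preferences (Registry items, per user) is what turns this into the "12 preferences" the post mentions; the GPO template approach just packages the same keys more tidily.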

Hope this helps some out there. 

Regards, 

Wednesday, 16 July 2014

Assigning Office 365 options to users (Basic)


I have recently been working with a school that has signed up to Microsoft's OVS-ES agreement. As part of this they are entitled to apply for Student Advantage licences, which allow pupils to download and install an up-to-date version of Office on up to five devices at home. To access this, the school needs an Office 365 account on the A2 (free) plan.
Administrators can assign licences to staff and pupils through the web portal, but that only lets you modify a handful of users at a time. Microsoft have, however, been generous enough to provide a means of automating these processes with PowerShell.
You will need the Windows Azure Active Directory Module for Windows PowerShell (the "Windows Azure components") installed on your computer; once it is installed you can connect to and work with your Office 365 tenant from PowerShell.
The script below is an example that assigns a licence to every user in a given department (the AD Department attribute, synchronised to Office 365) and then applies whatever restrictions you want on the services within that licence.
It can be adapted for pupil users by changing the licence used and the department searched for. It is very basic, however: it does not take into account users who already hold conflicting licence assignments, and I have not tested that scenario.
I will follow up this basic post with a more comprehensive one that lets you pick the department and licence from simple text menus in the shell, but for now this should give you something to be going on with.
###################################################################################
# Marc Hundley
#
# Version 0.1
#
# 16/07/2014
#
# Purpose : Allocating with restrictions access for Staff to the O365 tools online
###################################################################################
#
# Requirements
# ------------
#
# Windows Azure Active Directory Module for Windows PowerShell ("Windows Azure Components")
# Office 365 online account
#
######
#
# Suitable amount of licenses to allocate to staff
#
######
#
# Knowledge of TENANT_ID - can be obtained by using the following commands :
#
# Import-Module MSOnline
# $msolcred = Get-Credential
# Connect-MsolService -Credential $msolcred
# $licenses = Get-MsolAccountSku
# $licenses
#
# This will give you all of the available licenses; the TENANT_ID will be the
# common factor before the : in every AccountSkuId
#
######
#
# Edit the -DisabledPlans entry depending on the needs of the customer; the
# plan names can be obtained, after connecting as above, with :
#
# $licenses[x].ServiceStatus
#
# Where [x] is the license you wish to view (array starting at 0)
#
# Options for the STANDARDWOFFPACK_FACULTY are as follows
#
# YAMMER_EDU
# SHAREPOINTWAC_EDU
# MCOSTANDARD
# SHAREPOINTSTANDARD_EDU
# EXCHANGE_S_STANDARD
#
######
#
# Staff members are to be members of the Staff department in Active Directory
# which has synchronised with Office 365
#
###################################################################################

# Import O365 Azure module
Import-Module MSOnline
# Clear Screen
Clear-Host

# Connect to Office 365 with admin credentials
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# Tenant name and SKU. Edit TENANT_ID; it must be quoted, as angle brackets are
# not valid in a bare PowerShell argument.
$tenantId = 'TENANT_ID'
$skuId    = "$($tenantId):STANDARDWOFFPACK_FACULTY"

# Get users
$users = Get-MsolUser -Department "Staff" -MaxResults 2500

# Assign faculty pack exclusions to variable (edit DisabledPlans as needed by customer)
$myO365Sku = New-MsolLicenseOptions -AccountSkuId $skuId -DisabledPlans EXCHANGE_S_STANDARD

# Assign components for each user
foreach ($user in $users) {
    $username = $user.UserPrincipalName

    # A license cannot be assigned to a user with no UsageLocation; report and
    # skip rather than abort the whole run (set it with Set-MsolUser -UsageLocation, e.g. GB).
    if (-not $user.UsageLocation) {
        Write-Warning "Skipping $username : no UsageLocation set"
        continue
    }

    Write-Host "Assigning License for $username"
    # Add the overall license and the plan exclusions in a single call
    Set-MsolUserLicense -UserPrincipalName $username -AddLicenses $skuId -LicenseOptions $myO365Sku
}

Tuesday, 15 July 2014

Unable to use Keyboard with VMware Player or vSphere

Been a while since I've posted, but this one I've wasted a day or two trying to resolve and couldn't find any information anywhere.

Issue: VMWare vSphere or Workstation accepting mouse input, but not keyboard input.

Cause: Windows security update KB2973201 (MS14-039, the fix for an elevation-of-privilege vulnerability in the On-Screen Keyboard), which most desktop users never notice.

Workaround: Uninstall the update and hide it in Windows Update so it is not reinstalled. Bear in mind this removes a security fix from the host; treat it as temporary and re-apply the update once VMware or Microsoft ship a fix.

Fix: TBA

Thursday, 3 July 2014

Change Default Printer Settings from 2 sided to 1 sided on 10.9

Annoyingly, when you add certain drivers to a Mac the default may say 1-sided but pages still print 2-sided. This causes much frustration, and although you can create presets, there is no way to change the default through those settings. The steps below change it. Bear in mind that this only changes the default on the computer you are working on; if the printer is shared from a Mac server, run these steps on the server and it sets the default for everything that uses it.

Annoyingly again, on 10.9 the CUPS web page is blocked by default; it is almost as if Apple don't want you to change anything these days. To enable it, open Terminal (search for it in Spotlight) and type "sudo cupsctl WebInterface=yes" (without the quotation marks), entering the admin password when prompted. The interface only listens on localhost (port 631), so enabling it exposes nothing to the network; you can turn it off again afterwards with "sudo cupsctl WebInterface=no".

Open a browser and in the address bar enter “localhost:631”

   

With the CUPS web page open, select the Printers tab and then the printer you want to edit. In this case I select the Konica.


Then, on the drop-down menu titled "Administration", choose "Set Default Options".


This will show a new page with some new headings (links).


In this case select Finishing Options. Scroll down the list until you see Print Type and change it from 2-Sided to 1-Sided.


Then scroll down the page until you see the Set Default Options button.


Click on this button to save the change. You will then be prompted to authenticate to CUPS.



Enter the account name and password of a Mac user with admin rights and press Log In. You should then get a confirmation.











Friday, 27 June 2014

DNS Cleanup - Setup Scavenging - Properly

Importance of DNS

DNS is arguably the most important aspect of any network.

Incorrect setup, errors and stale records can significantly affect performance, and since a lot of third-party applications such as antivirus and remote support tools rely on it, as does every Windows Server role and System Center product, it is fairly important.

If DNS fails, everything else will. Trust me, trust all IT admins: when it goes down, brown trousers are guaranteed.

Some ISPs, Janet for one, offer secondary name servers with automatic fail-over, so if your own servers fail at least there is an offsite copy of your zone. That covers your externally published zone only; your AD-integrated internal zone lives on your domain controllers and still needs more than one of them. Janet DNS Services

Is there something wrong with mine?

If you work in a single establishment and have performed multiple migrations of your network, I can guarantee (since you are reading this) that you have looked at your DNS and realised there are machines in there which haven't existed for years. Why haven't they gone? Scavenging is ticked.

This applies to newer networks too, even ones only a couple of years old. It doesn't take long for a network to get quite dirty.

You gotta love a GUI... not. This is why we should all be on Core editions, people! If you are a Doctor Who fan you know the Doctor lies; a GUI lies too.

Yes, you have the tick box, and yes, you've specified the days for scavenging, but have you also noticed that when you scavenge manually the records still stay there? Isn't that just weird.

Is there something wrong with your DNS? No, because your network is working; but also yes, because it isn't working as well as it could be.

Lets Tidy Up.

Active Directory Domain Services

First and foremost, since you are doing all this cleaning, it is worth taking another look at your Active Directory.

At my college, yes, I have an accurate asset register, but there is that part of me thinking: is it possible that this random computer is still being used by someone? Why is it in AD if it isn't?

If unsure, disable the computer account and wait for the phone to ring; re-enabling it takes all of five seconds. Cleaning up AD makes your life much easier, because when you run through the DNS records you can then say, hand on heart, that machine shouldn't be in there; it doesn't exist any more.

After a set period of time (48 hours to two weeks), if no one has called and all staff, full-time and part-time, have been in since, you can delete it properly from Active Directory. I genuinely disabled about 40 machines when I first started here. How else am I going to find out? People are quick to report issues when they can't log in; plus it makes you feel in control, and they need reminding of that. :)

DNS

Now you can say AD is up to date and accurate, lets start sorting out DNS.

Two different things are being configured here, and only one of them replicates. Aging on a zone (the no-refresh and refresh intervals) is a property of the zone, so for AD-integrated zones it replicates to every DNS server hosting the zone. The server-level setting, "Enable automatic scavenging of stale records", is per server and replicates nowhere, so you must visit every DNS server in your organisation and check it yourself. Even for the zone setting, don't take the GUI's word for it: open each server and confirm what it shows rather than assuming replication has caught up.

That said, there is a point where you simply have to wait; some things cannot be rushed. Trust me on this.

Whether you use RSAT or log in to the server remotely or directly, open the DNS console (shock).

Add ALL your DNS servers to the console so you can do it all from one place.

Right click your first server and choose Set Aging/Scavenging for All Zones.



Tick the box and set the intervals; the defaults are 7 days for both the no-refresh and refresh intervals. For a school I like 5. (I did this on a Monday, so mine now refreshes over the weekend.)


Press Ok.

Right click the server again and choose properties.

On the Advanced tab, ensure "Enable automatic scavenging of stale records" is ticked and that the scavenging period matches the number of days you specified above.


Press Ok. 

Right, open Forward Lookup Zones, right-click your domain zone and choose Properties.


Click the Aging button on the General tab.



Set this to the same values as before.

*This is not best practice: in a very large enterprise you would not set these times all the same (which is why it isn't set from the top level). In a school with a single forest and a single site, or even two sites, it will not cause any problems. At university scale you may need to plan this out more, but frankly, at that level, if your technicians and administrators have a bad DNS then what the hell are you doing?

Press Ok to the Aging and press ok to the properties menu.

If you have a second DNS server, open it in the console and check the same three places. The zone aging you just set is a property of the zone and will already show your values once it has replicated; the Advanced tab setting is per server and will not, so tick it there too.

If you have more than two DNS servers, pick one to do the scavenging. Leave aging enabled on the zones, but on every server except that one untick "Enable automatic scavenging of stale records" on the Advanced tab. One server scavenging a zone is enough, and it keeps the deletions predictable.

Command Line Stuff

Login to your primary DNS Server.

If you have two DNS Servers:

Go to CMD as Administrator

Type DNSCmd . /ZoneResetScavengeServers [Domain] [DNSServerIP] [SecondDNSServerIP] (the "." means the server you are logged in to). Only the servers listed here are allowed to scavenge the zone.

e.g. DNSCmd . /ZoneResetScavengeServers contoso.local 192.168.10.10 192.168.10.11

If you have more than two DNS servers, make sure every server except your chosen one has automatic scavenging turned off, and run the same command with only that server's address:

DNSCmd . /ZoneResetScavengeServers contoso.local 192.168.10.10

What will happen now

New scavenge servers:
        Ptr          = bunchofnumbers
        MaxCount     = 2
        AddrCount    = 2
        server[0] => gobbledeegook, addr=192.168.10.10
        server[1] => gobbledeegook, addr=192.168.10.11

Reset scavenging servers on zone [domain] successfully.


Command completed successfully.

Once you have run it, the list of scavenging servers for the zone is set. You may see two in the list or just one, depending on your setup. If you ever run the command with no addresses at all, the restriction is removed and any server hosting the zone may scavenge it again.
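The whole procedure above (zone aging, one designated scavenging server, and a way to see what will actually be removed) done with the DnsServer PowerShell module instead of the GUI and dnscmd. This is an added example, not part of the original post; it assumes Server 2012 or later (or RSAT with the DnsServer module), and the server names dc01/dc02/dc03, the zone contoso.local and the five-day intervals are placeholders standing in for your own.

```powershell
# Added example (not from the original post): configure aging/scavenging with
# the DnsServer module and report which records are eligible for removal.
$zone         = 'contoso.local'          # placeholder, as in the post
$scavenger    = 'dc01'                   # the one server that will scavenge
$otherServers = 'dc02', 'dc03'           # everyone else: aging on, scavenging off
$interval     = New-TimeSpan -Days 5

# 1. Zone aging is a zone property: set it once (AD-integrated zones replicate it).
#    -ScavengeServers restricts who may scavenge the zone, the equivalent of
#    dnscmd /ZoneResetScavengeServers.
$scavengerIp = (Resolve-DnsName -Name $scavenger -Type A).IPAddress
Set-DnsServerZoneAging -Name $zone -ComputerName $scavenger -Aging $true `
    -NoRefreshInterval $interval -RefreshInterval $interval -ScavengeServers $scavengerIp

# 2. Server-level automatic scavenging is per server: on for the scavenger, off elsewhere.
Set-DnsServerScavenging -ComputerName $scavenger -ScavengingState $true -ScavengingInterval $interval
foreach ($s in $otherServers) {
    Set-DnsServerScavenging -ComputerName $s -ScavengingState $false
}

# 3. A record is removed only once now > timestamp + NoRefresh + Refresh. Static
#    records (no timestamp) are never touched, which is why records that existed
#    before aging was enabled seem to survive every scavenge.
function Get-StaleDnsRecords {
    param(
        [string]$ZoneName,
        [string]$Server,
        [timespan]$NoRefresh,
        [timespan]$Refresh
    )
    $cutoff = (Get-Date) - $NoRefresh - $Refresh
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $Server -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address } }
}

"Dynamic A records past the scavenging threshold in $zone :"
Get-StaleDnsRecords -ZoneName $zone -Server $scavenger -NoRefresh $interval -Refresh $interval |
    Format-Table -AutoSize

# 4. Static A records that aging will never clean up; check these against the
#    asset register by hand, as the post suggests.
"Static A records (no timestamp) in $zone :"
Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $scavenger -RRType A |
    Where-Object { -not $_.Timestamp } |
    Select-Object HostName, @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize
```

Re-running the two report sections every week or so is the practical way to watch the "patience" phase described below: the stale list should shrink as records age past the threshold, and anything left in the static list has to be dealt with by hand.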

The waiting game begins.

Patience

This takes several weeks to sort itself out. A record is only eligible once its timestamp is older than the no-refresh plus refresh intervals, so existing dynamic records need that much time to pass after you change the settings. Records created before aging was enabled on the zone have no timestamp at all; they are treated as static and will never be scavenged, so those you have to delete by hand. (dnscmd's /AgeAllRecords switch can stamp them, but it also stamps your genuinely static records, which are then deleted if nothing refreshes them, so use it with care.) Other than that, hold fire and wait.

After a few weeks you'll begin to notice that your scavenging is actually working now.  No odd devices are appearing in your DNS.

Roles such as WSUS begin to actually clean up when you click Clean, System Center client deployments work much faster, antivirus logs become more accurate, server name resolution is significantly quicker and clients notice some speed improvements, though they won't ever say anything. Login times usually improve as well, group policies that were set but hadn't applied correctly start to apply, and DFS begins to love you again.

I hope this blog has helped out a lot of people out there, I know my life became so much easier once I got the DNS stuff out the way. My DNS is neat, my AD is neat and there is no sign of old devices from previous migrations.  Ready for the future.


Thanks for reading!

Friday, 11 April 2014

Open File Security Warning - Complete Resolution

This is one of the most popular topics on the web; it is absolutely crazy how many people have been involved in discussions about it.

Welcome to our version on Thoughts of Primary School Tech, ironically written by me, a college tech (and manager, I might add). My, my, we have moved on since we first started blogging here.

Let's sort the questions out once and for all and get some pictures involved. None of the generic "just add it to GPO" responses, or "that is trusted zone, just add it there"; nothing is more annoying than someone posting a solution in their own shorthand when you have no clue how to apply it.

The Policies

First lets bring up a picture, we all understand pictures.


For those who cannot see it, this picture shows a side-by-side comparison of the Server 2012 group policy and the four security zones found on the Security tab in Internet Options.

In Group Policy this is found in the following location:

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List.

On the client machine the Security page is found in Internet Explorer: Tools (Alt+X) -> Internet Options -> Security tab.

Even though we are working in Internet Explorer settings, remember that a window showing your files is the Explorer.exe process, and both use the same URL security zone machinery (urlmon). Settings that live under Internet Explorer therefore affect the rest of the operating system too, which is a big reason why removing Internet Explorer without breaking something else is almost impossible: it is part of the operating system and its settings apply system-wide.

Drive Mappings

Right. A mapped drive, whether defined by a script or a preference, is just a friendly name over what would otherwise be a UNC path that non-technical folk, bless them, would never remember.

The mapped R:\ drive for example, would actually be the location \\Servername\sharename\resources but we cannot expect our users to know this, so we just say it's the R:\ drive.  Simple.

You can map this location in five (realistic) ways:


  • You map it based on the NETBIOS name of the server, so lets say our server is called File-SVR-01, so the map would look like \\File-SVR-01\Sharename\resources.
  • You can map it based on the server's IP address so: \\192.168.10.4\Sharename\resources
  • You can map it based on an alias of your server so: \\Files\Sharename\resources
  • You can map it based off a DFS namespace so: \\domain.local\NS\Sharename\resources
  • You can map it based off the full FQDN of the file server so: \\File-SVR-01.domain.local\Sharename\resources

There are probably others, especially once SANs get involved, but for most of us these five cover the common cases.

I know that using the NetBIOS name or the FQDN is essentially the same thing, and for all intents and purposes you would be right, but for this file security warning it matters which method you used: the zone is decided from the server name or address in the path, so each form is a separate entry. Consistency is important when mapping drives. If you use the FQDN, use it for every share; do not cut corners here or you get unexpected results.

Fix the problem

Let's fix the problem on one machine first, prove the fix, and get rid of that Open File Security Warning once and for all. I do not want you deploying policies you don't fully understand, because what is the point if you learn nothing from it?

Get on a machine and log in, ideally with an account that is allowed to alter the Internet Explorer security settings, e.g. a domain administrator on a machine in an OU not restricted by policy. You need mapped drives to test with.

Find a .exe in the mapped drive and try to run it. It should not run immediately, and you get the famous:


Open File Security Warning

Notice that even as an administrator, this still appears.

Notice at the bottom the warning you receive, this is important

"While files from the internet can be useful, this file type can potentially harm your computer.  Only run software from publishers you trust"

This is the error we would like to see, as this entire topic is based on this particular one.  The following two errors are different problems:

User Account Control Error

Fix found here: Turn off UAC via GPO

(That prompt has a different cause: the program asked for elevation. Turning UAC off domain-wide removes a protection for every user rather than fixing a zone mapping, so think hard before you do it.)

Digital Signature Error



Now that you understand the differences between the three prompts above, let's assume you have the first one: the one saying the file came from the Internet and poses a security risk.

You know the file is not from the Internet but from your local network, because you know your mapped drive is a server location. So you need to add your server to the Local intranet zone: not Trusted sites, not Restricted sites, not Internet. Local intranet.

This is important, as there are a lot of people out there who say "stick it in Trusted sites", and that can actually cause you more headaches. The reason is that on server versions before 2008 R2 the Trusted zone would actually have worked.

Weird, right? I never tested this theory, but after endless searches I noticed a pattern: everyone who had this problem on 2008 or lower resolved it that way, while those on 2008 R2 or higher said it didn't work, so I have to make that connection. Might not be true, but I never said I was honest.

The difference between the two zones is the "Launching applications and unsafe files" setting: Local intranet defaults to Enable, so there is no prompt, whereas Trusted sites defaults to Prompt.


Before touching the server side, make it work on one machine; then we know exactly what to type into the policy. The server does no validation of what you enter, so you could push an incorrect entry to every client, which causes the errors explained at the end of this post.

Go to: IE -> Tools (Alt+X) -> Internet Options -> Security tab -> Local intranet -> Sites -> Advanced

Type in *.domain.local  (filling in domain.local with the full name of your domain).

If you do not type it in correctly, you will be presented with this error:


This dialog explains the syntax it accepts, and tells you when you have not met it. The server, on the other hand, accepts incorrect syntax silently. This is why we do it on the client first: once we get it right here, we know exactly what to type on the server.

After you have typed in your wildcard domain, press OK and close Internet Explorer.

Now try to open the .exe you tried before and hopefully the security warning has vanished. You have found the fix and can move on to the server-side policies.

Continue only if the prompt still appears.

If it is still not working, go back to the same Advanced dialog and remove the *.domain.local entry; since it does not work on its own, there is no point keeping it.

The most likely reason it did not work is the way you map your drives: if they are not mapped by a NetBIOS name or FQDN within that domain, the wildcard never matches. Mapping by IP address is a common reason for the failure.

So this time, in the Advanced dialog, add the IP address of each file server. You could instead add a whole address range so the entire subnet is treated as intranet, but be aware that every host in that range, including anything an attacker plugs in or compromises, then gets prompt-free execution; listing only the file servers is the safer choice.

Remember the syntax: CIDR notation (/24, /23) is not accepted.


From here it is trial and error, and you have to make some decisions. I do not know your network and would only confuse you by recommending specific entries, so try different combinations. The benefit is that the dialog validates what you type: if it accepts it, it is valid; if it doesn't, it isn't. Take advantage of that, because the server does not give you this luxury.

Eventually the dialog will accept something and, when you run the .exe from the mapped location, bang, it starts without the warning. At this point, cheer! Then note the exact entry, syntax and all, like it was your own name, because you need to type it into the policy on the server.

IMPORTANT: Remember this setting. It is your fix.

Server Side
  • Go to a domain controller (or any machine with the Group Policy Management console installed)
  • Open up group policy management.
  • Go to: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page

  • In here I have manually enabled the following policies:
    • Intranet Sites: Include all local (intranet) sites not listed in other zones
    • Intranet Sites: Include all sites that bypass the proxy server
    • Intranet Sites: Include all network paths (UNCs)
  • I have disabled
    • Turn on automatic detection of intranet
Before enabling these, be clear on what they do. "Include all network paths (UNCs)" is the one that matters for mapped drives: any \\server\share path is treated as Local intranet. "Include all local (intranet) sites not listed in other zones" treats every single-label (dotless) host name as intranet, which is exactly the behaviour that LLMNR/NetBIOS name-spoofing attacks on the LAN rely on, so decide whether you actually need it. These policies affect the settings in the Local intranet window found by going to:

In IE -> Tools (Alt+X) -> Internet Options -> Security tab -> Local intranet -> Sites


Applying the policies above greys out this area and prevents users changing it.

The Site to Zone Assignment List policy (below) populates the Advanced dialog reached from the Advanced button above.

Site to Zone Assignment

This is the advanced menu where the settings will appear.

The site will not appear in the intranet list unless its value is 1, the Local intranet zone number (see next image).














Within this policy you specify which zone each site belongs to. The values are:

1. Intranet Zone
2. Trusted Site Zone
3. Internet Zone
4. Restricted Zone

To prevent file security windows appearing when opening up a certain file type from a mapped drive, you must know how your mapped drive is mapped first.  The setting you discovered by following this document will be the setting you need to deploy out.

So type your setting, e.g. *.domain.local, in the Value name field and 1 in the Value field.

Now remember that validation error from the client? It will not happen here. The server accepts whatever you type, right or wrong, and the mistake only shows up on the clients as the Zonemapping error listed below. This is bad and should not be done.

Run gpupdate and RESTART your client machines once you have put the setting in and applied it in Group Policy.

Open a client affected by the policy, go to the Advanced dialog in the Internet Explorer intranet settings and check that your policy has applied.

Try to open a .exe as a restricted user and, by magic, the file security warning vanishes as if it were never a problem. Such a pain in the backside, but all this work is worth it, especially if you use software that runs .exes from the share every time it loads on the client.
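A way to check "has it applied?" on a client without clicking through Internet Options, as an added example that is not part of the original post. It reads the Site to Zone Assignment List as Group Policy writes it (ZoneMapKey), the per-domain map the zone-mapping client-side extension builds from it (ZoneMap\Domains), and the Local intranet zone action behind the prompt, "Launching applications and unsafe files" (action 1806, where 0 is Enable, 1 is Prompt and 3 is Disable). The registry locations are the ones Internet Explorer and its Group Policy extension use; the zone numbers are the 1 to 4 listed above. IP-range entries live separately under ZoneMap\Ranges and are not covered here.

```powershell
# Added example (not from the original post): confirm on a client what the
# Site to Zone Assignment List did and whether Local intranet will run .exes
# without the Open File Security Warning.
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# 1. The raw policy list as Group Policy writes it: value name = site pattern,
#    value data = zone number. This is the list that gets no syntax validation.
$policyList = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path $policyList) {
    $key = Get-Item $policyList
    $key.GetValueNames() | ForEach-Object {
        $z = $key.GetValue($_)
        [pscustomobject]@{ Pattern = $_; Zone = $z; ZoneName = $zoneName[[int]$z] }
    } | Format-Table -AutoSize
} else {
    Write-Warning 'No Site to Zone Assignment List in policy on this machine (not applied yet, or not scoped here).'
}

# 2. What the zone-mapping extension built from it. Under ...\ZoneMap\Domains a
#    key per domain (optionally with a sub-key per host) holds one value per
#    scheme: 'http', 'https', 'file', or '*' for any scheme, with the zone number.
#    A domain-level key on its own is either a *.domain wildcard or a single-label host.
function Get-ZoneMapDomains {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $rel  = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9) -split '\\'
        $site = if ($rel.Count -gt 1) { '{0}.{1}' -f $rel[1], $rel[0] } else { $rel[0] }
        foreach ($scheme in $_.GetValueNames()) {
            $z = $_.GetValue($scheme)
            [pscustomobject]@{
                Source   = $Root.Split(':')[0]
                Site     = $site
                Scheme   = $scheme
                Zone     = $z
                ZoneName = $zoneName[[int]$z]
            }
        }
    }
}
Get-ZoneMapDomains 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
Get-ZoneMapDomains 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# 3. The zone action behind the prompt: 1806 "Launching applications and unsafe
#    files" for Local intranet (Zones\1). A value under Policies overrides the user's.
$actionName = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($zoneKey in 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1') {
    if (Test-Path $zoneKey) {
        $v = (Get-Item $zoneKey).GetValue('1806')
        if ($v -ne $null) { '{0}: 1806 = {1} ({2})' -f $zoneKey, $v, $actionName[[int]$v] }
    }
}
```

If step 1 shows your pattern but step 2 shows nothing for it, the zone-mapping extension rejected the entry, which is the Zonemapping event described under Known Errors below; fix the syntax on the server rather than adding the site by hand on the client.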


Known Errors

If you find other errors related to this, please tell us in the comments; the longer the list, the easier it is for those struggling to find this blog.

Error 1
Windows failed to apply the Internet Explorer Zonemapping settings.  Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.

Cause
You have typed something into the Site to Zone Assignment List policy that does not meet the syntax requirements.

Resolution
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment

Stick to the recommended syntax; below is an image showing examples of the correct forms supported by Windows.