[Mozilla Enterprise] GPO setting lists are not appending

Copus, Scott scott.copus at wku.edu
Thu Aug 8 21:41:06 UTC 2019 

Mike, Valtori,

I don’t think I’m aware of any 3rd party GPO admin templates that have settings that can be merged/appended across multiple links like parent/child OUs.  It’s possible it may natively exist though, I’m just not aware of something that works that way with admin templates.  I assume it exists for non-admin template GPO settings… like the IE site-to-zone assignment lists that Valtori mentioned.  Getting multi-value GPO settings and nested OUs to “merge” settings seems to always be a pain point for our team.  We typically have organizational GPOs with settings that are ‘site-wide’.  If any department or specific location (OU) then wants “extra” multi-value settings appended, we typically clone the parent GPO and just add to the child GPO.  This works fine most of the time until we need to add more values to a multi-value setting.  In this case we need to revisit all those cloned child GPOs and adjust those accordingly too.

As a workaround, I guess it’s possible to create “extra” GPO settings that Firefox can choose to internally merge/append (or replace) itself.  Such as:
Mozilla-->Firefox-->Popups-->Allowed Sites (popup URL string list)
Mozilla-->Firefox-->Popups-->Allowed Sites_2 (popup URL string list)
Mozilla-->Firefox-->Popups-->Allowed Sites_2_ReplaceMode:
                Not Configured/Disabled:  Defaults to MERGE with “Allowed Sites” above
                Enabled:  REPLACE “Allowed Sites”
Mozilla-->Firefox-->Popups-->Allowed Sites_3 (popup URL string list)
Mozilla-->Firefox-->Popups-->Allowed Sites_3_ReplaceMode
                Not Configured/Disabled:  Defaults to MERGE with “Allowed Sites”, “Allowed Sites_2”
                Enabled:  REPLACE “Allowed Sites” and/or “Allowed Sites_2”

It’s messy but should work.  If this road gets traveled, I’m just not sure how many “levels” any multi-value settings should have.  In the example above, it’s just the main setting plus two additional.  A 2-deep setting would probably suffice for us, but maybe an extra 3rd (or more) could be useful to others?

--
Scott Copus, Desktop Support Systems Engineer
Information Technology Services | Western Kentucky University
https://www.wku.edu/its

From: Enterprise [mailto:enterprise-bounces at mozilla.org] On Behalf Of Mike Kaply
Sent: Thursday, August 08, 2019 11:41 AM
To: Valtori OTTK Elinkaaripalvelut <elinkaaripalvelut.ottk at valtori.fi>
Cc: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] GPO setting lists are not appending

** This message originated from outside WKU. Always use caution following links. **
I'm not sure what we would be doing to affect this.

I just did a quick check with machine and user policies on Chrome, and policies aren't combined/appended, machine replaces user.

I'm not sure how this should work with OUs.

If anyone has any ideas about this, I would appreciate it.

Mike

On Thu, Aug 8, 2019 at 7:48 AM Valtori OTTK Elinkaaripalvelut <elinkaaripalvelut.ottk at valtori.fi<mailto:elinkaaripalvelut.ottk at valtori.fi>> wrote:
Hello

Have anyone noticed that if two GPOs have for example NTLM list , only list of last processed GPO applies?

Makes managing in OU level bit hard. Top level GPO settings have to be copied to sub level GPO settings, if customer wants own trust and every sub level GPO have to be updated if top level GPO is updated. Not familiar with ADMX-files but at least Internet Explorer Site-to-zone settings are appending.

Thanks
- Miika Sorvisto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190808/770487ac/attachment.html>

More information about the Enterprise mailing list