Internet explorer zonemapping gpo ошибка - Oshibku.top - решение и исправление самых разных ошибок

Обновлено 25.11.2019

Добрый день! Уважаемые читатели и гости крупного IT блога Pyatilistnik.org. В прошлый раз мы с вами научились узнавать IP-адрес у различных операционных систем. Сегодняшняя публикация снова будет посвящена терминальным столам и RDS фермам, на которых вы можете встретить ошибку групповой политики с кодом события ID 1085, где не удалось применить параметры Internet Explorer Zonemapping. Давайте разбираться, что это такое и для чего необходимо, а главное, как поправить, чтобы ошибка не появлялась.

Что такое Internet Explorer Zonemapping

Internet Explorer Zonemapping — это зоны безопасности в браузере Internet Explorer, которые используются для понимания уровня отношения к тому или иному сайту. Этот параметр политики позволяет управлять списком сайтов, которые вы хотите связать с определенной зоной безопасности. Эти номера зон имеют соответствующие параметры безопасности, которые применяются ко всем сайтам в зоне.

Internet Explorer имеет 4 зоны безопасности, пронумерованные от 1 до 4, и они используются этим параметром политики для привязки сайтов к зонам.

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Параметры безопасности могут быть установлены для каждой из этих зон с помощью других параметров политики, и их параметры по умолчанию: зона надежных сайтов (низкий уровень), зона интрасети (средний-низкий уровень), интернет-зона (средний уровень) и зона ограниченных сайтов ( Высокий уровень). (Зона «Локальный компьютер» и ее заблокированный эквивалент имеют специальные параметры безопасности, защищающие ваш локальный компьютер.)

Если вы включите этот параметр политики, вы можете ввести список сайтов и номера соответствующих зон. Связывание сайта с зоной гарантирует, что параметры безопасности для указанной зоны будут применены к сайту. Для каждой записи, которую вы добавляете в список, введите следующую информацию, это имя сайта и номер зоны. Если вы настраиваете это список через групповые политики и делаете ошибку в синтаксисе ее заполнения, то вы легко можете у себя в системе, в моем случае на RDS ферме встречать предупреждение:

Источник Group Policy. Код события ID 1085. Windows не удалось применить параметры «Internet Explorer Zonemapping». Параметры «Internet Explorer Zonemapping» могут иметь свой собственный файл журнала. Щелкните ссылку «Дополнительные сведения». ( Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file)

Первым делом необходимо понять, какая групповая политика изменяет данную настройку. Для этого вам необходимо открыть журнал событий Windows и перейти в журнал Microsoft-Windows-GroupPolicy, напоминаю, что мы его уже использовали при долго висящей политике Microsoft Disk Quota. Открыв журнал Microsoft-Windows-GroupPolicy-Operational найдите там событие с кодом 4016.

Код события 4016. Запуск обработки расширения Internet Explorer Zonemapping. Список применимых объектов групповой политики: (Изменения обнаружены.) Имя объекта GPO

Обратите внимание, что тут сразу пишется в каком объекте групповой политики находится данная настройка. Если хотите перепроверить и найти ее по GUID, то выберите вкладку «Подробности». Тут вы увидите GUID расширения, имя GPO и GUID, который кстати можете поискать.

Так же отфильтровав журнал вы можете обнаружить ошибку с кодом 7016:

Ошибка с кодом 7016. Завершена обработка расширения Internet Explorer Zonemapping за 31 мс.

Забыл отметить, что если посмотреть в ошибке 1085 на вкладке «Подробности» на поле ErrorDescription, то там увидите ошибку в виде «Недопустимых данных«. Это означает, что у вас неправильные записи в данной политики.

Правильная настройка политики Internet Explorer Zonemapping

Чтобы ваши журналы не забивались ошибками с кодом 1085 необходимо правильно настроить групповую политику или локальные настройки Internet Explorer. Откройте оснастку управление групповой политикой (gpmc.msc). Перейдите к изменений той групповой политики, через которую у вас настраиваются списки сайтов для зон internet Explorer. Найдите политику:

Конфигурация компьютера — Административные шаблоны — Компоненты Windows — Internet Explorer — Панель управления браузером — Вкладка безопасность — Список назначений зоны для веб-сайтов (Administrative Templates > Windows Components > Internet Explorer> Internet Control Panel > Security Page > Site to Zone Assignment List)

Включаем политику «Список назначений зоны для веб-сайтов» и нажимаем кнопку «Показать». У вас появится окно редактора в котором нужно писать адрес сайта и номер зоны, напомню еще раз цифры соответствующие зонам:

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

При вводе данных в редакторе групповой политики нет ни синтаксиса, ни логической проверки ошибок. Затем это выполняется на самом клиенте, когда расширение групповой политики «Internet Explorer Zonemapping» преобразует реестр в формат, который использует сам Internet Explorer. Во время этого преобразования реализуются те же методы, которые используются Internet Explorer при добавлении сайта вручную в определенную зону безопасности. Если запись будет отклонена при добавлении вручную, преобразование также будет неудачным, если используется групповая политика и будет выдано событие 1085 . Подстановочные знаки для доменов верхнего уровня (TLD). Одним из сценариев, который отклоняется при добавлении сайтов, является добавление подстановочного знака в TLD (например, * .com или * .co.uk). Теперь вопрос в том, какие записи рассматриваются как TLD;, ниже я приведу рабочие варианты.

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

*://*.pyatilistnik.org – Работает
http://*.pyatilistnik.org – Работает
*://pyatilistnik.org – Работает
ftp://192.168.0.0/ – Работает
https://pyatilistnik.org/ – Работает
192-193.0.0.0 Работает.
192-193.1-10.0.0 Работает
192-193.1-10.20-30.0 Работает
192-193.1-10.20-30.40-50 Работает

Далее открываете на клиенте командную строку и вводите gpupdate /force, чтобы обновить политику. Если вы все сделали правильно и у вас нет ошибок в синтаксисе написания сайтов Internet Explorer Zonemapping, то вы увидите, что политики отработали корректно.

Если есть ошибки в синтаксисе, то увидите вот такую картину:

При обработке политики пользователя возвращены следующие предупреждения: Клиентскому расширению «Folder Redirection» групповой политики не удалось применить один или несколько параметров, поскольку эти изменения должны обрабатываться до запуска системы или до входа пользователя. Завершение обработки групповой политики будет выполнено перед следующим запуском системы или входом этого пользователя, что может вызвать замедление загрузки и запуска системы. Windows не удалось применить параметры «Internet Explorer Zonemapping». Параметры «Internet Explorer Zonemapping» могут иметь свой собственный файл журнала. Щелкните ссылку «Дополнительные сведения».

так же показателем, того что есть проблемы, это отсутствие вашего сайта в зонах Internet Explorer. Если в списке нет каких-то сайтов, то для вас это сигнал, где искать ошибку.

Редактирование Internet Explorer Zonemapping через реестр Windows

Я вам не перестаю повторять, что групповая политика меняет просто ключи реестра Windows на нужном объекте.

Для пользователя — HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ создаем тут ключ REG_DWORD с нужным значением зоны IE
Для компьютера —
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ создаем тут ключ REG_DWORD с нужным значением зоны IE

Для включения галки «Для всех сайтов зоны требуется проверка подлинности серверов (https)» необходимо создать запись REG_DWORD с именем Flags и значением 71 вместо 67 по пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
Если вы хотите добавить диапазон IP адресов, тогда нужно добавлять 2 параметра. По пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE) \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\local. Создать запись типа REG_SZ с Value name — :Range и Value Data – 192.168.1.0-254 и в SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\local запись REG_DWORD с Value name — * (или нужный вам протокол) и Value Data – 1 (номер зоны)

На этом у меня все. С вами был Иван Семин, автор и создатель IT блога Pyatilistnik.org.

Дополнительные материалы

https://blogs.msdn.microsoft.com/askie/2016/04/05/description-of-event-id-1085-from-internet-explorer-zonemapping/
https://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/

Источник

Всем привет!

При обновлении групповой политики получаем следующее предупреждение в консоли, в том числе и в журнал.

Windows не удалось применить параметры «Internet Explorer Zonemapping». Параметры «Internet Explorer Zonemapping» могут
иметь свой собственный файл журнала. Щелкните ссылку «Дополнительные сведения».

Суть — используется повышенная безопасность, часть необходимых сайтов помещается в надежные сайты без возможности правки пользователем.

Данные сайты вводим через административные шаблоны групповых политик в Политике домена по умолчанию по формату Microsoft

* :/ / *. Microsoft.com

При явном прописании протокола ошибка пропадает, но это не совсем удобно когда необходимо охватить ряд протоколов.

Политика применяется и работает в любом случае, но хотелось бы победить данный нюанс.

Домен построен на Windows server 2012, но проблема тянется еще с Windows Server 2008

Источник

Обновлено 25.11.2019

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Так же отфильтровав журнал вы можете обнаружить ошибку с кодом 7016:

Ошибка с кодом 7016. Завершена обработка расширения Internet Explorer Zonemapping за 31 мс.

Правильная настройка политики Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

*://*.pyatilistnik.org – Работает
http://*.pyatilistnik.org – Работает
*://pyatilistnik.org – Работает
ftp://192.168.0.0/ – Работает
https://pyatilistnik.org/ – Работает
192-193.0.0.0 Работает.
192-193.1-10.0.0 Работает
192-193.1-10.20-30.0 Работает
192-193.1-10.20-30.40-50 Работает

Если есть ошибки в синтаксисе, то увидите вот такую картину:

Редактирование Internet Explorer Zonemapping через реестр Windows

Я вам не перестаю повторять, что групповая политика меняет просто ключи реестра Windows на нужном объекте.

Для пользователя — HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE
Для компьютера —
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE

Для включения галки «Для всех сайтов зоны требуется проверка подлинности серверов (https)» необходимо создать запись REG_DWORD с именем Flags и значением 71 вместо 67 по пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE)SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1
Если вы хотите добавить диапазон IP адресов, тогда нужно добавлять 2 параметра. По пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE) SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal. Создать запись типа REG_SZ с Value name — :Range и Value Data – 192.168.1.0-254 и в SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal запись REG_DWORD с Value name — * (или нужный вам протокол) и Value Data – 1 (номер зоны)

На этом у меня все. С вами был Иван Семин, автор и создатель IT блога Pyatilistnik.org.

Дополнительные материалы

https://blogs.msdn.microsoft.com/askie/2016/04/05/description-of-event-id-1085-from-internet-explorer-zonemapping/
https://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/

One of the nice things about being an independent consultant is the new stuff learned while on projects. I learned some new information about Site to Zone Mapping I wanted to share with you.

[Testing updates are at the bottom of the article. Article last updated 5-Oct-2016.]

A project I worked on recently had users complaining about how long it took to log on and launch their published applications. As is my practice, the first thing I start doing is looking in the event logs. One of the issues I found was this mysterious message in the System event log:

Windows failed to apply the Internet Explorer Zonemapping settings

OK, what group policy did this come from? Is this really a problem? Was this slowing down the logon or application launch?

I did a quick PowerShell script to gather all the 1085 EventIDs from the System event log from their hundreds of XenApp 6.5 servers. What I found was there were many hundreds of these events every day on every XenApp server. Looking at the details, I saw this was causing an issue with logins and application launches.

Figure 1 shows the shortest delay I found.

Figure 1

Figure 2 shows the longest delay I found.

Figure 2

Most of the delays were in the 5 to the 6-second range.

Now to find out what group policy was causing the issue.

The cached copies of profiles are deleted so that I couldn’t run a Resultant Set of Policy on a user’s name or the server. Since I am an outsider with limited account access and limited visibility into Active Directory, I turned to the lab on my laptop. I built a test group policy with a few Site to Zone Mapping entries and saw that the settings were saved in a file called seczones.inf. The next step was to borrow some code that Michael B. Smith wrote for the XenApp 6.5 documentation script that traverses SYSVOL looking for the Citrix group policy file. I slightly modified Michael’s code to look for the seczones.inf file instead of the policies.gpf file.

Here is the code I used to scan SYSVOL, looking for all policies that contain a seczones.inf file.

$pwdpath = $pwd.Path

If($pwdpath.EndsWith(&quot;&quot;))
{
	#remove the trailing 
	$pwdpath = $pwdpath.SubString(0, ($pwdpath.Length - 1))
}
[string]$FileName1 = &quot;$($pwdpath)SecZonePolicies.txt&quot;
$root = [ADSI]&quot;LDAP://RootDSE&quot;
$domainNC = $root.defaultNamingContext.ToString()
$root = $Null
$xArray = @()

$domain = $domainNC.Replace( 'DC=', '' ).Replace( ',', '.' )
Write-Host &quot;$(Get-Date): Searching $($domain)sysvol$($domain)Policies&quot;
$sysvolFiles = @()
$sysvolFiles = dir -Recurse ( '\' + $domain  + 'sysvol' + $domain + 'Policies' ) -EA 0
If($sysvolFiles.Count -eq 0)
{
	Write-Host &quot;$(Get-Date): Search timed out.  Retrying.  Searching \ + $($domain)sysvol$($domain)Policies a second time.&quot;
	$sysvolFiles = dir -Recurse ( '\' + $domain  + 'sysvol' + $domain + 'Policies' ) -EA 0
}

ForEach( $file in $sysvolFiles )
{
	If( -not $file.PSIsContainer )
	{
		#$file.FullName  ### name of the policy file
		If( $file.FullName -like &quot;*UsermicrosoftIEAKBRANDINGZONESseczones.inf&quot; )
		{
			#&quot;have match &quot; + $file.FullName ### name of the Citrix policies file
			$array = $file.FullName.Split( '' )
			If( $array.Length -gt 7 )
			{
				$gp = $array[ 6 ].ToString()
				$gpObject = [ADSI]( &quot;LDAP://&quot; + &quot;CN=&quot; + $gp + &quot;,CN=Policies,CN=System,&quot; + $domainNC )
				$xArray += $gpObject.DisplayName	### name of the group policy object
			}
		}
	}
}

$cnt = 0
If($xArray -is [array])
{
	$cnt = $xArray.Count
	$xArray = $xArray | Sort
}
Else
{
	$cnt = 1
}

Write-Host &quot;$(Get-Date): Output list of $($cnt) policies&quot;
Out-File -FilePath $Filename1 -InputObject $xArray

If(Test-Path &quot;$($FileName1)&quot;)
{
	Write-Host &quot;$(Get-Date): $($FileName1) is ready for use&quot;
}

Running this script produces a sorted list of policies that need further research. Just because a policy folder contains a seczones.inf file does not mean that policy contains Site to Zone Mapping. Now I needed to review every policy to see which ones actually use Site to Zone Mappings. As I reviewed each policy (by looking at the Settings tab for the GPO), I copied the Site to Zone Mappings to Excel. Once all policies had been reviewed, I used Excel to remove all the duplicate entries and sorted the remaining entries.

So what entries were causing the problem? What exactly are valid entries?

I reached out to Group Policy MVP Jeremy Moskovitz (owner of PolicyPak and GPAnswers) for help. He then reached out to a friend of his, Martin Binder, who sent back some useful information. The reply from Martin about what is valid and invalid:

This is a bug in how Windows processes the lists in that policy setting.

The only valid items are:

Valid: [(http|ftp|someotherprotocol|*)://](Host|*).dom.tld
(The protocol spec is optional...)

Everything else is invalid.

*.tld - invalid
www.google.com/maps&amp;nbsp;- invalid
www.bing.*- invalid
*cdn.amazon.com - invalid
*tp://www.policypak.com - invalid
*.*.microsoft.com - invalid

Tip:

In Win10, 2 letter domains like *.co.au or *.co.nz are now allowed. 
These were forbidden in earlier windows versions and threw errors and possibly caused slowdowns.

Being the Sm@rt@$$ that I am, I now had to prove his list and test what now looked like the invalid entries in the customer’s Site to Zone Mappings.

My laptop lab’s domain controller is Server 2012 R2, and the Forest Functional Level is 2012 R2. By this time, the customer had granted me a much higher level of access to do a small test in their 2003 Forest and their 2008 R2 Forest. Results were the same in all three Forests.

I created a test VM, joined the domain, and logged in with local administrator credentials for the tests.

The first thing I did was create a Site to Zone mapping with a known valid entry of https://www.citrix.com/products/receiver.html in zone 2, as shown in Figure 3. [5-April-2021, this is no longer a valid URL]

Figure 3

On my test VM, I ran GPUpdate /force, open Internet Explorer (IE), looked at my Trusted Sites, and my entry was there, as shown in Figure 4.

Figure 4

Next, I wanted to try what looked like an invalid entry from the customer, a URL with no Zone number, as shown in Figure 5.

Figure 5

Figure 6 shows running GPUpdate /force.

Figure 6

So a URL with no Zone number is an invalid entry. Looking at my Trusted Sites shows just the original entry is there, as shown in Figure 7.

Figure 7

Another possible invalid entry from the customer. Notice the * after the .com, as shown in Figure 8.

Figure 8

Figure 9 shows running GPUpdate /force shows that putting an * after the TLD is an invalid entry.

Figure 9

What about a popular entry of putting a port number in the URL, as shown in Figure 10?

Figure 10

Running GPUpdate /force shows success, as shown in Figure 11.

Figure 11

Or is it, as shown in Figure 12?

Figure 12

What happened to the port number? It is not even saved in the registry. So adding a port number is invalid, but the valid data before the port number is saved, as shown in Figure 13.

Figure 13

Now let’s go through the list of invalid entries from Martin.

*.tld, as shown in Figures 14 and 15.

Figure 14

GPUpdate /force shows it is an invalid entry.

Figure 15

Next on the list is www.google.com/maps, as shown in Figures 16 and 17.

Figure 16

GPUpdate /force appears to like what Martin said was an invalid entry.

Figure 17

But Trusted Sites shows anything after the TLD is removed, as shown in Figure 18. Just like with adding a port number, anything after the TLD is just removed.

Figure 18

Next up on the list is www.bing.*, as shown in Figure 19.

Figure 19

I can tell you that GPUpdate /force didn’t like that entry, so I will not bother you with another image.

Next up is *cdn.amazon.com, as shown in Figure 20.

Figure 20

Trust me that is not valid, and neither is tp://www.policypak.com or *..Microsoft.com.

My next question is what happens if you have a mix of valid and invalid entries, as shown in Figure 21.

Figure 21

Obviously, GPUpdate /force is not going to like this, as shown in Figure 22.

Figure 22

But what do my Trusted Sites show, as shown in Figure 23?

Figure 23

Did you notice that the entries in my Trusted Sites do not match the order entered in the policy? It appears Trusted Sites is a sorted list, and all capitalization is removed.

What I would like to see is the Warning in the System event log would give more information. For example, what group policy caused the warning and what mappings are invalid. There is not enough information in the recorded event, as shown in Figures 24 and 25.

Figure 24

Figure 25

What I learned:

Using Site to Zone Mappings is expensive
The more Mappings you use, the more time it takes
If there are any invalid Mapping entries, the time increases even more
All capitalization is removed
The URLs placed into the various Zones are sorted

As I was wrapping this up, I was asked about *://domain.tld. So, of course, I had to test it, as shown in Figures 26 and 27.

Figure 26

Running GPUpdate /force, and it is valid. What shows in Trusted Sites is:

Figure 27

*://CarlWebster.com becomes just *.carlwebster.com.

If you have any other URLs you would like me to test, email me. Webster@carlwebster.com

Thanks for your help, Jeremy and Martin.

Update 5-Mar-2016: Someone asked about the time savings. Suppose we use an average delay of six seconds and add a delay for one logon and one application launch with a total delay of 12 seconds per day per user. If we lowball the number of users to 2000, then that is 24000 seconds lost. 24000 seconds divided by 3600 (the number of seconds in an hour), we get 6.67 hours lost per day. Multiply that by more users and more application launches, we start getting into the real-time loss, which costs real money and cost real productivity.

Update 7-Mar-2016: Someone asked me to test http://10.218.* and it is invalid but http://10.218.. is valid, as shown in Figure 28.

Figure 28

I did my tests on the User Configuration, but you should see the same on the Computer Configuration.

Does this Event ID only get recorded for this warning? To test, I cleared my Application Event Log and ran GPUpdate /force. The only entry now is “Security policy in the Group policy objects has been applied successfully.” In the Group Policy event log, I get the following three events recorded:

Completed Security Extension Processing in 297 milliseconds.
Completed manual processing of policy for computer WEBSTERSLABXA652$ in 1 second.
Next policy processing for WEBSTERSLABXA652$ will be attempted in 99 minutes.

The next question is, does the time it takes for processing Site to Zone Mappings stay the same when all entries are valid as when there are invalid entries? I don’t have enough entries in my lab to know. When I do Change Control for the customer and fix all their Site to Zone mapping policies, I will let you know what I find.

Update #2 7-Mar-2016:

I found the following three articles from Microsoft and will test more patterns.

IInternetSecurityManager::SetZoneMapping method
Problems Adding Top-Level Domains to Zone Sites List
Internet Explorer’s Explicit Security Zone Mappings

Tested the following patterns from the articles:

://.example.com – Valid, becomes .example.com
http://*.contoso.co.uk – Valid
*://server.contoso.com – Valid, becomes server.contoso.com
ftp://192.168.0.0/ – Valid
https://example/ – Valid
file:exampleshare – Invalid even though the first article says it is valid
*://172.16-31.0.0. – Valid becomes 172.16-31.0.0

http://*.server.example.com – Valid even though the first article says it is invalid
ftp://* – Invalid

I then tested file:exampleshare, which shows as Valid but becomes file://example (the share is dropped).

Patterns from the second article that are not in the first article.

ftp://157.54.23.41/ – Valid
file:localsrvshare – Valid but becomes file://localsrv (the share is dropped)
://157.54.100-200. – Valid but becomes 157.54.100-200.*

After seeing the ://172.16-31.0.0. and ://157.54.100-200. examples, I wondered how far that could be taken.

192-193.0.0.0 is Valid.
192-193.1-10.0.0 is Valid
192-193.1-10.20-30.0 is Valid
192-193.1-10.20-30.40-50 is Valid

Update 10-Mar-2016: Martin wrote an article on Internet Explorer site to zone assignments – is it valid and why not? Check it out.

Update 5-Oct-2016: Reader left a comment wanting two tests run. file:1.2.3.4 [with a valid IP address] and file:ComputerName [valid computer name with no domain added].

Figure 29 shows the GPO settings.

Figure 29

I forced replication between my two domain controllers, did a gpupdate /force, and even restarted the servers to make sure. Running gpupdate /force reported no errors, but neither entry appears in the Trusted sites zone, as shown in Figure 30.

Figure 30

Thanks

Webster

Источник

Обновлено 25.11.2019

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Так же отфильтровав журнал вы можете обнаружить ошибку с кодом 7016:

Ошибка с кодом 7016. Завершена обработка расширения Internet Explorer Zonemapping за 31 мс.

Правильная настройка политики Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

*://*.pyatilistnik.org – Работает
http://*.pyatilistnik.org – Работает
*://pyatilistnik.org – Работает
ftp://192.168.0.0/ – Работает
https://pyatilistnik.org/ – Работает
192-193.0.0.0 Работает.
192-193.1-10.0.0 Работает
192-193.1-10.20-30.0 Работает
192-193.1-10.20-30.40-50 Работает

Если есть ошибки в синтаксисе, то увидите вот такую картину:

Редактирование Internet Explorer Zonemapping через реестр Windows

Я вам не перестаю повторять, что групповая политика меняет просто ключи реестра Windows на нужном объекте.

Для пользователя — HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE
Для компьютера —
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE

Для включения галки «Для всех сайтов зоны требуется проверка подлинности серверов (https)» необходимо создать запись REG_DWORD с именем Flags и значением 71 вместо 67 по пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE)SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1
Если вы хотите добавить диапазон IP адресов, тогда нужно добавлять 2 параметра. По пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE) SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal. Создать запись типа REG_SZ с Value name — :Range и Value Data – 192.168.1.0-254 и в SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal запись REG_DWORD с Value name — * (или нужный вам протокол) и Value Data – 1 (номер зоны)

На этом у меня все. С вами был Иван Семин, автор и создатель IT блога Pyatilistnik.org.

Дополнительные материалы

https://blogs.msdn.microsoft.com/askie/2016/04/05/description-of-event-id-1085-from-internet-explorer-zonemapping/
https://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/

ID 1085, не удалось применить параметры Internet Explorer Zonemapping

Что такое Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Так же отфильтровав журнал вы можете обнаружить ошибку с кодом 7016:

Правильная настройка политики Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

*://*.pyatilistnik.org – Работает
http://*.pyatilistnik.org – Работает
*://pyatilistnik.org – Работает
ftp://192.168.0.0/ – Работает
https://pyatilistnik.org/ – Работает
192-193.0.0.0 Работает.
192-193.1-10.0.0 Работает
192-193.1-10.20-30.0 Работает
192-193.1-10.20-30.40-50 Работает

Если есть ошибки в синтаксисе, то увидите вот такую картину:

Редактирование Internet Explorer Zonemapping через реестр Windows

Я вам не перестаю повторять, что групповая политика меняет просто ключи реестра Windows на нужном объекте.

Для пользователя — HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE
Для компьютера —
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE

Для включения галки «Для всех сайтов зоны требуется проверка подлинности серверов (https)» необходимо создать запись REG_DWORD с именем Flags и значением 71 вместо 67 по пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE)SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1
Если вы хотите добавить диапазон IP адресов, тогда нужно добавлять 2 параметра. По пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE) SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal. Создать запись типа REG_SZ с Value name — :Range и Value Data – 192.168.1.0-254 и в SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal запись REG_DWORD с Value name — * (или нужный вам протокол) и Value Data – 1 (номер зоны)

Источник

Windows не удалось применить параметры internet explorer zonemapping

The following forum(s) have migrated to Microsoft Q&A: All English Windows Server forums!
Visit Microsoft Q&A to post new questions.

Answered by:

Question

we are having problems with a certain group policy. We have a rather large environment, and have implemented a while ago, a group policy to centrally manage the Trusted Sites/Local Intranet sites: Windows Components/Internet Explorer/Internet Control Panel/Security Page

The GPO seems to be working well. The sites are recognized as stated in the policy.

Nevertheless, we get an error message in the event viewer:

Error 1085: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension.

With RSOP.msc I get this result:

Internet Explorer Zonemapping Failed (no data) 28/06/2011 15:33:11 Internet Explorer Zonemapping failed due to the error listed below.

The parameter is incorrect.

I can give you the list of all zone assignments if needed. We allready recreated it.

thanks for you help

Answers

Please take a look at the article. I have implimanted the same in my environment. It works great.

Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Proposed as answer by Arthur_Li Microsoft contingent staff Monday, July 11, 2011 1:41 AM
Marked as answer by Arthur_Li Microsoft contingent staff Thursday, July 14, 2011 1:27 AM

All replies

Please check if the values you typed in are valid.

Examples of invalid values:

Examples of valid values:

For more information, please refer to the following Microsoft TechNet blog:

A test case for troubleshooting group policy application – Event ID 1085 and 7016

If the issue persists, would you please send me more information for analyzing. For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose «Send Files to Microsoft»)

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between ‘(‘ and ‘)’ when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.

2. Right click on «Group Policy Result» and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

3. Right click the resulting group policy result and click the «Save Report…» => save report and upload it to the link I provided.

Collect the Userenv.log

Subkey: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon

Value data: 0x00030002 (Hexadecimal)

After the issue reoccurs, find and upload %windir%DebugUserModeUserenv.log file.

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I have been looking at the entries for 10 times, and I can’t find an invalid value.

I have uploaded both logs to the provided Workspace. Can you please check if something is wrong?

I would like to confirm what is the status of the issue? Have the issue been solved?

If not, please send me the diagnostic report again. It seems that the original log has been removed automatically and I cannot read it in time.

Please take a look at the article. I have implimanted the same in my environment. It works great.

Proposed as answer by Arthur_Li Microsoft contingent staff Monday, July 11, 2011 1:41 AM
Marked as answer by Arthur_Li Microsoft contingent staff Thursday, July 14, 2011 1:27 AM

My GPO enviroment works great but I noticed the same error in event log.

Group Policy is working correctly if the last Group Policy event to appear in
the System event log has one of the following event IDs:

(which I see as end result of processing)

This is because Group Policy uses the information collected during preprocessing to apply
settings to the computer or user. The Group Policy service cycles through each
client-side extension, sharing the previous collected information. Each
client-side extension then applies its specific policy settings to the computer
or users. During this process, one or more client-side extensions may report
problems when attempting to apply policy settings.

So I understand that there is nothing to worry about?

Old thread — Still applicable I believe

Did a bit of testing of adding wildcard sites to IE zones, and found one weird issue, and totally reproducable (at least in a few environments I’ve tested it in) whereby Wildcards used for Trusted sites will fail when applied via GPO in the Site to Zone Assigment List

— You cannot use a wildcard * for any site in the Trusted Sites zone
— You can use wildcards * for any sites in the Local Intranet zone

Zone Assignment legend: Local Intranet — 1, Trusted Sites — 2

Using a wildcard for a Trusted Site will display the «Windows failed to apply the Internet Explorer Zonemapping settings» and «Parameter incorrect» error

For example, add the following to the same User Policy under Site to Zone Assignment list — GPO application for the User will FAIL with the above error (on a Windows 7 computer running IE 9 — mentioning this in case it works with other O/Ss)
https://*.somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will FAIL
*.somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will FAIL
*somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will WORK
https://www.somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will work
www.somesite.com 2
http://*.anothersite.com 1

My two cents — hopefully it helps someone

NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me — coke bottle design refreshment :))

I have found that the zonemapping won’t work if you enter a DNS name with just 2 characters, for example:

Will NOT work, also not: sb.nl ss.nl, aa.nl, bb.nl, ff.nl etc.

What does work: sbs.nl, ff1.nl etc.

It seems that there is a bug with just 2 characters.

NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me — coke bottle design refreshment :))

Old thread — Still applicable I believe

— You cannot use a wildcard * for any site in the Trusted Sites zone
— You can use wildcards * for any sites in the Local Intranet zone

Zone Assignment legend: Local Intranet — 1, Trusted Sites — 2

Using a wildcard for a Trusted Site will display the «Windows failed to apply the Internet Explorer Zonemapping settings» and «Parameter incorrect» error

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will FAIL
*.somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will FAIL
*somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will WORK
https://www.somesite.com 2
http://*.anothersite.com 1

Add the following to the same GPO under Site to Zone Assignment List, and GPO application will work
www.somesite.com 2
http://*.anothersite.com 1

My two cents — hopefully it helps someone

We also struggled with this » Internet Explorer Zonemapping failed. » error until I found this post. Then we removed all the wildcards from URLs in trusted sites zone and error went away.

Источник

Обновлено 25.11.2019

Что такое Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Так же отфильтровав журнал вы можете обнаружить ошибку с кодом 7016:

Ошибка с кодом 7016. Завершена обработка расширения Internet Explorer Zonemapping за 31 мс.

Правильная настройка политики Internet Explorer Zonemapping

(1) зона интрасети (Местная интрасеть)
(2) зона доверенных сайтов (Надежные узлы)
(3) интернет-зона (Интернет)
(4) зона ограниченных сайтов (Опасные сайты)

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

*://*.pyatilistnik.org – Работает
http://*.pyatilistnik.org – Работает
*://pyatilistnik.org – Работает
ftp://192.168.0.0/ – Работает
https://pyatilistnik.org/ – Работает
192-193.0.0.0 Работает.
192-193.1-10.0.0 Работает
192-193.1-10.20-30.0 Работает
192-193.1-10.20-30.40-50 Работает

Если есть ошибки в синтаксисе, то увидите вот такую картину:

Редактирование Internet Explorer Zonemapping через реестр Windows

Я вам не перестаю повторять, что групповая политика меняет просто ключи реестра Windows на нужном объекте.

Для пользователя — HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE
Для компьютера —
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains создаем тут ключ REG_DWORD с нужным значением зоны IE

Для включения галки «Для всех сайтов зоны требуется проверка подлинности серверов (https)» необходимо создать запись REG_DWORD с именем Flags и значением 71 вместо 67 по пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE)SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1
Если вы хотите добавить диапазон IP адресов, тогда нужно добавлять 2 параметра. По пути HKEY_CURRENT_USER (или HKEY_LOCAL_MACHINE) SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal. Создать запись типа REG_SZ с Value name — :Range и Value Data – 192.168.1.0-254 и в SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZoneMapRangeslocal запись REG_DWORD с Value name — * (или нужный вам протокол) и Value Data – 1 (номер зоны)

На этом у меня все. С вами был Иван Семин, автор и создатель IT блога Pyatilistnik.org.

Дополнительные материалы

https://blogs.msdn.microsoft.com/askie/2016/04/05/description-of-event-id-1085-from-internet-explorer-zonemapping/
https://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/

Remove From My Forums

Event ID 1085 on DC — Failed to Apply the Group Policy Local Users and Groups Settings

Question

I have a domain with 2 DCs. The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.

Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the «More information» link.

System

  - Provider 

   [ Name]  Microsoft-Windows-GroupPolicy 
   [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9} 
 
   EventID 1085 
 
   Version 0 
 
   Level 3 
 
   Task 0 
 
   Opcode 1 
 
   Keywords 0x8000000000000000 
 
  - TimeCreated 

   [ SystemTime]  2014-10-20T20:09:03.706992400Z 
 
   EventRecordID 130087 
 
  - Correlation 

   [ ActivityID]  {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A} 
 
  - Execution 

   [ ProcessID]  1000 
   [ ThreadID]  3280 
 
   Channel System 
 
   Computer SERVER.DOMAIN.NAME
 
  - Security 

   [ UserID]  S-1-5-18 
 

- EventData 

  SupportInfo1 1 
  SupportInfo2 4404 
  ProcessingMode 0 
  ProcessingTimeInMilliseconds 10343 
  ErrorCode 183 
  ErrorDescription Cannot create a file when that file already exists.  
  DCName SERVER.DOMAIN.name
  ExtensionName Group Policy Local Users and Groups 
  ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}

Everything I look up for Event ID 1085 seems to be about a different cause.

Any ideas?

Edited by
Monday, October 20, 2014 8:38 PM

Hi All,

I have a large domain and a long list of websites that are trusted using the following group policy setting:

Administrative Templates > Windows Components > Internet Explorer> Internet Control Panel > Security Page >
Site to Zone Assignment List

On all (XP/vista/win7) workstations across the domain I’m getting the following error:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1085
Task Category: None
Level: Warning
Keywords: Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file.

There’s nothing either side of this error in the log that shines any more light on the issue.

I know which group policy object its applying these settings but cant find which of the entries in the site to zone assignment list is causing this issue. I looked in the
Group Policy/Operational log but all I see is the following entry which says «completed» but is logged as an error:

After some research I’m guessing that the issue is an incorrect wild-card. This is what my trusted sites list looks like (with names removed of course):

http://servername.*

*.internaldomain.com.au

*.domain.com.au

*.domain.*

*.externaldomain.com

*.domain.inernaldomain.com.au

*.domain.*

*.domain/name.*

*.domain.inernaldomain.au*

*.domain.com

Is there something obviously incorrect here?
Does anyone know where I could find an article that clearly outlines the acceptable wildcard syntax for the
«Security page site to zone assignment list» group policy? Ive read every forum post, website and blog I could find on the internet but nothing is clear and I wasn’t able to find an MS document that steps it out. I’ve also changed the
existing list a number of times based on blog posts etc but had no luck.

**Please Note**
I dont want to change to a different method or have an intellectual debate re why I would have these sites/wildacrd/policy set. I’m really looking to see what entry is invalid and where the documentation is for this policy setting so i can make sure they are
always correct in the future.

thanks in advance for your time and assistance
Simone

PS: I’ve already read the following posts a number of times:

I get no data but have identified the GP that is causing the issue:
A test case for troubleshooting group policy application – Event ID 1085 and 7016 — http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx
I dont have any 2 letter domain names:
Problems Adding Top-Level Domains to Zone Sites List — http://support.microsoft.com/kb/259493
I tried formatting the list per this article:
[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute — http://daily-it.blogspot.com.au/2008/09/solved-group-policy-client-side.html
Has no domain wildcard format info:
Behavior of Site to Zone Assignment List — http://blogcastrepository.com/blogs/mattbro/archive/2006/09/07/2183.aspx
Great article, no wildcard data:
Internet Explorer Policy Settings — http://technet.microsoft.com/en-us/library/bb457144.aspx

Internet zonemapping problem: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a8756a27-b562-42ad-8782-87d284e6bcfb/
Spiceworks Event 1085 (Warning) — http://community.spiceworks.com/windows_event/show/1582-microsoft-windows-grouppolicy-1085
Event ID 1085 — Application of Group Policy — http://technet.microsoft.com/en-us/library/cc727303%28v=ws.10%29.aspx
Application of group policy — http://technet.microsoft.com/en-us/library/cc727312%28v=ws.10%29.aspx
Evt ID 1085 GP client-side extension IE ZoneMapping failed to exec — http://www.winvistatips.com/evt-id-1085-gp-client-side-extension-ie-zonemapping-failed-exec-t706399.html
Event 1085 — Internet Explorer Zonemapping — http://www.minasi.com/forum/topic.asp?TOPIC_ID=29206
EventID.net — http://www.eventid.net/display.asp?eventid=1085&eventno=1412&source=Userenv&phase=1
Event ID 1085 — Internet Explorer Zonemapping failed to execute — http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24897522.html

UPDATE:

I disabled the original policy and created a new one with only one trusted site address in it. Then I logged into a clean test machine did some testing.What I found after a few hours of testing was; regardless of the site that I have listed in group policy
—

The HKCUSoftwarePoliciesMicrosoftCurrent versionInternet SettingsZone Map Key registry entry is
always updated with that entry on the workstation. So the workstation’s registry always updates the key with
*.sitename.com per the site that I have set in GP
If I run GPUPDATE /FORCE over and over again, on the same machine, under the same user account, using the same DC I get:
Failure, Failure, Failure, Success, Success, Success, Failure etc

I wasn’t able to determine any pattern to the failures, I tried stopping some of the processes on that machine but didn’t find anything that would make it fail/succeed reliably.
There is no AV or firewalls installed on my test machine

Anyone have any more ideas? I think I might install filemon and try to capture some more data unless there’s a better tool?

Edited by
Wednesday, August 15, 2012 6:14 AM

Hi All,

I have a large domain and a long list of websites that are trusted using the following group policy setting:

Administrative Templates > Windows Components > Internet Explorer> Internet Control Panel > Security Page >
Site to Zone Assignment List

On all (XP/vista/win7) workstations across the domain I’m getting the following error:

There’s nothing either side of this error in the log that shines any more light on the issue.

After some research I’m guessing that the issue is an incorrect wild-card. This is what my trusted sites list looks like (with names removed of course):

http://servername.*

*.internaldomain.com.au

*.domain.com.au

*.domain.*

*.externaldomain.com

*.domain.inernaldomain.com.au

*.domain.*

*.domain/name.*

*.domain.inernaldomain.au*

*.domain.com

thanks in advance for your time and assistance
Simone

PS: I’ve already read the following posts a number of times:

I get no data but have identified the GP that is causing the issue:
A test case for troubleshooting group policy application – Event ID 1085 and 7016 — http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx
I dont have any 2 letter domain names:
Problems Adding Top-Level Domains to Zone Sites List — http://support.microsoft.com/kb/259493
I tried formatting the list per this article:
[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute — http://daily-it.blogspot.com.au/2008/09/solved-group-policy-client-side.html
Has no domain wildcard format info:
Behavior of Site to Zone Assignment List — http://blogcastrepository.com/blogs/mattbro/archive/2006/09/07/2183.aspx
Great article, no wildcard data:
Internet Explorer Policy Settings — http://technet.microsoft.com/en-us/library/bb457144.aspx

Internet zonemapping problem: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a8756a27-b562-42ad-8782-87d284e6bcfb/
Spiceworks Event 1085 (Warning) — http://community.spiceworks.com/windows_event/show/1582-microsoft-windows-grouppolicy-1085
Event ID 1085 — Application of Group Policy — http://technet.microsoft.com/en-us/library/cc727303%28v=ws.10%29.aspx
Application of group policy — http://technet.microsoft.com/en-us/library/cc727312%28v=ws.10%29.aspx
Evt ID 1085 GP client-side extension IE ZoneMapping failed to exec — http://www.winvistatips.com/evt-id-1085-gp-client-side-extension-ie-zonemapping-failed-exec-t706399.html
Event 1085 — Internet Explorer Zonemapping — http://www.minasi.com/forum/topic.asp?TOPIC_ID=29206
EventID.net — http://www.eventid.net/display.asp?eventid=1085&eventno=1412&source=Userenv&phase=1
Event ID 1085 — Internet Explorer Zonemapping failed to execute — http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24897522.html

UPDATE:

The HKCUSoftwarePoliciesMicrosoftCurrent versionInternet SettingsZone Map Key registry entry is
always updated with that entry on the workstation. So the workstation’s registry always updates the key with
*.sitename.com per the site that I have set in GP
If I run GPUPDATE /FORCE over and over again, on the same machine, under the same user account, using the same DC I get:
Failure, Failure, Failure, Success, Success, Success, Failure etc

Anyone have any more ideas? I think I might install filemon and try to capture some more data unless there’s a better tool?

Edited by
Wednesday, August 15, 2012 6:14 AM

Windows Thread, Group Policy Error 1085 in Technical; Hi all,

im getting event ID (1085) for a certain number of computers in the event log and this message …

3rd March 2009, 12:03 PM #1

Hi all,

im getting event ID (1085) for a certain number of computers in the event log and this message relating to folder redirection.

«The Group Policy client-side extension Folder Redirection failed to execute. Please look for any errors reported earlier by that extension.».

The error message immediately before this is Event ID 111 and the error message is

«Unable to apply folder redirection policy, initialization failed.».

This is causing real problems because i think its related to another problem where he computers arent loading the user group policies either!

This has really stumped me.

Thanks

James
3rd March 2009, 12:39 PM #2

This is typically related to redirecting My Documents, but it can also be linked to Redirecting Start Menus and Desktops too.

Check that users have Full Control of their My Documents. Some users report problems redirecting folders since installing Windows XP SP3, but it’s strange because I have deployed SP3 quite a bit now and haven’t suffered from this problem
3rd March 2009, 12:57 PM #3

HI

Is this any help.

Event ID 1085 Source Userenv

Richard
3rd March 2009, 02:16 PM #4

Originally Posted by Michael

This is typically related to redirecting My Documents, but it can also be linked to Redirecting Start Menus and Desktops too.

Check that users have Full Control of their My Documents. Some users report problems redirecting folders since installing Windows XP SP3, but it’s strange because I have deployed SP3 quite a bit now and haven’t suffered from this problem

I had this exact issue. Removed SP3 and all worked fine afterwards.
3rd March 2009, 02:21 PM #5

Same here.. exact same problem with SP3.. was driving me nuts, until I built a new machine and tested after every update. Stopped working right after SP3…
3rd March 2009, 02:23 PM #6

Thanks for the replies

The starange thing is that this only happens on about 5-6 computers. All the others are fine.

Might be a silly question, but can computers have permissions, like users can?

Its just like the 6 computers dont have the correct permissions to read the group policies that invoke the folder redirection and other user policies.

James
3rd March 2009, 02:26 PM #7

From memory, I think it’s also related to how you setup your user shares. Under Folder Redirection I use ‘Redirect to the user’s home directory’ and setup their shares as servernameshare$ in AD.

Be interesting to see which method you’re using — both Admiral208 and sippo.
3rd March 2009, 02:40 PM #8

We use Basic Redirection and redirect to the users home directory.

We have one shared folder, which is then split into staff and students- which then splits to year joined.
3rd March 2009, 03:47 PM #9

Oh well, knocks that theory on the head. Something must be different though!
28th June 2011, 11:45 AM #10

I’ve been encountering this error recently. Other symptoms included programs not working correctly, IE moaning about security and other settings — These were tracked to the HKCU (ntuser.dat) being problematic. Odley I think I have finally fixed the problem when I checked the DNS and found a (Same as parent) Address record with the wrong IP address. SOA, and NS records were both correct.
22nd September 2011, 01:55 PM #11

Just to dig this post up — I just had this problem with re-directed desktop and start menu folders, the problem was I was re-directing users to a shared desktop and startmenu, but had the ‘Grant user exclusive rights’ box checked. Clearing this fixed it right away.

Hope this is of help to someone.

Remove From My Forums

Question
Hi everybody,

We are getting Event ID 1085 errors after adding «http://*.gob.es» in Group Policy Internet Zonemapping

We have enabled Userenv logging and followed the steps provided in http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx

After adding the entry «http://*.gob.es», the log looks like this:
USERENV(2c8.1c0) 14:49:11:600 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping returned 0x57.
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping doesn’t support rsop logging
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.

We have tested several valid formats

http://*.gob.es
https://*.gob.es
*://*.gob.es

But the error keeps appearing in event viewer

We have tried with another domains and it works.

And even more tricky, in the registry of an affected user we can see these registry entries:

HKEY_CURRENT_USERsoftwarepoliciesmicrosoftwindowscurrentversioninternet settingszonemapkey
*://*.contoso.com REG_SZ 2
*://*.gob.es REG_SZ 2

This entry (*.gob.es) references all the ministerial and government pages in Spain
We are very interested into adding this entry instead of adding each subdomain of gob.es

Thank you very much in advanced.

Sincerely yours.

Ramiro Cascallana

Ramiro Cascallana MCDST MCSA

Answers

> *.gob.es

> http://*.gob.es

> But the error still appears

That’s weird — to all my knowledge it looks ok and should work.

> Maybe Group Policy is assuming that *.gob.es is a TLD (like in

Possibly. This would require a support call with MS, I think.

BTW: When I try to add *.gob.es or http://*.gob.es manually, I receive

[Window Title]

Lokales Intranet

[Content]

Die angegebenen Platzhalter sind fehlerhaft.

Beispiele für gültige Platzhalter:

*://*.microsoft.com

http://*.microsoft.de

file:localsvrfreigabe

*://157.54.100-200.*

Beispiele für ungültige Platzhalter:

http://*.sub.microsoft.com

ftp://*

[OK]

So it seems they revised their 2 letter — 2 letter TLD spec to 3 letter

— 2 letter.

*.gob.esp works…

Martin

Mal ein
Buch über GPOs lesen?

NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me — coke bottle design refreshment :))
- Marked as answer by
  Wednesday, December 11, 2013 10:57 AM

Remove From My Forums

Question
Hi everybody,

We are getting Event ID 1085 errors after adding «http://*.gob.es» in Group Policy Internet Zonemapping

We have enabled Userenv logging and followed the steps provided in http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx

After adding the entry «http://*.gob.es», the log looks like this:
USERENV(2c8.1c0) 14:49:11:600 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping returned 0x57.
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping doesn’t support rsop logging
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.

We have tested several valid formats

http://*.gob.es
https://*.gob.es
*://*.gob.es

But the error keeps appearing in event viewer

We have tried with another domains and it works.

And even more tricky, in the registry of an affected user we can see these registry entries:

HKEY_CURRENT_USERsoftwarepoliciesmicrosoftwindowscurrentversioninternet settingszonemapkey
*://*.contoso.com REG_SZ 2
*://*.gob.es REG_SZ 2

This entry (*.gob.es) references all the ministerial and government pages in Spain
We are very interested into adding this entry instead of adding each subdomain of gob.es

Thank you very much in advanced.

Sincerely yours.

Ramiro Cascallana

Ramiro Cascallana MCDST MCSA

Answers

> *.gob.es

> http://*.gob.es

> But the error still appears

That’s weird — to all my knowledge it looks ok and should work.

> Maybe Group Policy is assuming that *.gob.es is a TLD (like in

Possibly. This would require a support call with MS, I think.

BTW: When I try to add *.gob.es or http://*.gob.es manually, I receive

[Window Title]

Lokales Intranet

[Content]

Die angegebenen Platzhalter sind fehlerhaft.

Beispiele für gültige Platzhalter:

*://*.microsoft.com

http://*.microsoft.de

file:localsvrfreigabe

*://157.54.100-200.*

Beispiele für ungültige Platzhalter:

http://*.sub.microsoft.com

ftp://*

[OK]

So it seems they revised their 2 letter — 2 letter TLD spec to 3 letter

— 2 letter.

*.gob.esp works…

Martin

Mal ein
Buch über GPOs lesen?

NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me — coke bottle design refreshment :))
- Marked as answer by
  Wednesday, December 11, 2013 10:57 AM

First published on TechNet on Aug 21, 2008

Craig

here again. Let’s take a look at a specific flavor of 1085 event, and its equivalent on Vista/2008, event 7016. The 1085 would show up in the Application log on XP/2003. The 7016 would show up in the Group Policy operational log on Vista/2008 (Event ViewerApplications and Services LogsMicrosoftWindowsGroup PolicyOperational).

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1085

Date: 7/29/2008

Time: 11:03:23 AM

User: NT AUTHORITYSYSTEM

Computer: M1

Description:

The Group Policy client-side extension Internet Explorer Zonemapping failed to

execute. Please look for any errors reported earlier by that extension.

Log Name: Microsoft-Windows-GroupPolicy/Operational

Source: Microsoft-Windows-GroupPolicy

Date: 7/29/2008 11:39:53 AM

Event ID: 7016

Task Category: None

Level: Error

Keywords:

User: SYSTEM

Computer: M7.contoso.com

Description:

Completed Internet Explorer Zonemapping Extension Processing in 31 milliseconds.

Event Xml:

<Event xmlns=»

http://schemas.microsoft.com/win/2004/08/events/event»

<Provider Name=»Microsoft-Windows-GroupPolicy»

Guid=»{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}» />

<Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>

<Computer>M7.contoso.com</Computer>

</System>

<Data Name=»ErrorCode»>87</Data>

<Data Name=»CSEExtensionName»>Internet Explorer Zonemapping</Data>

</EventData>

</Event>

The 1085 event doesn’t give us the error code. In Vista/2008, the error code shows up on the Details tab of the 7016 event.

To view the error code on XP/2003, we need to enable Userenv logging (KB article

221833

). Once you’ve enabled Userenv logging and run

gpupdate /force

, take a look at the

%windir%debugusermodeuserenv.log

.

If you do a CTRL+F ( Edit | Find) in Notepad for the text string

ProcessGPOList: Extension Internet Explorer Zonemapping returned

you’ll jump down to the interesting part.

ProcessGPOList: Extension Internet Explorer Zonemapping returned 0x57.

A little Notepad trivia for you – you can view the current line number or go to a different one by using CTRL+G (Edit | Go To…), but that only works if you have Word Wrap disabled (Format | Word Wrap).

The

0x

in

0x57

tell us it is a hexadecimal number. 57 hex equals 87 decimal. So the return code in the Userenv.log on XP/2003 is really the same as the error code in the 7016 on Vista/2008. The 7016 is just giving it to us in decimal instead of hex. To map the 0x57 (81) to an error string, we can download

Err.exe

. Err will accept the decorated hex (0x57) or decimal (81) as input. You can also pull these up on the

Win32 Error Codes

page on MSDN.

C:err 0x57

# for hex 0x57 / decimal 87 :

XNS_INTERNAL_ERROR bugcodes.h

MSG_E_BAD_DEFAULT_CA_XCHG_CSP certlog.mc

# Certificate Services could not use the default provider for

# encryption keys. %1

LLC_STATUS_INADEQUATE_LINKS dlcapi.h

NMERR_FRAME_HAS_NO_CAPTURE netmon.h

ERROR_INVALID_PARAMETER winerror.h

# The parameter is incorrect.

LDAP_FILTER_ERROR winldap.h

# 6 matches found for «0x57»

Ok, so we’ve got an invalid parameter somewhere. Let’s go ahead and first find the Group Policy object (GPO) that is causing the pain. On Vista/2008, it is as easy as looking on the

General

tab of the 4016 event that will come right before the 7016 error event. In the example below, the admin has deviated from best practices, so instead of a helpful name such as Site to Zone Assignment List GPO, it is named something less informative.

On XP/2003 we don’t have this nice 4016 event to tell us the name of the offending GPO. But almost as easily we can use Rsop.msc to find it. You can use Rsop.msc to find it on Vista/2008 too, but the 4016 is easier.

You can also double-click on

Site to Zone Assignment List

and see the GPO name on the

Precedence

tab.

So we know the offending GPO, and we can actually look at what it is trying to use right here in Rsop.msc by viewing the

Setting

tab and clicking

Show

.

And there is our problem — 192.168.* is not a valid value. Instead you could use 192.168.*.*.

Examples of invalid values:

192.168.*

http://*

http://contoso.*.com

Examples of valid values:

www.contoso.com

http://*.contoso.com

*://*.contoso.com

http://*.contoso.co.uk

192.168.*.*

At this point you would fire up the

Group Policy Management Console

(

Gpmc.msc

) or

Active Directory Users & Computers

(

Dsa.msc

) and make the appropriate edit to the

Site to Zone Assignment List

policy in the offending GPO.

Site to Zone Assignment List

is located under

User ConfigurationAdministrative TemplatesWindows ComponentsInternet ExplorerInternet Control PanelSecurity Page

. It is also possible you configured this in local policy, in which case you would edit it by running the

Group Policy Object Editor

(

Gpedit.msc

) on the local machine.

And that pretty much wraps it up. An event 1085 or 7016 error referencing the Internet Explorer Zonemapping client-side extension with error code 0x57 (81) can be caused by an invalid value in the Site to Zone Assignment List policy setting. But there are a few other details that may be interesting.

We saw the invalid value is visible in Rsop.msc and of course in the policy itself, but there are a few other places it shows up, namely the registry, the Userenv.log (XP/2003), the Gpsvc.log (Vista/2008), and finally the registry.pol file.

It is interesting to note that even when we are getting 1085 or 7016 errors, the invalid values will be set successfully in the registry and the Userenv.log/Gpsvc.log will reflect that.

Userenv logging has been documented for a long time in KB article

221833

, but it is a bit harder to find information on GPSVC logging that is new to Vista/2008. This is mainly because the Group Policy operational log has vastly improved the ability to troubleshoot Group Policy issues without needing to view additional debug logging. But if you are curious, you can enable GPSVC logging via the registry.

Value Path:

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionDiagnostics

Value Name:

GPSvcDebugLevel

Value Type:

REG_DWORD

Value Data:

30002 (hex)

Output:

%windir%debugusermodegpsvc.log

In this situation, both the Userenv.log and Gpsvc.log will show us the same information with regards to the values that are configured in the Site to Zone Assignment List policy. Just do a search on the text string

ListBox_Support_ZoneMapKey

. Here you can see that even though the

192.168.*

value is invalid; it gets set in the registry successfully.

GPSVC(444.91c) 17:03:40:02 SetRegistryValue: ListBox_Support_ZoneMapKey => 1 [OK]

GPSVC(444.91c) 17:03:40:02 SetRegistryValue:

192.168.*

=> 1 [OK]

The value is written to the following registry location:

HKCUSOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMapKey

The registry.pol file in the GPO in Sysvol is the last place you could see those values. You can use

Regview.exe

to view the contents of a registry.pol file. It is a free download as part of the

2003 Resource Kit Tools

, but it is also included by default now in Vista and 2008.

C:>regview C:WINDOWSSYSVOLdomainPolicies{144AF1E5-05FE-4C6D-8CB6-CBB945F23C85}Userregistry.pol

KeyName: SoftwarePoliciesMicrosoftWindowsCurrentVersionInternet Settings

ValueName: ListBox_Support_ZoneMapKey

ValueType: REG_DWORD

Value: 0x00000001

KeyName: SoftwarePoliciesMicrosoftWindowsCurrentVersionInternet SettingsZoneMapKey

ValueName: 192.168.*

ValueType: REG_SZ

Value: 1

— Craig Landis

Источник

If you found a warning with EventID 1085 on your Windows 7 clients:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link.

You can try to troubleshoot it following these steps.
On Details Tap you can found the error code:

In may case is 87 (The parameter is incorrect).

If you check on “Event Viewer\Applications and Services Logs\Microsoft\Windows\Group Policy\Operational” You will find the error with Event-ID 7016:

Completed Internet Explorer Zonemapping Extension Processing in 78 milliseconds.

Check the previous Event-ID 4016 that report the GPO that is causing the issue:

Checking the GPO, I found an invalid entry on “Site to Zone Assignment List”.
To check if an entry is fine or not, you can use a machine that is not managed by GPO trying to add the entry on “Trusted Sites” directly from IE.

It’s interesting to note checking the values you found on

HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

..that also the not valid entry is there.

Via: https://blogs.technet.microsoft.com/askds/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016/

Источник

Что такое Internet Explorer Zonemapping

Правильная настройка политики Internet Explorer Zonemapping

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

Редактирование Internet Explorer Zonemapping через реестр Windows

Дополнительные материалы

Правильная настройка политики Internet Explorer Zonemapping

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

Редактирование Internet Explorer Zonemapping через реестр Windows

Дополнительные материалы

Правильная настройка политики Internet Explorer Zonemapping

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

Редактирование Internet Explorer Zonemapping через реестр Windows

Дополнительные материалы

<img decoding="async" onError="javascript: wp_broken_images = window.wp_broken_images || function(){}; wp_broken_images(this);" src="https://pyatilistnik.org/wp-content/uploads/2016/02/pyatilistnik-3.png" />

ID 1085, не удалось применить параметры Internet Explorer Zonemapping

ID 1085, не удалось применить параметры Internet Explorer Zonemapping

Что такое Internet Explorer Zonemapping

Правильная настройка политики Internet Explorer Zonemapping

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

Редактирование Internet Explorer Zonemapping через реестр Windows

Windows не удалось применить параметры internet explorer zonemapping

<img decoding="async" onError="javascript: wp_broken_images = window.wp_broken_images || function(){}; wp_broken_images(this);" src="https://i1.social.s-msft.com/globalresources/Images/trans.gif" />

Answered by:

Question

Answers

All replies

Что такое Internet Explorer Zonemapping

Правильная настройка политики Internet Explorer Zonemapping

Правильные варианта синтаксиса сайтов Internet Explorer Zonemapping

Редактирование Internet Explorer Zonemapping через реестр Windows

Дополнительные материалы

Question

Question

Answers

Question

Answers

Интересное по теме: