--- title: Add trusted sites using Group Policy description: Requirements component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_trusted_sites_google_policy canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_trusted_sites_google_policy.html revdate: December 9, 2021 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps example: Example: result: Result --- # Add trusted sites using Group Policy ## Before you begin Requirements * Administrative permissions on the AD Connect domain controller (DC) for the Windows Server IIS host (or cluster of IIS hosts) for AD Connect. ## About this task For seamless SSO with AD Connect, use these instructions when you want to assign the IIS host to the Internet Explorer (IE) client's list of trusted sites, and you are using a Group Policy for IE to do this. You will need to create a new Group Policy Object (GPO) on the DC and assign the trusted site for AD Connect to Internet Explorer clients. | | | | - | -------------------------------------------------------- | | | These Group Policy settings should also work for Chrome. | ## Steps 1. From the DC, open Group Policy Management (in Administrative Tools). 2. Right-click the domain, select **Create a GPO in this domain, and Link it here**, and enter a name for the GPO you will use for the IE trusted sites policy. 3. Right-click on your new GPO and select **Edit**. The Computer Configuration and User Configuration nodes are displayed in the left pane. 4. Expand the User Configuration node to Preferences + Windows Settings. 5. Right-click **Registry** and select **New**, **Registry Item**. 6. From the Action dropdown list, select **Update**. 7. From the Hive dropdown list, select **HKEY\_CURRENT\_USER**, then click to browse for the Key Path value. 8. Expand the HKEY\_CURRENT\_USER node to **Preferences > Software > Microsoft > Windows > CurrentVersion > Internet Settings > ZoneMap**. Click **Domains > Select**. 9. In the Key Path field, go to the end of the entry and enter the domain in which the IIS host for AD Connect resides (for example, mydomain.com), and the IIS host name (for example, adConnect): ### Example: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mydomain.com\adConnect | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------ | | | If you're using NLB, or another clustering solution, you will specify the virtual cluster IP rather than an individual IIS host name here. | 10. In the Value name field, enter the protocol. We recommend "https". 11. From the `Value type` dropdown list, select **REG\_DWORD**, and for `Value` data enter "1" as the number (1 - 4) indicating the security zone to assign to the URL. The security zone assignments are as follows: * 1 - Intranet * 2 - Trusted Sites * 3 - Internet * 4 - Restricted 12. Click **Apply > OK** and close Group Policy Management. 13. From the command line interface, run the command: `gpupdate /force`. 14. When the command finishes, close IE (if it is open) and run the `gpupdate /force` command again, this time from the Local Admin account. 15. Open IE and go to **Tools > Internet Options > Security > Local Intranet > Sites**. You should see the URL for the IIS host for AD Connect in the list of trusted sites. ## Result This method of adding trusted sites using Group Policy applies to every IE client user in the domain, and doesn't conflict with any URLs added by the user. You can constrain this policy by applying the GPO to a specific OU within the domain, or changing the Security Group to which the GPO should apply (in the GPO's **Scope > Security Filtering** settings).