mpatrick65

Setting proxy server via group policy (500pts)

In our organization we would like all of our users to use a proxy server to access the internet. Reading online I was able to find suggestions using group policy to set this up. I figured it would be better to test it with a single user before deploying it to all the users.

So far I have created a new AD organizational unit under user accounts called "test group" and moved the test user into the container. Then, clicking on this new container, I selected Properties and then the Group Policy tab. When I looked into the group policy object links it showed as blank, which makes sense because I just created the OU.

Under the group policy I added a new policy called "proxy server configuration". Under this new policy I added the following entries:
User Settings > Windows Settings > Internet Explorer Maintenance > Connection
I pointed it to the correct server and port number as well as bypass proxy server for local addresses

User Settings > Administrative Templates > Windows Components > Internet Explorer
I disabled the option to allow the user to edit their proxy server configuration so once it is set there is no way around it.

I saved all the changes that I made and exited out of the group policy. I figured this should be all set so that it will only affect the users that are in the "test group" organizational unit. However, when I went and logged in as the user we were testing it on, there were no settings affected with the proxy server.

I am kinda stumped as to why this is not working. Any suggestions?
SOLUTION
RajatMeher

This solution is only available to members.
mpatrick65 (ASKER)

The machine that I was testing it on is a Win2k machine. I did what you suggested with the group policy update and then restarted the machine to allow the changes to take effect. Still no luck: the information in the Connections tab is still showing no proxy server and it is still user editable.
RajatMeher

Can you check the event logs on the client PC for any errors during propagation of group policies? How long has this PC been in the current OU? It appears obvious, but try manually updating the machine policy once by "secedit /refreshpolicy machine_policy"

Post back your observations,
Rajat.
The machine has been in the current OU basically since it was joined to the domain. I created this group policy under a new OU I created within the user accounts called "test group". I then moved the user account I wanted to test this policy on into the "test group" OU. I know this sounds a little construed but hopefully it makes sense to you.


I will try the secedit /refreshpolicy machine_policy right now and see if that does anything.

As far as the event log goes, it does not show any kind of errors regarding the propagation of the policies.
A little update here for you all. I just tried logging in with the person's user name on two separate other machines, one a Windows XP machine and one a Windows 2000 machine, and both times the group policy appeared to work without a problem. It looks like the group policy is working and picking up but only on machines that have never been logged into before.

Any ideas why?
Could be DNS related. Are your DNS settings identical between the machines?
Try forcing the policy by adding the /enforce flag...

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Win 2000 (as well as XP) sometimes takes as much as 3 logins/reboots to get the whole policy from my experience.
SOLUTION
This solution is only available to members.
"Group Policy Objects are never applied to GROUPS but leaf objects -- You can use Group to filter policy settings. By default group policy applies to all leaf objects (user and computer accounts) in the container where you have set GPO"

I don't think that this will be a problem because the way the AD structure is set up, the container which the group policy is set for is only about 4-5 people in a remote office. There are no other users listed under this container and there are also no administrators etc. in this container. And since the group policy is set under the user accounts of the people logging in, wouldn't it only affect those users who are listed in the container for which the GPO is set?
ASKER CERTIFIED SOLUTION
Kevin Hays

This solution is only available to members.
Kshays: That is the exact way that I did it.

I think I actually might have gotten it to work with a registry tweak supplied by Microsoft. By using regedit and editing the noGPOlistChanges to a 0 rather than a 1, it makes it so that the computer checks the group policy each time the machine is logged into the domain, so that the proxy server is always set to the appropriate address and then is dimmed so that it is not user editable.
What hive is it in?  Are there any warnings by setting it this way?

regards,

kshays
Here is a link to the Microsoft KB article. The example they give is setting a home page but it can be used for all Internet Explorer settings through group policies.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306915

I actually found the bottom part of the article more helpful than the top: the little blurb about using the Computer Configuration, Administrative Templates, System, Group Policy to set the option to check the GPO settings even if the GPO has not been updated.
True, that may be a good solution to implement anyway.  This shouldn't be a problem as long as there are not a lot of GPOs in place, which in my case there aren't :)

kshays
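
A scripted version of the check the thread performs by eye in the Connections tab, as an added example that is not part of any post above: it reads the logged-on user's proxy values, the policy lock, and any NoGPOListChanges setting. The registry locations are the standard Windows and Internet Explorer ones and do not come from the thread, proxy.example.internal:8080 is a constructed placeholder, and the script assumes a client with PowerShell 3 or later.

```powershell
# Added example: audit whether the GPO proxy settings discussed above landed.
# Registry locations are standard Windows/IE ones, not taken from the thread.
# The default for $ExpectedProxy is a constructed placeholder (host:port).
param([string]$ExpectedProxy = 'proxy.example.internal:8080')

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$lock = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$gp   = 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy'

$enable   = Get-RegValue $inet 'ProxyEnable'
$server   = Get-RegValue $inet 'ProxyServer'
$override = Get-RegValue $inet 'ProxyOverride'
$locked   = Get-RegValue $lock 'Proxy'

# Each subkey of $gp is one client-side extension; list those told to
# reprocess policy even when the GPO list has not changed (value 0).
$forced = @(Get-ChildItem -LiteralPath $gp -ErrorAction SilentlyContinue |
    Where-Object { (Get-RegValue $_.PSPath 'NoGPOListChanges') -eq 0 } |
    ForEach-Object { $_.PSChildName })

$checks = @(
    [pscustomobject]@{ Check = 'Proxy enabled for this user'
                       Pass  = ($enable -eq 1); Found = $enable }
    [pscustomobject]@{ Check = 'Proxy server matches expected host:port'
                       Pass  = ($server -like "*$ExpectedProxy*"); Found = $server }
    [pscustomobject]@{ Check = 'Bypass proxy for local addresses'
                       Pass  = ($override -like '*<local>*'); Found = $override }
    [pscustomobject]@{ Check = 'Proxy settings locked by policy'
                       Pass  = ($locked -eq 1); Found = $locked }
    [pscustomobject]@{ Check = 'An extension has NoGPOListChanges = 0'
                       Pass  = ($forced.Count -gt 0); Found = ($forced -join ', ') }
)

$checks | Format-Table -AutoSize

# Non-zero exit code lets a logon script or monitoring job flag the client.
if ($checks.Pass -contains $false) { exit 1 }
```

Run it in the affected user's session, since the first four checks read HKCU for whoever is logged on.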