Applying Proxy settings to COMPUTERS (not users) using Group Policies.

We have three seperate Proxy servers (by locations) and I want to apply proxy settings per computer.

I have setup three computer groups in active directory and placed the computers I want in each. I want to apply a policy to these computers that sets the proxy settings for the user accordingly. Unfortunately the proxy settings are only available in the user sections of the GPO. Is there any way to accomplish what I want to do?

Thanks
LVL 1
TBIRD2340Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

2hypeCommented:
Just Place the computers in a New OU (remove them from the computers OU).  And apply the setting under the User Section of the OU.  This should work as long as you dont have any settings for the Users OU which will overwrite these settings.

Otherwise you could go to each  machine and click --- start --- run --- GPEDIT.MSC and enter the proxy for each computer.

Adding the Proxy Settings in the User configuration settings for the computer policy should work though
TBIRD2340Author Commented:
There's no way we are going to go to each PC (1,000+ machines).

So there is no way to do this except to create multiple OU's?
2hypeCommented:
"I have setup three computer groups in active directory and placed the computers I want in each"
 
It sounds like you already did this.  All you have to do is apply the group policy to each of the groups.

I personally do not know of another method other then this way.  But that does not mean there isnt.
Rowby Goren Makes an Impact on Screen and Online

Learn about longtime user Rowby Goren and his great contributions to the site. We explore his method for posing questions that are likely to yield a solution, and take a look at how his career transformed from a Hollywood writer to a website entrepreneur.

TBIRD2340Author Commented:
Ok. Let me explain what I did in more detail.

I created a global security group (lets say the name is Proxy Group A) and added some computers to it.

I then created a policy (lets say the name is Proxy Policy A) and added that group to the security of that policy and made so it applied the policy settings to it.

I then edited the policy and went to the "User Configuration" of it. From there I went to Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings and changed the proxy settings.

Then I went to one of the PC's that I added to Proxy Group A and logged into the PC. I ran RSOP.MSC to see if the policies got applied. When I right click on "Computer Configuration" I see Proxy Policy A got applied in the COMPUTER section (where the proxy settings AREN'T).

Then I went into the properties of the "User configuration" section. Proxy Policy A is not showing up.

I'm wondering if the user section isn't getting applied because there aren't acutal usernames in the security group :Proxy Group A". If that is the case then what I am trying to accomplish (adding them by computer and NOT user) will not work..
binary_1001010Commented:
Tbird, can you check this.

click start>run>gpedit.msc
expand computer configuration
expand administrative template
expand windows component
expand internet explorer
on the right pane, make proxy setting per-machine(rather than user) ,did you enable or disable that option?
TBIRD2340Author Commented:
I didn't see that setting until yesterday.

It says:

Applies proxy settings to all users of the same computer.

If you enable this policy, users cannot set user-specific proxy settings.
They must use the zones created for all users of the computer.

If you disable this policy or do not configure it, users of the same
computer can establish their own proxy settings.

This policy is intended to ensure that proxy settings apply uniformly to the
same computer and do not vary from user to user.

What I'm interested in is that second paragraph:

If you enable this policy, users cannot set user-specific proxy settings.
They must use the zones created for all users of the computer.

Where do you specify this information (the proxy server info)?
binary_1001010Commented:
yes. there is another policy setting under  Internet Explorer Maintenance > Connection > Proxy Settings and changed the proxy settings.. set it there too.
TBIRD2340Author Commented:
But that setting doesn't get applied unless I assign users to the GPO. Again, I don't want this to be per user I want it to be per machine.
swinterbornCommented:
Tbird

You say "We have three seperate Proxy servers (by locations)". I presume this means that you want all users in a physical location to use a proxy server in that location.

That being the case, the obvious solution would be to use a Site GPO, rather than OU based. This would still apply to the user, but only when the user is in the correct location.

Note that on Win2k, possibly XP as well, the proxy settings are not as transparent as most GPO settings. By this I mean that a blank setting in the Proxy Settings is a valid entry, and will override any settings in a GPO of lesser precedence. You will therefore need to ensure that you set the 'No Override' switch on your Site GPO's. As a consequence of that, I would recommend that you a dedicated site GPO for proxy settings, and a second GPO for any other site specific settings you need to make.

HTH

Simon


Cheers!
TBIRD2340Author Commented:
Simon, that is correct. I have three seperate proxy servers that are in three different physical locations. Let me ask you this.. You suggested using sites instead of OU's...

I have no experience creating sites.. I looked at one site that we have created and it has some subnet info in the general tab. Is it possible to do this:

Create three sites and add specific subnets (locations) to the site. For example, add 192.168.1.0/16 and anyone with an IP address that fits that will get the GPO applied to this site applied to their user / machine?

Thanks for the help!
swinterbornCommented:
Thats, it, you just defined a site. All the more complex stuff with sites is for when you are distributing DC's across multiple locations. We use eactly this setup for our estate of 2000 sites to assign local proxy servers.

HTH

Simon
TBIRD2340Author Commented:
I don't see where / how to assign subnets to the sites I created?
swinterbornCommented:
Wen you expand the Sites node in Sites and Services, you will see all the sites you create and a node at the bottom, Subnets. Right click it and select New Subnet, fill in the subnet details and select the appropriate site
TBIRD2340Author Commented:
Ok. I see that, thanks.

So if I create three sites and assign the appropriate subnets to them, then select each site's properties, and create a group policy with "Authenticated Users" applying the policy, then only users/computers that are in that specific subnet will apply this GPO?

Also, in what precedence do the policies get applied? I have GPO's setup on the Domain level. Which take precendence?

The policy I was going to setup to accomplish the above was to change:

User Configuration > Admin Templates > Internet Explorer > Disable Changing Proxy Settings = Enabled

AND

User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings = Specific Proxy Server Settings

So would this work with what I want to do?

Thanks
swinterbornCommented:
Thats it.

GPO precedence is, in increasing order of importance: Local - Site - Domain - OU, but remember that is not a blanket overwrite  - generally only settings which are explicitly defined at multiple times will get overwritten. As I wrote above, the Proxy Settings are an exception, so you need to use the 'No Override' switch.

Unless you have some sites where users need to be able to change their proxy, I would put the user restriction in a general user policy on an OU, and only put the location specific settings into the Site policy.

Other than that, you've got a working solution.

HTH

Simon

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TBIRD2340Author Commented:
Thanks a lot Simon. Your solution works great!
TBIRD2340Author Commented:
Simon, I don't know if I'm having a problem related to the stuff I did...

One of our Exchange servers was rebooted last nite and it's now getting:

Event Type:      Error
Event Source:      MSExchangeDSAccess
Event Category:      Topology
Event ID:      2114
Date:            6/22/2005
Time:            8:24:19 AM
User:            N/A
Computer:      FBEXCH-FS
Description:
Process MAD.EXE (PID=2400). Topology Discovery failed, error 0x8007077f.

When I looked it up on eventid.net it says:

"- Error code: 0x8007077F - This means that no site/subnet has been defined for the Exchange server. Check the IP address of the Exchange server, define a subnet in Active Directory, and assign that subnet to the proper site."

In Active Directory Sites & Services there was one site created before I added any. In that site there where our DNS/AD Domain controllers and Exchange servers under the "Servers" folder.

I created a new site along with 15 subnets and assigned them all to this site. The ONLY thing I changed in this site was the proxy setting GPO.

Did I jack something up?
swinterbornCommented:
you need to define the subnets that should be associated with the original site as well. As soon as multiple sites are defined, nothing will find the default site unless it has subnets explicitly associated with it.
TBIRD2340Author Commented:
This is in regards to my current question..

I have three proxy policies setup along with my three sites.. When a PC logs in with a certain IP/subnet that falls under one of the three sites it gets the appropriate policy..

Here is my problem. When laptop users take their laptops off site (hotel / home) their browser still has the proxy settings from the policy and they can't use the internet..

Is there a way around this? Is there a way to have the proxy setting reset upon logout or shutdown? We don't want to give the users the ability to edit the proxy settings.

Thanks!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.