
Add GPO Template: ProxyEnable - Registry

Posted on 2006-05-04
Last Modified: 2008-01-09
Please keep in mind I'm not an expert, I've been working with domains, servers for only a few months, but I usually find a way to resolve my problems.  It's the first time I use this kind of forum, and my English is not perfect, hopefully it'll be readable...

I've tried to add a GPO Template for the registry key "ProxyEnable".  When a certain user logs in, I want the proxy to be enabled so he can't access the internet.  When another user logs in, I want to disable the proxy so he can access the internet.

I created the following .adm file

CLASS USER
CATEGORY "Internet Proxy"
POLICY "Set Proxy"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "ProxyEnable"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY

I then added the template in my GPO, and enabled it for the appropriate OU.

I then tried it, ran gpupdate /force, but nothing changes.

When I look in the GPO Editor, the icon has some red in it, while it is usually blue.  Is it red because I have an error, or because it's a personalized template?  Anyway, it doesn't work...  Is the structure of my .ADM file alright?

Thanks for reading and trying to help.
Question by:TIC_Telecom
15 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16611261
First, welcome to Experts-Exchange!  If you have any questions about how things work here, please visit the Help section or post a question to the Community Support TA.

As for your ProxyEnable issue... I'm wondering what it is that you are trying to accomplish.  Your adm file is not entirely complete.  But you can find a sample of what I think you are trying to do here http:Q_21558400.html

I'm assuming that you have the Standard Edition of SBS because if you were using ISA Server you wouldn't have to disable the proxy, you could just set up different rules for different users.

Jeff
TechSoEasy
0
 

Author Comment

by:TIC_Telecom
ID: 16611962
Thanks Jeff

The link http:Q_21558400.htm doesn't seem to work though...  Yes I do have the standard edition of SBS.  The only way to enable/disable the internet access to specific users that I found, without using the router, was with a GPO.  I then realized that you can disable the internet proxy in Windows GPOs, but the setting stays on the computer after that...  That's why I need to use the registry key "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable" in a GPO.

So I'm pretty much looking for help with my adm file, since it's the first time I use this.  It's a great tool and I'm trying to learn how to use it.

Could you or anyone else tell me how to correct my adm file?  It's all I need and I'll give the points after testing.

Thanks

Bast
TIC Telecom
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16611967
sorry, I left off the "l"  it's fixed now.
0
 

Author Comment

by:TIC_Telecom
ID: 16611969
What it basically has to do:

if the GPO is enabled, the registry key Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable must be enabled.  If the GPO is disabled, the same registry key must be disabled.

Bast
TIC Telecom
0
 

Author Comment

by:TIC_Telecom
ID: 16611971
Thanks for the link, I will try it tomorrow for sure
0
 

Author Comment

by:TIC_Telecom
ID: 16614195
I tried the exact same adm file that was on the link, still doesn't work...

CLASS USER

  CATEGORY "Override IE Proxy Settings"

    POLICY "Sets internet explorer proxy settings."
      EXPLAIN "Sets the proxy settings in IE."
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        PART "Choose a proxy setting:" EDITTEXT REQUIRED
          VALUENAME "ProxyServer"
        END PART
    END POLICY

    POLICY "Force IE Proxy to be used on client"
      EXPLAIN "Set to enable if you wish to force the client to use this proxy setting"
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        PART "Force client to use proxy." CHECKBOX DEFCHECKED
          VALUENAME "ProxyEnable"
          VALUEON "1"
          VALUEOFF "0"
        END PART
    END POLICY

    POLICY "Override the proxy for these IP addresses."
      EXPLAIN "Override Proxy for IP based addresses."
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        PART "Choose a proxy setting:" EDITTEXT REQUIRED
          VALUENAME "ProxyOverride"
        END PART
    END POLICY

  END CATEGORY

[strings]

Set the proxy to 0.0.0.0 to disable internet access.  The three policies are enabled.  The proxy is still not forced to the user.

I'm doing all of this remotely, so I didn't reboot the computer.  Maybe some policies need a complete reboot...  Anything else could be wrong, or could my problem be elsewhere than in my .adm file?

Thanks

Bast
TIC Telecom
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16616520
Instead of using a Proxy for this, have you considered modifying the Windows Firewall GPO for these users?  You could configure it to deny any traffic on port 80.

Jeff
TechSoEasy
0
 

Author Comment

by:TIC_Telecom
ID: 16622307
Sorry for the delay...  What I like about the proxy is that I can make exceptions to a few sites, and I'd really like to be able to use the registry way, since it will be useful for other problems later.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 1500 total points
ID: 16624886
Okay... took another look at what you are doing...

You don't want to do this via Registry because there is already a GP parameter to handle it and you have not accounted for the fact that the user can just turn it off in IE settings.  If there are other problems later, then they hopefully can be handled via GPO as well.

Additionally, since GP's will refresh on a log-off/log-on, a setting such as this will take effect, whereas a GP that changes a registry entry won't take effect until the computer reboots.  This would mean that if a restricted user logs off a machine it would have to be rebooted before a non-restricted user logs on.  I can easily see that the non-restricted user would log on and not realize the problem until they have 5 programs open and then try to access the Internet.  Not a good thing.

So, you should instead create a GPO according to these steps:

1. Expand User Configuration to set this policy on a per-user basis.
2. Expand Windows Settings > Internet Explorer Maintenance.
3. Select Connection, and double-click Proxy Settings.
4. Select the Enable Proxy Settings check box > Add 0.0.0.0 to the HTTP entry, and click OK.
5. Expand Administrative Templates > Windows Components.
6. Select Internet Explorer, and double-click “Disable Changing Proxy Settings”
7. Select Enabled, and click OK.

Once you have this working, you would then create a new OU under the "Security Groups.Groups.MyBusiness.domain.com" OU and within that new OU create a new Security Group called something like "Restricted".  Then you add the Restricted User accounts to the new Security Group's membership.

If you have problems with this taking due to Group Policy refresh rates, there are ways to adjust that... alternatively you can do this via the User Logon Script.

Jeff
TechSoEasy
0
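
A way to verify the result of steps 1 to 7 on a client, added here as an example and not part of the original thread: the PowerShell function below reads the logged-on user's proxy values and reports whether the 0.0.0.0 proxy and the change lock are in effect for that account. The function name `Get-IeProxyState`, its `-ExpectRestricted` parameter, and the two policy registry locations (for "Disable changing proxy settings" and for per-machine proxy settings) are assumptions that do not come from the thread.

```powershell
# Added example, not from the thread. Run as the logged-on user after
# Group Policy has applied (for example after "gpupdate /force" and a re-logon).
function Get-IeProxyState {
    param(
        # Hypothetical parameter: $true for accounts in the restricted group.
        [Parameter(Mandatory = $true)][bool]$ExpectRestricted
    )

    # Per-user values discussed in the thread.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Assumed location of the "Disable changing proxy settings" policy value.
    $lockKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    # Assumed location of the policy that makes proxy settings per-machine.
    $machKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    $lock = Get-ItemProperty -Path $lockKey -ErrorAction SilentlyContinue
    $mach = Get-ItemProperty -Path $machKey -ErrorAction SilentlyContinue

    $enabled    = [bool]($inet -and $inet.ProxyEnable -eq 1)
    $server     = if ($inet) { [string]$inet.ProxyServer } else { '' }
    $override   = if ($inet) { [string]$inet.ProxyOverride } else { '' }
    # ProxyServer is either "host:port" or "http=host:port;https=..."
    $blackholed = $enabled -and ($server -match '(^|=)0\.0\.0\.0(:|;|$)')
    $locked     = [bool]($lock -and $lock.Proxy -eq 1)
    $perMachine = [bool]($mach -and $mach.ProxySettingsPerUser -eq 0)

    $findings = @()
    if ($ExpectRestricted) {
        if (-not $blackholed) { $findings += 'Restricted user, but the 0.0.0.0 proxy is not in effect.' }
        if (-not $locked)     { $findings += 'Restricted user can still change proxy settings in IE.' }
    } elseif ($blackholed) {
        $findings += 'Unrestricted user still has the 0.0.0.0 proxy set.'
    }
    if ($perMachine) { $findings += 'Proxy settings are per-machine, not per-user.' }

    [pscustomobject]@{
        User = $env:USERNAME; ProxyEnable = $enabled; ProxyServer = $server
        ProxyOverride = $override; ChangeLocked = $locked
        PerMachine = $perMachine; Findings = $findings
    }
}

# Example call for an account that should be restricted.
Get-IeProxyState -ExpectRestricted $true | Format-List
```

Running it once as a restricted user and once as an unrestricted user on the same computer shows whether the proxy follows the account or stays with the machine.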
 

Author Comment

by:TIC_Telecom
ID: 16625854
I decided to go the registry way because I had problems using the GPO.  When I tried with it, I created my OU, then a new security group linked to this GPO:

1. Expand User Configuration to set this policy on a per-user basis.
2. Expand Windows Settings > Internet Explorer Maintenance.
3. Select Connection, and double-click Proxy Settings.
4. Select the Enable Proxy Settings check box > Add 0.0.0.0 to the HTTP entry, and click OK.
5. Expand Administrative Templates > Windows Components.
6. Select Internet Explorer, and double-click “Disable Changing Proxy Settings”
7. Select Enabled, and click OK.

Then I had another OU, which was not linked to these GPOs.

It worked very well at first, the restricted users would log in everywhere without being able to access the net.  The problem is that when a power user or an administrator logs in, one not linked to the Enable Proxy Settings GPO, the proxy is still stuck on the computer.  

I'll test as you told me with an adjusted Group Policy refresh rate and tell you if it works.

Thanks for the patience...
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16626515
Funny... I was thinking that would happen which is why I had mentioned that the registry solution would definitely cause that...

You can create a reverse of this GPO for privileged users that sets the Proxy settings to "Not Configured" which should remove the setting.

You probably want to disable XP's Quick Logon function so that Group Policy is applied fully at logon instead of being refreshed at 90 minutes or whenever.

Jeff
TechSoEasy
0
 

Author Comment

by:TIC_Telecom
ID: 16627082
Quick Logon already active, yeah I had already tried it but even with the users set with Proxy Settings "Not Configured", the proxy still stays on the computer no matter who logs in.  It's like the GPO works to enable the proxy, but not to disable it.

But I did find something else

User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Connection Settings.  Then I chose "Import Settings from this computer", configured it.  And it now seems to work.  As if the Proxy GPO could enable the Proxy, but not disable it, while the "Connection Settings" lets you do whatever you want.

Thanks for helping.

Bast
TIC Telecom
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16627413
You want Quick Logon DISABLED.

And yeah, either the Connection Settings or the Automatic Connection Script would work... you can actually use that on both groups to make it more consistent.

Normally SBS would configure the connection with an Automatic Connection Script which is kept on the server at:
C:\Program Files\Microsoft Windows Small Business Server\ClientSetup\Clients\Setup\install.ins

You can take a look at that file if you want to see another way to do this.  Basically it's an .ini file that works on IE.

Jeff
TechSoEasy
0
 

Author Comment

by:TIC_Telecom
ID: 16627546
Sorry I used the wrong word, yeah Quick Logon is disabled!

You're right about using the same setting for both groups, I will.

Thanks for the tips!  I appreciate it.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16627581
No prob.

TSE
0
