?
Solved

Group Policy for Laptops

Posted on 2007-12-04
7
Medium Priority
?
2,025 Views
Last Modified: 2013-12-08
Hi!

I have created a group policy that would set connection to proxy in Internet Explorer and remove Connections tab from Tools->Options. This group policy is applied to User Accounts. I was expecting that once the user is connected to domain his pc will take settings of the group policy and whenhe is out of office, he will use his standard settings, i.e. no proxy information. However, it doesn't work this way. Once computer takes the group policy even out of the office this settings are not nulled. How can I resolve this issue? Thank you very much!
0
Comment
Question by:Zaurb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Expert Comment

by:Aico
ID: 20401681
You could try setting the Local Security Policy setting. Maybe when the machine doesn't detect the domain it reverts back to the Local Security Policy, but I'm not sure about that.
0
 
LVL 16

Expert Comment

by:btassure
ID: 20402105
I would create a batch file that runs a registry entry that removes the proxy when the user is offsite. Group policy will take priority in the office and override any other settings. :o)

Create the following batch file:
@echo off
regedit /s c:\proxy.reg
exit

Or if you want to be clever and do this automatically then put a read only text file in a shared drive on the server and put some random text in it. Call it for example h:\proxycheck.txt
and make your batch file read:
@echo off
if exist h:\proxycheck.txt goto office else goto away
:away
regedit /s c:\proxy.reg
exit
:office
echo proxy ok
exit

Then, on a normal machine (without the group policy in effect) run regedit and go to the following key:
HKCU/software/microsoft/windows/current version/internet settings
highlight that hive and export it (only the selected branch) to c:\proxy.reg
Close regedit and open that file in notepad.
Leave the first two lines:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
and delete everything else except:
"ProxyEnable"=dword:00000000
Make sure it says 00000000

That turns off the proxy. Save the file and exit. Copy that file to the c: drive of the laptop in question.
Copy the batch file above to the c: drive and create a scheduled task to run the batch file every 5 minutes.

If you dont want it automated then put a shortcut to the batch file on the desktop and tell the user to run it when they log on out of the office.
0
 
LVL 1

Author Comment

by:Zaurb
ID: 20402395
Thank you!

Please, explain if there's a way to make the specific group policy be in effect only when user logs on to a domain? When I've disconected my laptop and ran gpupdate /force I thought the policy will be reset to a local policy settings. It didn't work though. I'm a bit confused because I was thinking that domain policies are in effect only when user logs into domain

0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 6

Expert Comment

by:Spot_The_Cat
ID: 20402504
Group Policy basically sets registry keys to policy values. When users log on off the domain - but with a domain account the policy will still be applied.

Also Group Policy overides Local Policy so the Aico's soluton will not resolve the problem. You may find that the solution to you problem is to have different logins  though this may be messy. Alternatively have the proxy setting set by DHCP and stop all other web traffic going out directly over the default gateway.

take a look at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21124850.html

There isn't a way to have policy applied based on where you log in from. I've seen quite a few solutions where the proxyenable option is turned off though this requires either a scheduled task or manual intervention.

I've found that if you secure your network so that users have to use the proxy then there's no danger in setting the proxy through DHCP.
0
 
LVL 11

Expert Comment

by:TWBit
ID: 20402572
Have you tried using the Automatically Detect Settings in IE? I was had the same scenario as you until I switched and now when in the office it will detect my proxy server, and out of the office it won't detect it and use a direct connection.
0
 
LVL 16

Accepted Solution

by:
btassure earned 1000 total points
ID: 20402673
If the laptops are going to be on a different subnet than the one in the office then you can quite easily code your requirements into a proxy.pac file. You can deploy the proxy.pac through group policy as well. In the GPO you would enable automatic detection of settings and enable automatic configuration, in the second type box you need to enter the URL at which you are hosting the proxy.pac (just stick it on your website - the clients can all get it then).
Create the proxy.pac in notepad as follows:
    function FindProxyForURL(url, host)
    {
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    return "PROXY 192.168.1.1:8080";
    else
    return "DIRECT";
    }

Assuming that you are using 192.168.1.0/24 in the office and the proxy server is on .1:8080
Save it and if you want to test that file you can manually set it in IE's proxy settings (copy it to your c drive or something).

Note this will only work if the users are not on the same IP range at home as they are in the office otherwise the proxy.pac will be making them try to use a proxy server that is not there!
0
 
LVL 1

Author Closing Comment

by:Zaurb
ID: 31412544
Thank you very much!
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question