Group Policy for Laptops

Posted on 2007-12-04
Medium Priority
Last Modified: 2013-12-08

I have created a group policy that would set connection to proxy in Internet Explorer and remove Connections tab from Tools->Options. This group policy is applied to User Accounts. I was expecting that once the user is connected to domain his pc will take settings of the group policy and when he is out of office, he will use his standard settings, i.e. no proxy information. However, it doesn't work this way. Once computer takes the group policy even out of the office these settings are not nulled. How can I resolve this issue? Thank you very much!
Question by:Zaurb

Expert Comment

ID: 20401681
You could try setting the Local Security Policy setting. Maybe when the machine doesn't detect the domain it reverts back to the Local Security Policy, but I'm not sure about that.
LVL 16

Expert Comment

ID: 20402105
I would create a batch file that runs a registry entry that removes the proxy when the user is offsite. Group policy will take priority in the office and override any other settings. :o)

Create the following batch file:
@echo off
regedit /s c:\proxy.reg

Or if you want to be clever and do this automatically then put a read only text file in a shared drive on the server and put some random text in it. Call it for example h:\proxycheck.txt
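and make your batch file read:
@echo off
rem Marker file on the server share is reachable only in the office
if exist h:\proxycheck.txt goto office
rem Away: import the .reg file that turns the proxy off
regedit /s c:\proxy.reg
goto :eof
:office
echo proxy ok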

Then, on a normal machine (without the group policy in effect) run regedit and go to the following key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Highlight that hive and export it (only the selected branch) to c:\proxy.reg
Close regedit and open that file in notepad.
Leave the first two lines:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
and delete everything else except:
Make sure it says 00000000

That turns off the proxy. Save the file and exit. Copy that file to the c: drive of the laptop in question.
Copy the batch file above to the c: drive and create a scheduled task to run the batch file every 5 minutes.

If you don't want it automated then put a shortcut to the batch file on the desktop and tell the user to run it when they log on out of the office.

Author Comment

ID: 20402395
Thank you!

Please, explain if there's a way to make the specific group policy be in effect only when user logs on to a domain? When I disconnected my laptop and ran gpupdate /force I thought the policy would be reset to the local policy settings. It didn't work though. I'm a bit confused because I was thinking that domain policies are in effect only when user logs into domain.


Expert Comment

ID: 20402504
Group Policy basically sets registry keys to policy values. When users log on off the domain, but with a domain account, the policy will still be applied.

Also Group Policy overrides Local Policy so Aico's solution will not resolve the problem. You may find that the solution to your problem is to have different logins, though this may be messy. Alternatively have the proxy setting set by DHCP and stop all other web traffic going out directly over the default gateway.

Take a look at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21124850.html

There isn't a way to have policy applied based on where you log in from. I've seen quite a few solutions where the proxyenable option is turned off though this requires either a scheduled task or manual intervention.

I've found that if you secure your network so that users have to use the proxy then there's no danger in setting the proxy through DHCP.
LVL 11

Expert Comment

ID: 20402572
Have you tried using the Automatically Detect Settings in IE? I had the same scenario as you until I switched and now when in the office it will detect my proxy server, and out of the office it won't detect it and use a direct connection.
LVL 16

Accepted Solution

btassure earned 1000 total points
ID: 20402673
If the laptops are going to be on a different subnet than the one in the office then you can quite easily code your requirements into a proxy.pac file. You can deploy the proxy.pac through group policy as well. In the GPO you would enable automatic detection of settings and enable automatic configuration, in the second type box you need to enter the URL at which you are hosting the proxy.pac (just stick it on your website - the clients can all get it then).
Create the proxy.pac in notepad as follows:
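    // The office network address and netmask go in the two empty strings;
    // the proxy's host:port goes after PROXY.
    function FindProxyForURL(url, host) {
        if (isInNet(myIpAddress(), "", ""))
            return "PROXY";
        return "DIRECT";
    }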

Assuming that you are using in the office and the proxy server is on .1:8080
Save it and if you want to test that file you can manually set it in IE's proxy settings (copy it to your c drive or something).

Note this will only work if the users are not on the same IP range at home as they are in the office otherwise the proxy.pac will be making them try to use a proxy server that is not there!
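
An added example, not part of the original answer: the proxy.pac decision described above, with stand-ins for the browser-provided `isInNet` and `myIpAddress` so the logic can be run under Node before the file is deployed. The subnet, netmask and proxy host name are constructed placeholders, and `decideFor` is a hypothetical test helper.

```javascript
// Constructed placeholder values; replace with the real office subnet and proxy.
var OFFICE_NET = "10.20.0.0";
var OFFICE_MASK = "255.255.0.0";
var OFFICE_PROXY = "PROXY proxy.example.internal:8080";

// --- Stand-ins for helpers that the browser's PAC engine normally provides. ---
// They exist only so this file runs offline; leave them out of the deployed proxy.pac.
var simulatedClientIp = "10.20.5.17";
function myIpAddress() { return simulatedClientIp; }

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return ((acc << 8) | Number(octet)) >>> 0;
  }, 0);
}

// True when ip falls inside net/mask (same semantics as the PAC helper).
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// --- The PAC entry point itself. ---
// Use the proxy only when the client's own address is in the office subnet.
function FindProxyForURL(url, host) {
  if (isInNet(myIpAddress(), OFFICE_NET, OFFICE_MASK)) {
    return OFFICE_PROXY;
  }
  return "DIRECT";
}

// Hypothetical test helper: evaluate the PAC as if the laptop had clientIp.
function decideFor(clientIp, url) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}

// Office address -> proxy; typical home address -> direct connection.
console.log(decideFor("10.20.5.17", "http://example.com/"));
console.log(decideFor("192.168.1.23", "http://example.com/"));
// A home network that happens to reuse the office range is indistinguishable
// by address alone, so the PAC still hands back the (unreachable) office proxy.
console.log(decideFor("10.20.1.50", "http://example.com/"));
```

The third call shows the limitation noted above: the decision rests only on the client's IP address, so an overlapping home range selects the office proxy.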

Author Closing Comment

ID: 31412544
Thank you very much!
