Solved

Group Policy for Laptops

Posted on 2007-12-04
7
2,008 Views
Last Modified: 2013-12-08
Hi!

I have created a group policy that would set connection to proxy in Internet Explorer and remove Connections tab from Tools->Options. This group policy is applied to User Accounts. I was expecting that once the user is connected to domain his pc will take settings of the group policy and whenhe is out of office, he will use his standard settings, i.e. no proxy information. However, it doesn't work this way. Once computer takes the group policy even out of the office this settings are not nulled. How can I resolve this issue? Thank you very much!
0
Comment
Question by:Zaurb
7 Comments
 
LVL 3

Expert Comment

by:Aico
ID: 20401681
You could try setting the Local Security Policy setting. Maybe when the machine doesn't detect the domain it reverts back to the Local Security Policy, but I'm not sure about that.
0
 
LVL 16

Expert Comment

by:btassure
ID: 20402105
I would create a batch file that runs a registry entry that removes the proxy when the user is offsite. Group policy will take priority in the office and override any other settings. :o)

Create the following batch file:
@echo off
regedit /s c:\proxy.reg
exit

Or if you want to be clever and do this automatically then put a read only text file in a shared drive on the server and put some random text in it. Call it for example h:\proxycheck.txt
and make your batch file read:
@echo off
if exist h:\proxycheck.txt goto office else goto away
:away
regedit /s c:\proxy.reg
exit
:office
echo proxy ok
exit

Then, on a normal machine (without the group policy in effect) run regedit and go to the following key:
HKCU/software/microsoft/windows/current version/internet settings
highlight that hive and export it (only the selected branch) to c:\proxy.reg
Close regedit and open that file in notepad.
Leave the first two lines:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
and delete everything else except:
"ProxyEnable"=dword:00000000
Make sure it says 00000000

That turns off the proxy. Save the file and exit. Copy that file to the c: drive of the laptop in question.
Copy the batch file above to the c: drive and create a scheduled task to run the batch file every 5 minutes.

If you dont want it automated then put a shortcut to the batch file on the desktop and tell the user to run it when they log on out of the office.
0
 
LVL 1

Author Comment

by:Zaurb
ID: 20402395
Thank you!

Please, explain if there's a way to make the specific group policy be in effect only when user logs on to a domain? When I've disconected my laptop and ran gpupdate /force I thought the policy will be reset to a local policy settings. It didn't work though. I'm a bit confused because I was thinking that domain policies are in effect only when user logs into domain

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 6

Expert Comment

by:Spot_The_Cat
ID: 20402504
Group Policy basically sets registry keys to policy values. When users log on off the domain - but with a domain account the policy will still be applied.

Also Group Policy overides Local Policy so the Aico's soluton will not resolve the problem. You may find that the solution to you problem is to have different logins  though this may be messy. Alternatively have the proxy setting set by DHCP and stop all other web traffic going out directly over the default gateway.

take a look at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21124850.html

There isn't a way to have policy applied based on where you log in from. I've seen quite a few solutions where the proxyenable option is turned off though this requires either a scheduled task or manual intervention.

I've found that if you secure your network so that users have to use the proxy then there's no danger in setting the proxy through DHCP.
0
 
LVL 11

Expert Comment

by:TWBit
ID: 20402572
Have you tried using the Automatically Detect Settings in IE? I was had the same scenario as you until I switched and now when in the office it will detect my proxy server, and out of the office it won't detect it and use a direct connection.
0
 
LVL 16

Accepted Solution

by:
btassure earned 250 total points
ID: 20402673
If the laptops are going to be on a different subnet than the one in the office then you can quite easily code your requirements into a proxy.pac file. You can deploy the proxy.pac through group policy as well. In the GPO you would enable automatic detection of settings and enable automatic configuration, in the second type box you need to enter the URL at which you are hosting the proxy.pac (just stick it on your website - the clients can all get it then).
Create the proxy.pac in notepad as follows:
    function FindProxyForURL(url, host)
    {
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    return "PROXY 192.168.1.1:8080";
    else
    return "DIRECT";
    }

Assuming that you are using 192.168.1.0/24 in the office and the proxy server is on .1:8080
Save it and if you want to test that file you can manually set it in IE's proxy settings (copy it to your c drive or something).

Note this will only work if the users are not on the same IP range at home as they are in the office otherwise the proxy.pac will be making them try to use a proxy server that is not there!
0
 
LVL 1

Author Closing Comment

by:Zaurb
ID: 31412544
Thank you very much!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article runs through the process of deploying a single EXE application selectively to a group of user.
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question