[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10121
  • Last Modified:

GROUP POLICY - filtering: denied (security)

I want to set the same proxy settings for all the users in my domain. They connect on the terminal server using thin clients.

I go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and I set the proxy there.

I run gpupdate /force and then gpresult

The specific policy reports filtering: denied (security)

Why Im I getting that error, and how do I fix it.

Thanks
0
AJKBOC
Asked:
AJKBOC
  • 17
  • 12
  • 4
1 Solution
 
knightfoxCommented:
seems the user account you are running under does not have permission to change the registery key.  this usually runs under the system account at logon.

Save the following as a .reg file and see if you can run it on the client.  You will need to change the ip and port and also the execptions list before doing so.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="000.000.000.000:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>;*.*.*.*."


/Fox
0
 
Toni UranjekConsultant/TrainerCommented:
Hi!

Did you change Security Filtering for this particular GPO in GPMC? Does it still apply to Authenticated Users?

Toni
0
 
AJKBOCAuthor Commented:
This is a terminal server. There are no client computers. All the users connect using thin clients. I am logged in as an administrator on the terminal server so it cant be a permissions error.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
AJKBOCAuthor Commented:
I configured this policy to apply only for a specific test user before assigning a group on that policy.
0
 
knightfoxCommented:
AJ,

Do you have the GPMC installed on your DC?

/Fox
0
 
Toni UranjekConsultant/TrainerCommented:
If I understand correctly, you removed Authenticated Users from Security filtering and added only one user account? If this is correct, than you should log on as that user, because policy will not apply to anyone else.
0
 
AJKBOCAuthor Commented:
Yes I do.
0
 
AJKBOCAuthor Commented:
toniur

This ia exactly what I did.
0
 
knightfoxCommented:
ok... if you select the GPO what do you have under the security filtering?
0
 
Toni UranjekConsultant/TrainerCommented:
As I said before, you should log on as that user to check if policy applies or change Security Filtering settings.
0
 
knightfoxCommented:
To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:

If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

/Fox
0
 
AJKBOCAuthor Commented:
toniur: I did login as that user and the proxy settings are empty. The policy was not applied for that user.

knightfox: test (test@mydomainname.com)
0
 
knightfoxCommented:
and under the advanced security tab?? you see read and apply group policy are ticked?
0
 
AJKBOCAuthor Commented:
knightfox: the test user has Read and Apply Group Policy permissions
0
 
knightfoxCommented:
what happens if you run my reg frag?? do the proxy settings go in ok?
0
 
Toni UranjekConsultant/TrainerCommented:
Is there any entry with Deny permissions selected?
0
 
AJKBOCAuthor Commented:
Not a single user or group under the advanced settings have 'Deny' selected.
0
 
AJKBOCAuthor Commented:
knightfox: what do you mean?
0
 
AJKBOCAuthor Commented:
The problem occures after I remove the 'Authenticated Users' group under 'Security Filtering'

Without making ANY changes at all 'gpresult' shows no errors until I remove the 'Authenticated Users' group under 'Security Filtering'

What does this mean?
0
 
knightfoxCommented:
dont remove authenticated users, just remove the tick on apply group policy

/Fox
0
 
AJKBOCAuthor Commented:
As soon as I removed the tick on apply group policy I get the same filtering: denied (security) error.
0
 
knightfoxCommented:
but you still have your test@tetetete.com in with apply right??
0
 
AJKBOCAuthor Commented:
yes I do.
0
 
AJKBOCAuthor Commented:
Come on experts!!!
0
 
knightfoxCommented:
AJ,

please screen shot GPMC and post it to the forum.  What you are seeing is tipical permissions issues.. could you please also try to create a global security group, add your test user into this and assign it with READ and APPLY Group Policy.  then try to log on as that user.

/Fox
0
 
AJKBOCAuthor Commented:
These are the screenshots

http://www.aristos.net/files/expersexchange/

I've created the group called 'Internet Disabled' and I've added the tes user in that group. I run 'gpupdate /force' and then 'gpresult' and I still get the Filtering:  Denied (Security) error.
0
 
knightfoxCommented:
ok lets go from the top,

Create a new OU and call it user accounts.  using the GPMC delete the current link and group policy.  Create a new GPO object at the newly created user account OU and change the proxy setting to what you need.

Create a new user and add it into the internet disabled group.  assign this group to the new GPO

Please let me know how you get on.

/Fox
0
 
AJKBOCAuthor Commented:
http://www.aristos.net/files/expersexchange/new/

Here are the new screenshots. The only thing I did not do is the new user. I used the test user I hope it's OK.

The new policy does not even appear in the gpresult command.
0
 
knightfoxCommented:
I can see that you are logging in as the administrator to run the GPResult.. the GPO is not being applied to the administrator.. please log in as the "test" user.

also can you please post a screen of the settings with all expanded, I just want to check that you are setting the policy correctly.

/Fox
0
 
AJKBOCAuthor Commented:
I login as an administrator to make changes on the domain. I login as test user on another remote desktop session to check if the policy was applied. But it's never applied when the gpresult reports Filtering:  Denied (Security)

This is the result when running gpresult from the test user account.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 15:39:01


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 15:38:47
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL

C:\Documents and Settings\test>


This is a screenshot of the settings

http://www.aristos.net/files/expersexchange/1234.JPG

But even without configuring any settings for the policy, when the Authenticated Users group is removed, the policy cannot be applied.
0
 
knightfoxCommented:
You test user is not a part of the security group that you created>????

internet disabled.......


The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
0
 
AJKBOCAuthor Commented:
He was not a member because I was running some tests and I removed him. He is in that group now. But what difference will this make if the policy cannot be applied to the group?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 16:05:34


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 16:05:23
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Internet Disabled

C:\Documents and Settings\test>
0
 
AJKBOCAuthor Commented:
I don't know what I was doing wrong, but the following worked.

Open Group Policy Management

Under the domain name, create a new Organizational Unit named Block Internet

Under the Block Internet OU create and link a GPO named Proxy Policy

Edit Proxy Policy and go to User Configuration Windows Settings Internet Explorer Maintenance Connection Proxy Settings and configure proxy settings.

Open Active Directory Users and Computers and drag and drop a test user in the Block Internet

Run gpupdate /force on the domain.

So you get the points.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 17
  • 12
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now