Solved

GROUP POLICY - filtering: denied (security)

Posted on 2008-10-20
33
8,374 Views
Last Modified: 2013-12-04
I want to set the same proxy settings for all the users in my domain. They connect on the terminal server using thin clients.

I go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and I set the proxy there.

I run gpupdate /force and then gpresult

The specific policy reports filtering: denied (security)

Why Im I getting that error, and how do I fix it.

Thanks
0
Comment
Question by:AJKBOC
  • 17
  • 12
  • 4
33 Comments
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
seems the user account you are running under does not have permission to change the registery key.  this usually runs under the system account at logon.

Save the following as a .reg file and see if you can run it on the client.  You will need to change the ip and port and also the execptions list before doing so.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="000.000.000.000:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>;*.*.*.*."


/Fox
0
 
LVL 31

Expert Comment

by:Toni Uranjek
Comment Utility
Hi!

Did you change Security Filtering for this particular GPO in GPMC? Does it still apply to Authenticated Users?

Toni
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
This is a terminal server. There are no client computers. All the users connect using thin clients. I am logged in as an administrator on the terminal server so it cant be a permissions error.
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
I configured this policy to apply only for a specific test user before assigning a group on that policy.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
AJ,

Do you have the GPMC installed on your DC?

/Fox
0
 
LVL 31

Expert Comment

by:Toni Uranjek
Comment Utility
If I understand correctly, you removed Authenticated Users from Security filtering and added only one user account? If this is correct, than you should log on as that user, because policy will not apply to anyone else.
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
Yes I do.
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
toniur

This ia exactly what I did.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
ok... if you select the GPO what do you have under the security filtering?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
Comment Utility
As I said before, you should log on as that user to check if policy applies or change Security Filtering settings.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:

If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
toniur: I did login as that user and the proxy settings are empty. The policy was not applied for that user.

knightfox: test (test@mydomainname.com)
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
and under the advanced security tab?? you see read and apply group policy are ticked?
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
knightfox: the test user has Read and Apply Group Policy permissions
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
what happens if you run my reg frag?? do the proxy settings go in ok?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
Comment Utility
Is there any entry with Deny permissions selected?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
Not a single user or group under the advanced settings have 'Deny' selected.
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
knightfox: what do you mean?
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
The problem occures after I remove the 'Authenticated Users' group under 'Security Filtering'

Without making ANY changes at all 'gpresult' shows no errors until I remove the 'Authenticated Users' group under 'Security Filtering'

What does this mean?
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
dont remove authenticated users, just remove the tick on apply group policy

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
As soon as I removed the tick on apply group policy I get the same filtering: denied (security) error.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
but you still have your test@tetetete.com in with apply right??
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
yes I do.
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
Come on experts!!!
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
AJ,

please screen shot GPMC and post it to the forum.  What you are seeing is tipical permissions issues.. could you please also try to create a global security group, add your test user into this and assign it with READ and APPLY Group Policy.  then try to log on as that user.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
These are the screenshots

http://www.aristos.net/files/expersexchange/

I've created the group called 'Internet Disabled' and I've added the tes user in that group. I run 'gpupdate /force' and then 'gpresult' and I still get the Filtering:  Denied (Security) error.
0
 
LVL 7

Accepted Solution

by:
knightfox earned 500 total points
Comment Utility
ok lets go from the top,

Create a new OU and call it user accounts.  using the GPMC delete the current link and group policy.  Create a new GPO object at the newly created user account OU and change the proxy setting to what you need.

Create a new user and add it into the internet disabled group.  assign this group to the new GPO

Please let me know how you get on.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
http://www.aristos.net/files/expersexchange/new/

Here are the new screenshots. The only thing I did not do is the new user. I used the test user I hope it's OK.

The new policy does not even appear in the gpresult command.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
I can see that you are logging in as the administrator to run the GPResult.. the GPO is not being applied to the administrator.. please log in as the "test" user.

also can you please post a screen of the settings with all expanded, I just want to check that you are setting the policy correctly.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
I login as an administrator to make changes on the domain. I login as test user on another remote desktop session to check if the policy was applied. But it's never applied when the gpresult reports Filtering:  Denied (Security)

This is the result when running gpresult from the test user account.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 15:39:01


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 15:38:47
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL

C:\Documents and Settings\test>


This is a screenshot of the settings

http://www.aristos.net/files/expersexchange/1234.JPG

But even without configuring any settings for the policy, when the Authenticated Users group is removed, the policy cannot be applied.
0
 
LVL 7

Expert Comment

by:knightfox
Comment Utility
You test user is not a part of the security group that you created>????

internet disabled.......


The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
He was not a member because I was running some tests and I removed him. He is in that group now. But what difference will this make if the policy cannot be applied to the group?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 16:05:34


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 16:05:23
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Internet Disabled

C:\Documents and Settings\test>
0
 
LVL 2

Author Comment

by:AJKBOC
Comment Utility
I don't know what I was doing wrong, but the following worked.

Open Group Policy Management

Under the domain name, create a new Organizational Unit named Block Internet

Under the Block Internet OU create and link a GPO named Proxy Policy

Edit Proxy Policy and go to User Configuration Windows Settings Internet Explorer Maintenance Connection Proxy Settings and configure proxy settings.

Open Active Directory Users and Computers and drag and drop a test user in the Block Internet

Run gpupdate /force on the domain.

So you get the points.
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Join & Write a Comment

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now