AJKBOC
GROUP POLICY - filtering: denied (security)
I want to set the same proxy settings for all the users in my domain. They connect on the terminal server using thin clients.
I go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and I set the proxy there.
I run gpupdate /force and then gpresult
The specific policy reports filtering: denied (security)
Why am I getting that error, and how do I fix it?
Thanks
Hi!
Did you change Security Filtering for this particular GPO in GPMC? Does it still apply to Authenticated Users?
Toni
ASKER
This is a terminal server. There are no client computers. All the users connect using thin clients. I am logged in as an administrator on the terminal server so it can't be a permissions error.
ASKER
I configured this policy to apply only for a specific test user before assigning a group on that policy.
AJ,
Do you have the GPMC installed on your DC?
/Fox
If I understand correctly, you removed Authenticated Users from Security filtering and added only one user account? If this is correct, then you should log on as that user, because policy will not apply to anyone else.
ASKER
Yes I do.
ASKER
toniur
This is exactly what I did.
ok... if you select the GPO what do you have under the security filtering?
As I said before, you should log on as that user to check if policy applies or change Security Filtering settings.
To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:
If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.
If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.
/Fox
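The permission rule described in the post above, as an added example that is not part of the original thread: a simplified Python model in which a GPO passes security filtering only when the account, or one of the groups gpresult lists for it, holds Allow for both Read and Apply Group Policy and no Deny on either. The ACL, the function names and the shortened gpresult excerpts are constructed for illustration; the group name Internet Disabled is the one the asker creates later in the thread.

```python
# Added example: simplified model of GPO security filtering (names are illustrative).
READ, APPLY = "Read", "Apply Group Policy"

def parse_groups(gpresult_text):
    """Return the names listed under gpresult's security-groups heading."""
    groups, in_section = [], False
    for line in gpresult_text.splitlines():
        line = line.strip()
        if line.startswith("The user is a part of the following security groups"):
            in_section = True
        elif in_section and line and not set(line) <= {"-", " "}:
            if line.startswith("C:\\"):   # the next prompt ends the section
                break
            groups.append(line)
    return groups

def filter_result(acl, user, groups):
    """acl: (trustee, "Allow" or "Deny", permission) entries set on the GPO."""
    token = {name.lower() for name in [user, *groups]}
    # gpresult prints "NT AUTHORITY\Authenticated Users"; also match the short name
    token |= {name.split("\\")[-1] for name in token}
    held = {(kind, perm) for trustee, kind, perm in acl if trustee.lower() in token}
    for perm in (READ, APPLY):
        # A Deny entry overrides any Allow; a missing Allow also filters the GPO out.
        if ("Deny", perm) in held or ("Allow", perm) not in held:
            return "Denied (Security)"
    return "Applied"

# Constructed ACL: Authenticated Users removed from Security Filtering and the
# thread's "Internet Disabled" group granted Read and Apply Group Policy.
ACL = [("Internet Disabled", "Allow", READ), ("Internet Disabled", "Allow", APPLY)]

# Constructed, shortened excerpts in the layout of the gpresult output in the thread.
BEFORE = """The user is a part of the following security groups
---------------------------------------------------
Domain Users
NT AUTHORITY\\Authenticated Users
LOCAL
C:\\Documents and Settings\\test>"""
AFTER = BEFORE.replace("LOCAL", "LOCAL\nInternet Disabled")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, filter_result(ACL, "test", parse_groups(text)))
```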
ASKER
toniur: I did login as that user and the proxy settings are empty. The policy was not applied for that user.
knightfox: test (test@mydomainname.com)
and under the advanced security tab?? you see read and apply group policy are ticked?
ASKER
knightfox: the test user has Read and Apply Group Policy permissions
what happens if you run my reg frag?? do the proxy settings go in ok?
Is there any entry with Deny permissions selected?
ASKER
Not a single user or group under the advanced settings have 'Deny' selected.
ASKER
knightfox: what do you mean?
ASKER
The problem occurs after I remove the 'Authenticated Users' group under 'Security Filtering'
Without making ANY changes at all 'gpresult' shows no errors until I remove the 'Authenticated Users' group under 'Security Filtering'
What does this mean?
don't remove authenticated users, just remove the tick on apply group policy
/Fox
ASKER
As soon as I removed the tick on apply group policy I get the same filtering: denied (security) error.
but you still have your test@tetetete.com in with apply right??
ASKER
yes I do.
ASKER
Come on experts!!!
AJ,
please screen shot GPMC and post it to the forum. What you are seeing is typical permissions issues.. could you please also try to create a global security group, add your test user into this and assign it with READ and APPLY Group Policy. then try to log on as that user.
/Fox
ASKER
These are the screenshots
http://www.aristos.net/files/expersexchange/
I've created the group called 'Internet Disabled' and I've added the test user in that group. I run 'gpupdate /force' and then 'gpresult' and I still get the Filtering: Denied (Security) error.
ASKER CERTIFIED SOLUTION
ASKER
http://www.aristos.net/files/expersexchange/new/
Here are the new screenshots. The only thing I did not do is the new user. I used the test user I hope it's OK.
The new policy does not even appear in the gpresult command.
I can see that you are logging in as the administrator to run the GPResult.. the GPO is not being applied to the administrator.. please log in as the "test" user.
also can you please post a screen of the settings with all expanded, I just want to check that you are setting the policy correctly.
/Fox
ASKER
I login as an administrator to make changes on the domain. I login as test user on another remote desktop session to check if the policy was applied. But it's never applied when the gpresult reports Filtering: Denied (Security)
This is the result when running gpresult from the test user account.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\test>gpresult
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 21/10/2008 at 15:39:01
RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile: \\profiles\Profiles\test.AJKBOC
Local Profile: C:\Documents and Settings\test
Connected over a slow link?: No
USER SETTINGS
--------------
CN=test,CN=Users,DC=ajkboc,DC=com
Last time Group Policy was applied: 21/10/2008 at 15:38:47
Group Policy was applied from: application1.ajkboc.com
Group Policy slow link threshold: 500 kbps
Domain Name: AJKBOC
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow Logon Through Terminal Services
Filtering: Not Applied (Empty)
User Profile Path Configuration
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
Remove Disconnect from Start Menu
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
C:\Documents and Settings\test>
This is a screenshot of the settings
http://www.aristos.net/files/expersexchange/1234.JPG
But even without configuring any settings for the policy, when the Authenticated Users group is removed, the policy cannot be applied.
Your test user is not a part of the security group that you created????
internet disabled.......
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
ASKER
He was not a member because I was running some tests and I removed him. He is in that group now. But what difference will this make if the policy cannot be applied to the group?
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\test>gpresult
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 21/10/2008 at 16:05:34
RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile: \\profiles\Profiles\test.AJKBOC
Local Profile: C:\Documents and Settings\test
Connected over a slow link?: No
USER SETTINGS
--------------
CN=test,CN=Users,DC=ajkboc,DC=com
Last time Group Policy was applied: 21/10/2008 at 16:05:23
Group Policy was applied from: application1.ajkboc.com
Group Policy slow link threshold: 500 kbps
Domain Name: AJKBOC
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow Logon Through Terminal Services
Filtering: Not Applied (Empty)
User Profile Path Configuration
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
Remove Disconnect from Start Menu
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Internet Disabled
C:\Documents and Settings\test>
ASKER
I don't know what I was doing wrong, but the following worked.
Open Group Policy Management
Under the domain name, create a new Organizational Unit named Block Internet
Under the Block Internet OU create and link a GPO named Proxy Policy
Edit Proxy Policy and go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and configure proxy settings.
Open Active Directory Users and Computers and drag and drop a test user in the Block Internet
Run gpupdate /force on the domain.
So you get the points.
Save the following as a .reg file and see if you can run it on the client. You will need to change the IP and port and also the exceptions list before doing so.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Softwar
"ProxyServer"="000.000.000
"ProxyEnable"=dword:000000
"ProxyOverride"="<local>;*
/Fox