Start Free Trial

asked on

GROUP POLICY - filtering: denied (security)

I want to set the same proxy settings for all the users in my domain. They connect on the terminal server using thin clients.

I go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and I set the proxy there.

I run gpupdate /force and then gpresult

The specific policy reports filtering: denied (security)

Why Im I getting that error, and how do I fix it.

Thanks

seems the user account you are running under does not have permission to change the registery key. this usually runs under the system account at logon.

Save the following as a .reg file and see if you can run it on the client. You will need to change the ip and port and also the execptions list before doing so.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="000.000.000.000:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>;*.*.*.*."

/Fox

Hi!

Did you change Security Filtering for this particular GPO in GPMC? Does it still apply to Authenticated Users?

Toni

ASKER

This is a terminal server. There are no client computers. All the users connect using thin clients. I am logged in as an administrator on the terminal server so it cant be a permissions error.

ASKER

I configured this policy to apply only for a specific test user before assigning a group on that policy.

AJ,

Do you have the GPMC installed on your DC?

/Fox

If I understand correctly, you removed Authenticated Users from Security filtering and added only one user account? If this is correct, than you should log on as that user, because policy will not apply to anyone else.

ASKER

Yes I do.

ASKER

toniur

This ia exactly what I did.

ok... if you select the GPO what do you have under the security filtering?

As I said before, you should log on as that user to check if policy applies or change Security Filtering settings.

To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:

If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

/Fox

ASKER

toniur: I did login as that user and the proxy settings are empty. The policy was not applied for that user.

knightfox: test (test@mydomainname.com)

and under the advanced security tab?? you see read and apply group policy are ticked?

ASKER

knightfox: the test user has Read and Apply Group Policy permissions

what happens if you run my reg frag?? do the proxy settings go in ok?

Is there any entry with Deny permissions selected?

ASKER

Not a single user or group under the advanced settings have 'Deny' selected.

ASKER

knightfox: what do you mean?

ASKER

The problem occures after I remove the 'Authenticated Users' group under 'Security Filtering'

Without making ANY changes at all 'gpresult' shows no errors until I remove the 'Authenticated Users' group under 'Security Filtering'

What does this mean?

dont remove authenticated users, just remove the tick on apply group policy

/Fox

ASKER

As soon as I removed the tick on apply group policy I get the same filtering: denied (security) error.

but you still have your test@tetetete.com in with apply right??

ASKER

yes I do.

ASKER

Come on experts!!!

AJ,

please screen shot GPMC and post it to the forum. What you are seeing is tipical permissions issues.. could you please also try to create a global security group, add your test user into this and assign it with READ and APPLY Group Policy. then try to log on as that user.

/Fox

ASKER

These are the screenshots

http://www.aristos.net/files/expersexchange/

I've created the group called 'Internet Disabled' and I've added the tes user in that group. I run 'gpupdate /force' and then 'gpresult' and I still get the Filtering: Denied (Security) error.

ASKER CERTIFIED SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

http://www.aristos.net/files/expersexchange/new/

Here are the new screenshots. The only thing I did not do is the new user. I used the test user I hope it's OK.

The new policy does not even appear in the gpresult command.

I can see that you are logging in as the administrator to run the GPResult.. the GPO is not being applied to the administrator.. please log in as the "test" user.

also can you please post a screen of the settings with all expanded, I just want to check that you are setting the policy correctly.

/Fox

ASKER

I login as an administrator to make changes on the domain. I login as test user on another remote desktop session to check if the policy was applied. But it's never applied when the gpresult reports Filtering: Denied (Security)

This is the result when running gpresult from the test user account.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 15:39:01

RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile: \\profiles\Profiles\test.AJKBOC
Local Profile: C:\Documents and Settings\test
Connected over a slow link?: No

USER SETTINGS
--------------
CN=test,CN=Users,DC=ajkboc,DC=com
Last time Group Policy was applied: 21/10/2008 at 15:38:47
Group Policy was applied from: application1.ajkboc.com
Group Policy slow link threshold: 500 kbps
Domain Name: AJKBOC
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow Logon Through Terminal Services
Filtering: Not Applied (Empty)

User Profile Path Configuration
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

Remove Disconnect from Start Menu
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL

C:\Documents and Settings\test>

This is a screenshot of the settings

http://www.aristos.net/files/expersexchange/1234.JPG

But even without configuring any settings for the policy, when the Authenticated Users group is removed, the policy cannot be applied.

You test user is not a part of the security group that you created>????

internet disabled.......

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL

ASKER

He was not a member because I was running some tests and I removed him. He is in that group now. But what difference will this make if the policy cannot be applied to the group?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 16:05:34

RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile: \\profiles\Profiles\test.AJKBOC
Local Profile: C:\Documents and Settings\test
Connected over a slow link?: No

USER SETTINGS
--------------
CN=test,CN=Users,DC=ajkboc,DC=com
Last time Group Policy was applied: 21/10/2008 at 16:05:23
Group Policy was applied from: application1.ajkboc.com
Group Policy slow link threshold: 500 kbps
Domain Name: AJKBOC
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow Logon Through Terminal Services
Filtering: Not Applied (Empty)

User Profile Path Configuration
Filtering: Not Applied (Empty)

Local Group Policy
Filtering: Not Applied (Empty)

Remove Disconnect from Start Menu
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Internet Disabled

C:\Documents and Settings\test>

ASKER

I don't know what I was doing wrong, but the following worked.

Open Group Policy Management

Under the domain name, create a new Organizational Unit named Block Internet

Under the Block Internet OU create and link a GPO named Proxy Policy

Edit Proxy Policy and go to User Configuration Windows Settings Internet Explorer Maintenance Connection Proxy Settings and configure proxy settings.

Open Active Directory Users and Computers and drag and drop a test user in the Block Internet

Run gpupdate /force on the domain.

So you get the points.