Solved

GROUP POLICY - filtering: denied (security)

Posted on 2008-10-20
Last Modified: 2013-12-04
I want to set the same proxy settings for all the users in my domain. They connect on the terminal server using thin clients.

I go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and I set the proxy there.

I run gpupdate /force and then gpresult

The specific policy reports filtering: denied (security)

Why am I getting that error, and how do I fix it?

Thanks
0
Comment
Question by:AJKBOC
33 Comments
 
LVL 7

Expert Comment

by:knightfox
ID: 22756966
Seems the user account you are running under does not have permission to change the registry key. This usually runs under the system account at logon.

Save the following as a .reg file and see if you can run it on the client. You will need to change the IP and port and also the exceptions list before doing so.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="000.000.000.000:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>;*.*.*.*."


/Fox
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22756985
Hi!

Did you change Security Filtering for this particular GPO in GPMC? Does it still apply to Authenticated Users?

Toni
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757000
This is a terminal server. There are no client computers. All the users connect using thin clients. I am logged in as an administrator on the terminal server so it can't be a permissions error.
0

 
LVL 2

Author Comment

by:AJKBOC
ID: 22757009
I configured this policy to apply only for a specific test user before assigning a group on that policy.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757040
AJ,

Do you have the GPMC installed on your DC?

/Fox
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22757052
If I understand correctly, you removed Authenticated Users from Security filtering and added only one user account? If this is correct, then you should log on as that user, because policy will not apply to anyone else.
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757054
Yes I do.
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757063
toniur

This is exactly what I did.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757066
ok... if you select the GPO what do you have under the security filtering?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22757080
As I said before, you should log on as that user to check if policy applies or change Security Filtering settings.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757092
To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:

If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757097
toniur: I did login as that user and the proxy settings are empty. The policy was not applied for that user.

knightfox: test (test@mydomainname.com)
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757134
and under the advanced security tab?? you see read and apply group policy are ticked?
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757147
knightfox: the test user has Read and Apply Group Policy permissions
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757166
what happens if you run my reg frag?? do the proxy settings go in ok?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22757170
Is there any entry with Deny permissions selected?
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757184
Not a single user or group under the advanced settings have 'Deny' selected.
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757188
knightfox: what do you mean?
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757410
The problem occurs after I remove the 'Authenticated Users' group under 'Security Filtering'

Without making ANY changes at all 'gpresult' shows no errors until I remove the 'Authenticated Users' group under 'Security Filtering'

What does this mean?
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757471
don't remove authenticated users, just remove the tick on apply group policy

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757556
As soon as I removed the tick on apply group policy I get the same filtering: denied (security) error.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22757652
but you still have your test@tetetete.com in with apply right??
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22757703
yes I do.
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22764359
Come on experts!!!
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22764923
AJ,

Please screenshot GPMC and post it to the forum. What you are seeing is typical permissions issues. Could you please also try to create a global security group, add your test user into this and assign it with READ and APPLY Group Policy. Then try to log on as that user.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22764978
These are the screenshots

http://www.aristos.net/files/expersexchange/

I've created the group called 'Internet Disabled' and I've added the test user in that group. I run 'gpupdate /force' and then 'gpresult' and I still get the Filtering:  Denied (Security) error.
0
 
LVL 7

Accepted Solution

by:
knightfox earned 500 total points
ID: 22765025
ok lets go from the top,

Create a new OU and call it user accounts.  using the GPMC delete the current link and group policy.  Create a new GPO object at the newly created user account OU and change the proxy setting to what you need.

Create a new user and add it into the internet disabled group.  assign this group to the new GPO

Please let me know how you get on.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22765520
http://www.aristos.net/files/expersexchange/new/

Here are the new screenshots. The only thing I did not do is the new user. I used the test user I hope it's OK.

The new policy does not even appear in the gpresult command.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22765933
I can see that you are logging in as the administrator to run the GPResult.. the GPO is not being applied to the administrator.. please log in as the "test" user.

also can you please post a screen of the settings with all expanded, I just want to check that you are setting the policy correctly.

/Fox
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22766686
I login as an administrator to make changes on the domain. I login as test user on another remote desktop session to check if the policy was applied. But it's never applied when the gpresult reports Filtering:  Denied (Security)

This is the result when running gpresult from the test user account.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 15:39:01


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 15:38:47
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL

C:\Documents and Settings\test>


This is a screenshot of the settings

http://www.aristos.net/files/expersexchange/1234.JPG

But even without configuring any settings for the policy, when the Authenticated Users group is removed, the policy cannot be applied.
0
 
LVL 7

Expert Comment

by:knightfox
ID: 22766811
Your test user is not a part of the security group that you created????

internet disabled.......


The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22766870
He was not a member because I was running some tests and I removed him. He is in that group now. But what difference will this make if the policy cannot be applied to the group?

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\test>gpresult

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 21/10/2008 at 16:05:34


RSOP data for AJKBOC\test on APPLICATION1 : Logging Mode
---------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edi
tion
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\profiles\Profiles\test.AJKBOC
Local Profile:               C:\Documents and Settings\test
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=test,CN=Users,DC=ajkboc,DC=com
    Last time Group Policy was applied: 21/10/2008 at 16:05:23
    Group Policy was applied from:      application1.ajkboc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AJKBOC
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow Logon Through Terminal Services
            Filtering:  Not Applied (Empty)

        User Profile Path Configuration
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Remove Disconnect from Start Menu
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Internet Disabled

C:\Documents and Settings\test>
0
 
LVL 2

Author Comment

by:AJKBOC
ID: 22838359
I don't know what I was doing wrong, but the following worked.

Open Group Policy Management

Under the domain name, create a new Organizational Unit named Block Internet

Under the Block Internet OU create and link a GPO named Proxy Policy

Edit Proxy Policy and go to User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings and configure proxy settings.

Open Active Directory Users and Computers and drag and drop a test user in the Block Internet

Run gpupdate /force on the domain.

So you get the points.
0
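
A way to read the gpresult reports in this thread, as an added example (not code from any poster): a GPO listed with Filtering: Denied (Security) is linked within the user's scope but the user lacks Read plus Apply Group Policy on it, while a GPO missing from both lists is not linked anywhere on the path to the user's DN. The sample text and the names parse_gpresult and diagnose are constructed for illustration; only the user half of the report is handled.

```python
# Constructed sample in gpresult's user-section layout ("Proxy Policy" is made up).
SAMPLE = """\
    CN=test,CN=Users,DC=ajkboc,DC=com
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
        Proxy Policy
            Filtering:  Denied (Security)
    The user is a part of the following security groups
    ---------------------------------------------------
        NT AUTHORITY\\Authenticated Users
C:\\Documents and Settings\\test>
"""
HEADS = {"Applied Group Policy Objects": "applied",
         "The following GPOs were not applied": "filtered",
         "The user is a part of": "groups"}

def parse_gpresult(text):
    """Return the user DN, applied GPOs, {filtered GPO: reason} and groups."""
    out = {"dn": None, "applied": [], "filtered": {}, "groups": []}
    section = last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank lines and dashed rules
        head = next((v for k, v in HEADS.items() if line.startswith(k)), None)
        if head or not raw[0].isspace():
            section = head                # new section, or unindented prompt
        elif line.startswith("CN=") and out["dn"] is None:
            out["dn"] = line
        elif section == "filtered" and line.startswith("Filtering:"):
            out["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line                   # GPO name; its reason follows
        elif section:
            out[section].append(line)
    return out

def diagnose(report, gpo):
    if gpo in report["applied"]:
        return "applied"
    reason = report["filtered"].get(gpo)
    if reason:   # linked in scope but filtered; Denied (Security) is an ACL matter
        return "in scope, filtered: " + reason
    return f"not in scope of {report['dn']}"
```

Run against the two reports posted above, a check for the proxy GPO falls into the last branch: the user object sits in CN=Users, so a GPO linked only to a new OU never reaches it.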
