Proxy Settings will not update changes via Group Policy

Posted on 2008-10-29
Last Modified: 2013-12-08
On our domain, we use AD Group Policy to push out proxy settings to the computers/users.  We also have enabled "Make Proxy Settings per machine."
"Disable changing proxy settings" is NOT configured at all.

Now, I'm trying to push out a change to the proxy settings.  We have added an exclusion to the sites that bypass the proxy.

Logging in as a regular user that already has a local profile created (ie... they've logged in to that workstation before) fails to update the proxy settings with the new exclusion, and they cannot access the site.  If I use Group Policy Management to run the GP Results for that user on that machine, the report says that they have the new exclusion, but the local workstation doesn't appear to update properly.

However, if I log in to that workstation as an administrator, the new proxy settings are downloaded and applied to ALL users, including the old regular user who coudn't receive the update before the admin login.  We have 90 workstations spread out over 200 miles, and I'm not keen on logging in to every workstation as an administrator to force the update.

Why won't the ammended proxy settings replicate to the workstations when a regular user logs in even though GP Management says that they should have the new setting?  Is there a way to force this change without logging in to every workstation administratively?
Question by:Hayzeus

Expert Comment

ID: 22835559
You could try having them open a command prompt and type:   gpupdate /force   then see what happens.
LVL 35

Expert Comment

by:Joseph Daly
ID: 22835583
Under the group policy in GPMC on the delegation tab do you have the authenticated users with Read permission?

Also you may want to try right clicking on the gpo linked to the OU and select enforce on the menu.

Finally on the client machine try running GPUPDATE /FORCE a couple times followed by a reboot.

Accepted Solution

chadpants earned 250 total points
ID: 22836269
A couple of things we had to try when we had a similar situation in our environment:

- In GPMC under Computer Configuration->Administrative Templates->System/Group Policy set Loopback Processing mode to Enabled- Replace.

- Drill down into your sysvol folder and make sure to give Everyone read permissions on the Policies folder. We had given read permissions to Authenticated Users, but we were applying the policy to computer objects, which are not considered authenticated users.
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

ID: 22836733
Hi, thanks for the replies.  Here is some more information:

1)  Yes, had already tried gpudate /force to no avail
2)  Several reboots (because you never know when a fourth reboot will fix something lol)
3)  Authenticated users have read/apply permisssions in all areas

I have double-checked the Sysvol permissions, and you are correct in that the Everyone group is not there, but Auth Users is.  Just as an aside, computer objects which have been authenticated in a domain environment are considered part of the Authenticated Users group.

Any other changes made to the policy update properly.  It's just the proxy settings that are not getting updated.
LVL 35

Expert Comment

by:Joseph Daly
ID: 22836812
Very big longshot here but there isnt another policy somewhere that might be assigning proxy server info is there. Possibly your default domain profile.

Author Comment

ID: 22836838
Good question, but the answer is no.  There are other GPs being applied, but I have ensured that there are no contradictory settings in the other GPs.  As a secondary verification, I have run the GP Results Query tool to confirm that the computer *should* have the new setting.  For some reason, the new exclusion setting is only picked up after an administrative logon/logoff.
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 250 total points
ID: 22836851
Ok so how about this just for a test. Remove the proxy settings from the GPO and create their own new GPO with only proxy settings and see if those apply. This is a tricky one here.

Author Comment

ID: 22897945
Okay, so I ran out of time and I used RDP to connect with an administrative login to every workstation in our organization.  What a pain.

So, none of the suggestions offered up actually addressed what I saw as a problem, BUT some of you did suggest some work arounds that I think would work in a pinch.  I'll assign split points in what I hope is a fair manner.

Here's why I think it doesn't work:

1)  In GP, we have the "make settings per machine" enabled.
2)  When a regular user connects, they don't get the updated settings because they do not have enough security clearance to update a "per machine" setting (which should theoretically require admin privileges).
3)  Connecting to the machine as an admin will update the central proxy settings... thus allowing all users to receive the newly updated settings.

The more I think about it, the more I think it's probably working as intended, but I can't help this feeling that there must be a better way to push these settings out.  I know that XXDCmast's suggestion of creating a new GPO (downstream) with the updated settings would work, but it still feels like a jury rig.

thanks everyone for their help.

Expert Comment

ID: 24871402
This bulletin may clarify the behaviour going on with this issue.

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Parsing an RSS Feed 4 17
exchange 2013 search-mailbox question 7 44
lock down downloads folder 8 56
Not allowed to load local recource. 4 16
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question