• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1759
  • Last Modified:

Why does gpresult and the GPRW results differ? GPO not being applied properly?

I am trying to implement basic web filtering and have set up an http proxy for this purpose.

There are 8 GPOs being applied in total - the last two being the default domain policy (7) and the web access policy ( (where the proxy settings are kept).

Originally I was getting some proxy settings from somewhere that was overriding the settings from the WebAccess policy.

gpresult gave me this :

        Internet Explorer Connection
        ----------------------------
 
            HTTP Proxy Server:   190.0.0.234:8080
            Secure Proxy Server: 190.0.0.234:8080
            FTP Proxy Server:    190.0.0.234:8080
            Gopher Proxy Server: 190.0.0.234:8080
            Socks Proxy Server:  190.0.0.234:8080
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes
 
            HTTP Proxy Server:   190.0.0.1:3128
            Secure Proxy Server: 190.0.0.1:3228
            FTP Proxy Server:    190.0.0.1:3128
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

And the second set of data was the setting that was applied whilst the first set is the settings I wanted. gpresult doesn't say which policy 'won' with this setting for some reason.

Swapping the order of default and web access swaps the order of the proxy settings in the report generated by gpresult.

So .. I assumed that these settings would be found in the default gpo and I just needed to eliminate them there.

Except they're nowhere to be seen! Nothing is configured for the default policy under User Configuration -> Windows Settings -> IE Maintenance -> Connection -> Proxy settings

In fact - not a single one of my other GPOs has anything defined here.

Nevertheless, I went into the default domain policy and right clicked to select 'Reset Browser Settings' to ensure that everything was removed.

The result from gpresult /z  now gives

USER SETTINGS
--------------
    CN=******,OU=SBSUsers,OU=********,OU=*******,DC=*******,DC=local
    Last time Group Policy was applied: 20/04/2009 at 13:51:17
    Group Policy was applied from:      *********.local
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        WebAccess
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Small Business Server Windows Firewall
            Filtering:  Not Applied (Empty)

        Small Business Server Lockout Policy
            Filtering:  Disabled (GPO)

        Small Business Server Remote Assistance Policy
            Filtering:  Disabled (GPO)

        Small Business Server Client Computer
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Domain Password Policy
            Filtering:  Not Applied (Empty)

        Small Business Server Internet Connection Firewall
            Filtering:  Denied (WMI Filter)
            WMI Filter: PreSP2

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        SophosUser
        Offer Remote Assistance Helpers
        SophosAdministrator
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        VPN Access
        Domain Admins
        SBS Report Users
        Web Access Restricted
        Sophos Console Administrators
        SophosAdministrator
        Sophos DB Admins
        Sophos DB Users
        CERTSVC_DCOM_ACCESS
        Offer Remote Assistance Helpers
       
    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: WebAccess
                Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
                State:   Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Default Domain Policy
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

            GPO: WebAccess
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      Yes

            HTTP Proxy Server:   190.0.0.209:8080
            Secure Proxy Server: 190.0.0.209:8080
            FTP Proxy Server:    190.0.0.209:8080
            Gopher Proxy Server: 190.0.0.209:8080
            Socks Proxy Server:  190.0.0.209:8080
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

        Internet Explorer URLs
        ----------------------
            GPO: Default Domain Policy
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

            GPO: WebAccess
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Default Domain Policy
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

            GPO: WebAccess
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Default Domain Policy
                Import the current Program Settings: No

            GPO: WebAccess
                Import the current Program Settings: No


I don't know why default domain policy is even be listed here - but that may be my ignorance!

The results from the GPRW gives this for user [see image]

Which doesn't show _anything_ about the proxy settings.

Where can I go from here to try and track down why the WebAccess policy doesn't appear to be picked up via GPRW and default domain appears to be overwriting it if the processing order is changed even though it has no settings for this section.

Thanks in advance
GPRW.JPG
0
bboitano
Asked:
bboitano
  • 2
  • 2
2 Solutions
 
Netman66Commented:
You're running SBS, which means that properly added users and computers will be running a logon script specifically written in SBS.

There should be a file : install.ins - that may contain proxy information that is applying from the default execution of the SBS script.  You can change it there or simply empty the values.

Let us know.
0
 
bboitanoAuthor Commented:
Netman66

Thank you for replying.

The login script that runs here looks like this :

@echo off

REM ********** BEGIN SCRIPT **********



ECHO.
ECHO ****************************************
ECHO * Running login script, please wait... *
ECHO ****************************************
ECHO.
ECHO **************************
ECHO * Creating Drive Letters *
ECHO **************************
ECHO.
if exist s: net use s: /del
if not exist s: net use s: \\companyname-sbs1\companyname

rem remove proxy settings
rem regedit /s s:\setproxy.reg

rem remove old webfilter shortcut from start menu
rem if exist "%appdata%\..\Start Menu\Programs\Startup\Shortcut to GKAccess.lnk" del "%appdata%\..\Start Menu\Programs\Startup\Shortcut to GKAccess.lnk"

ECHO.
ECHO *****************************
ECHO * Creating Network Printers *
ECHO *****************************
ECHO.
ECHO (Creating New Printers)
%LOGONSERVER%\netlogon\ifmember "companyname\companyname_Printers"
if errorlevel==1 goto instcompanyname

:instcompanyname
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\HP LaserJet 4050 Tray1"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\HP LaserJet 4050 Tray2"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\HP LaserJet 4050 Tray3"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\Kyocera FS-C5016N"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\Konica Main Floor PCL6"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\CanoniR2800"
%LOGONSERVER%\netlogon\con2prt /c "\\companyname-sbs1\CanoniR2200"
goto endprinters

ECHO.
ECHO *****************************
ECHO * companyname SBS Client Setup *
ECHO *****************************
ECHO.

\\companyname-SBS1\Clients\Setup\setup.exe /s companyname-SBS1

:endprinters

:endnt
REM ********** END SCRIPT **********

I searched for the install.ins but found multiple copies on the server and I am unsure how to tell which one would be the correct one to paste here. How would I determine that?

Thanks again
0
 
Netman66Commented:
I believe it should be in this path somewhere:

\\companyname-SBS1\Clients\Setup

It would have to be in a share that is accessible to the client during logon.  You could also check the Netlogon share.

Regardless of where you find copies, you should check them all to see if any of them have Proxy information configured.

0
 
bboitanoAuthor Commented:
Below is the install.ins ... indeed it does contain some proxy information. Well, at least it contains a proxy subsection.

I'm not sure if this is the one that is applied however - since none of the other settings are applied (homepage etc). Is there a way to check?

Thank you for your help so far.

[Branding]
Type=2
Wizard_Version=6.00.2800.1106
Language Locale=EN
Language ID=1033
Platform=2
 
[URL]
Home_Page=http://companyweb
Quick_Link_1_Name=Microsoft bCentral.url
Quick_Link_1=http://www.bCentral.com
Quick_Link_2_Name=My company's internal Web site.url
Quick_Link_2=http://companyweb
Quick_Link_3_Name=Remote E-mail Access.url
Quick_Link_3=http://companyname-SBS1/exchange
FirstHomePage=http://companyweb
AutoConfigJSURL=http://companyweb
 
[Proxy]
HTTP_Proxy_Server=
FTP_Proxy_Server=
Gopher_Proxy_Server=
Secure_Proxy_Server=
Socks_Proxy_Server=
Use_Same_Proxy=0
Proxy_Enable=0
Proxy_Override=
AutoDetect=0
 
[FavoritesEx]
Title1=My company's internal Web site.url
URL1=http://companyweb
Title2=Information and Answers.url
URL2=http://companyname-SBS1/clienthelp
Title3=Remote Server Management.url
URL3=http://companyname-SBS1/tsweb/Default.htm?AutoConnect=1
Title4=Microsoft Small Business Server Website.url
URL4=http://www.microsoft.com/sbserver
Title5=Remote E-mail Access.url
URL5=http://companyname-SBS1/exchange

Open in new window

0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now