Group Policy does not work as expected when setting up proxy

Medium Priority
1,470 Views
Last Modified: 2013-11-25
I have an OU that contains only computer objects which are all Citrix servers. It is necessary to set up all of these servers so that they each meet the following single criterion with regard to proxy settings:

1) All of the servers have a permanent proxy setting that users cannot change (except admins)
 
Sounds pretty simple, but I am running into a few roadblocks.

I thought that I could simply create a group policy for these servers in the OU where they reside and set the proxy setting as a "machine" based policy rather than per user. Then, as a test, I logged into one of the Citrix servers after refreshing the policy as an administrator and I set the proxy settings. I logged out, logged in as a normal user, and I did not have the settings and I was freely able to change, disable or enable the settings. OK, plan A did not appear to work. I figured there was no point setting the USER group policy in the OU since there are no users that reside within the Citrix OU; they are instead outside in various other OUs within the same domain. But I tried it anyway, setting the proxy server in the USER config, and again, this did not seem to work.

To top this off, I am slightly confused why the Computer config in the GP that I created does not have a section to actually enter the proxy settings. I know that I could probably create a custom ADM file to do this, and in fact this might be the way to go, or maybe it's overkill and there is a simple fix that I am overlooking. Or maybe... just maybe, group policy is not the way to go?
Looking for a light at the end of the tunnel,

Lab_tech

Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010

Commented:

Hey,

Fortunately there is some light back there :)

You need to enable Group Policy Loopback Processing. Doing so allows you to apply user policy to everyone who logs onto a specific machine.

To do that...

1. Open the group policy you created for the proxy settings
2. Expand Computer Configuration / Administrative Templates / System / Group Policy
3. Open the "User Group Policy loopback processing mode" policy.
4. Set Merge or Replace depending on what you want to happen to policies that would normally apply to the user

Chris
bluntTony, Head of ICT
Top Expert 2009

Commented:
As well as loopback processing, there is a computer config setting which makes the proxy settings per-machine as opposed to per-user.
It depends really whether you want to make ALL group policy settings per machine (loopback), or just the proxy settings. The setting to just make the proxy settings per machine is:
Computer Configuration | Administrative Settings | Windows Components | Internet Explorer | Make proxy settings per machine (rather than per user)
Description of this policy from the console:
"Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user."
I would personally say that you may want to look into using loopback for a Citrix server to lockdown all user settings, but in the meantime you can be more granular with this policy.

Author

Commented:
Hi BluntTony;
As mentioned in my original post, I had already enabled the "Make proxy settings per machine".
I tried the loopback processing and there appears to be no effect in the way it works with the Citrix servers.

Now, my understanding is that I have to set the actual proxy settings in the "USER" part of the policy, this then gets applied at the COMPUTER level, or maybe I am missing something?

Chris Dent, PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010

Commented:

Correct, provided loopback processing is enabled and applies to the computer account. The "user" portion of the policy should also be applied to the computer account.

Chris
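
A way to check, on one of the Citrix servers, whether the two Computer Configuration policies discussed in this thread have actually been applied and which proxy a logged-on user ends up with. This is an added example, not code from any participant in the thread. It assumes PowerShell 3.0 or later; the function names are hypothetical, and the registry locations are the ones these two policies and Internet Explorer use.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Function names are hypothetical; registry paths are the ones these policies write.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-ProxyPolicyState {
    $gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $ieKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
    $loopback = Get-RegValue $gpKey 'UserPolicyMode'
    $modes    = @{ 1 = 'Merge'; 2 = 'Replace' }
    $mode     = if ($null -ne $loopback -and $modes.ContainsKey([int]$loopback)) {
                    $modes[[int]$loopback]
                } else { 'Not configured' }

    # "Make proxy settings per machine": ProxySettingsPerUser = 0 when enabled.
    $perMachine = (Get-RegValue $ieKey 'ProxySettingsPerUser') -eq 0

    # Per machine: Internet Explorer reads the proxy from HKLM; otherwise from the user's HKCU.
    $hive = if ($perMachine) { 'HKLM:' } else { 'HKCU:' }
    $inet = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        User            = $env:USERNAME
        LoopbackMode    = $mode
        ProxyPerMachine = $perMachine
        ProxyReadFrom   = $inet
        ProxyEnable     = Get-RegValue $inet 'ProxyEnable'
        ProxyServer     = Get-RegValue $inet 'ProxyServer'
    }
}

Get-ProxyPolicyState | Format-List
```

Run it in a normal (non-administrator) user session on the server after `gpupdate /force`. If `LoopbackMode` shows `Not configured`, the GPO carrying the loopback setting is not reaching the computer account, so user-side proxy settings in that GPO will not follow the machine.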