Group Policy does not work as expected when setting up proxy

I have an OU that contains only computer objects which are all Citrix servers. It is necessary to set up all of these servers so that they each meet the following single criterion with regard to proxy settings:

1) All of the servers have a permanent proxy setting that users cannot change (except admins).

Sounds pretty simple, but I am running into a few roadblocks.

I thought that I could simply create a group policy for these servers in the OU where they reside and set the proxy setting as a "machine" based policy rather than per user. Then, as a test, I logged into one of the Citrix servers after refreshing the policy as an administrator and I set the proxy settings. I logged out, logged in as a normal user and I did not have the settings and I was freely able to change, disable or enable the settings. OK, plan A did not appear to work. I figured there was no point setting the USER group policy in the OU since there are no users that reside within the Citrix OU; they are instead outside in various other OUs within the same domain. But I tried it anyways, setting the proxy server in the USER config, and again, this did not seem to work.

To top this off, I am slightly confused why the Computer config in the GP that I created does not have a section to actually enter the proxy settings. I know that I could probably create a custom ADM file to do this, and in fact this might be the way to go, or maybe it's overkill and there is a simple fix that I am overlooking. Or maybe... just maybe, group policy is not the way to go?
Looking for a light at the end of the tunnel,


Chris Dent (PowerShell Developer) commented:


Fortunately there is some light back there :)

You need to enable Group Policy Loopback Processing. Doing so allows you to apply user policy to everyone who logs onto a specific machine.

To do that...

1. Open the group policy you created for the proxy settings
2. Expand Computer Configuration / Administrative Templates / System / Group Policy
3. Open the "User Group Policy loopback processing mode" policy.
4. Set Merge or Replace depending on what you want to happen to policies that would normally apply to the user

bluntTony (Head of ICT) commented:

As well as loopback processing, there is a computer config setting which makes the proxy settings per-machine as opposed to per-user.

It depends really whether you want to make ALL group policy settings per machine (loopback), or just the proxy settings. The setting to just make the proxy settings per machine is:

Computer Configuration | Administrative Settings | Windows Components | Internet Explorer | Make proxy settings per machine (rather than per user)

Description of this policy from the console:

"Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user."

I would personally say that you may want to look into using loopback for a Citrix server to lock down all user settings, but in the meantime you can be more granular with this policy.

Lab_Tech (Author) commented:

Hi BluntTony;
As mentioned in my original post, I had already enabled the "Make proxy settings per machine".
I tried the loopback processing and there appears to be no effect in the way it works with the Citrix servers.

Now, my understanding is that I have to set the actual proxy settings in the "USER" part of the policy, this then gets applied at the COMPUTER level, or maybe I am missing something?

Chris Dent (PowerShell Developer) commented:

Correct, provided loopback processing is enabled and applies to the computer account. The "user" portion of the policy should also be applied to the computer account.

bluntTony (Head of ICT) commented:
Sorry, it wasn't clear to me from the question whether you had specifically used this policy or not.

Loopback processing works like this:

1. You create the GPO with loopback enabled, configure the USER settings in this GPO, and link it to the OU holding the computers.
2. On machine startup, the computer reads the computer config settings as normal.
3. Then (merge mode only) during login the user first reads their own policies linked to them elsewhere.
4. Then the user reads the user policies in the GPO linked to the computer account. In the case of merge mode, these settings overrule those in 3. in the event of a conflict. In 'Replace' mode, only these settings are read.

Therefore both the user and the computer need to have the rights to read and apply the policy linked to the computer. The default 'Authenticated Users' should cover this, but you would need to bear this in mind if you applied any other Security Filtering to this GPO.

With regards to the proxy GPO settings, you're right, why you can't just set the proxy info in the Computer Config section is beyond me as well (I may be missing something myself!). The policy I mentioned above makes the settings per machine, but doesn't actually set them. You would need to set them, maybe with a startup script or a custom ADM.

Have a read of this:

This article details the use of reg.exe to set the relevant HKLM values. Saved as a .bat and applied as a startup script, I think this may solve the problem.

However, like I said before, if you're looking at employing loopback to configure the complete user environment, you may want to just go down this route.
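
The startup-script approach and the two policies discussed in this thread, as an added PowerShell example that is not from any poster or from the linked article. The proxy address and bypass list are placeholders, and the registry value names are not quoted in the thread: `ProxySettingsPerUser` backs "Make proxy settings per machine", `UserPolicyMode` backs loopback processing, and `ProxyEnable`/`ProxyServer`/`ProxyOverride` are the standard WinINet proxy values.

```powershell
# Added example: set the per-machine proxy at startup and report whether the
# policies from the thread are actually in effect on this server.
$ProxyServer   = 'proxy.example.internal:8080'   # placeholder, not from the thread
$ProxyOverride = '<local>'                       # placeholder bypass list

$PolicyIE  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicySys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$MachineIE = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Set-MachineProxy {
    # Writes the HKLM values that are read once proxy settings are per machine.
    if (-not (Test-Path $MachineIE)) { New-Item -Path $MachineIE -Force | Out-Null }
    New-ItemProperty -Path $MachineIE -Name ProxyEnable   -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $MachineIE -Name ProxyServer   -PropertyType String -Value $ProxyServer -Force | Out-Null
    New-ItemProperty -Path $MachineIE -Name ProxyOverride -PropertyType String -Value $ProxyOverride -Force | Out-Null
}

function Test-ProxyPolicyState {
    $loopback = Get-RegValue $PolicySys 'UserPolicyMode'
    $mode = 'Not configured'
    if ($loopback -eq 1) { $mode = 'Merge' } elseif ($loopback -eq 2) { $mode = 'Replace' }
    [pscustomobject]@{
        # 0 means the "per machine (rather than per user)" policy is enabled
        PerMachinePolicy = ((Get-RegValue $PolicyIE 'ProxySettingsPerUser') -eq 0)
        LoopbackMode     = $mode
        ProxyEnable      = Get-RegValue $MachineIE 'ProxyEnable'
        ProxyServer      = Get-RegValue $MachineIE 'ProxyServer'
    }
}

Set-MachineProxy
$state = Test-ProxyPolicyState
if (-not $state.PerMachinePolicy) {
    Write-Warning 'Per-machine proxy policy is not applied; users still get per-user proxy settings.'
}
$state | Format-List
```

Assigned as a computer startup script it runs as Local System, which can write under HKLM; standard users cannot, which is what keeps the setting fixed for non-admins.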
