Group Policy does not work as expected when setting up proxy

Posted on 2009-07-03
Last Modified: 2013-11-25
I have an OU that contains only computer objects which are all Citrix servers. It is necessary to set up all of these servers so that they each meet the following single criterion with regards to proxy settings:

1) All of the servers have a permanent proxy setting that users cannot change (except admins)
Sounds pretty simple, but I am running into a few roadblocks.

I thought that I could simply create a group policy for these servers in the OU where they reside and set the proxy setting as a "machine" based policy rather than per user. Then, as a test, I logged into one of the Citrix servers after refreshing the policy as an administrator and I set the proxy settings. I logged out, logged in as a normal user and I did not have the settings and I was freely able to change, disable or enable the settings. OK, plan A did not appear to work. I figured there was no point setting the USER group policy in the OU since there are no users that reside within the Citrix OU; they are instead outside in various other OUs within the same domain. But I tried it anyway, setting the proxy server in the USER config, and again, this did not seem to work.

To top this off, I am slightly confused why the Computer config in the GP that I created does not have a section to actually enter the proxy settings. I know that I could probably create a custom ADM file to do this, and in fact this might be the way to go, or maybe it's overkill and there is a simple fix that I am overlooking. Or maybe.....just maybe, group policy is not the way to go?
Looking for a light at the end of the tunnel,

Question by:Lab_Tech

Expert Comment

by:Chris Dent
ID: 24776450


Fortunately there is some light back there :)

You need to enable Group Policy Loopback Processing. Doing so allows you to apply user policy to everyone who logs onto a specific machine.

To do that...

1. Open the group policy you created for the proxy settings
2. Expand Computer Configuration / Administrative Templates / System / Group Policy
3. Open the "User Group Policy loopback processing mode" policy.
4. Set Merge or Replace depending on what you want to happen to policies that would normally apply to the user


Expert Comment

ID: 24776978
As well as loopback processing, there is a computer config setting which makes the proxy settings per-machine as opposed to per-user.
It depends really whether you want to make ALL group policy settings per machine (loopback), or just the proxy settings. The setting to just make the proxy settings per machine is:
Computer Configuration | Administrative Settings | Windows Components | Internet Explorer | Make proxy settings per machine (rather than per user)
Description of this policy from the console:
"Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user."
I would personally say that you may want to look into using loopback for a Citrix server to lock down all user settings, but in the meantime you can be more granular with this policy.

Author Comment

ID: 24784736
Hi BluntTony;
As mentioned in my original post, I had already enabled the "Make proxy settings per machine".
I tried the loopback processing and there appears to be no effect in the way it works with the Citrix servers.

Now, my understanding is that I have to set the actual proxy settings in the "USER" part of the policy, this then gets applied at the COMPUTER level, or maybe I am missing something?


Expert Comment

by:Chris Dent
ID: 24784751

Correct, provided loopback processing is enabled and applies to the computer account. The "user" portion of the policy should also be applied to the computer account.


Accepted Solution

bluntTony earned 500 total points
ID: 24785253
Sorry, it wasn't clear to me from the question whether you had specifically used this policy or not.

Loopback processing works like this:

1. You create the GPO with loopback enabled, configure the USER settings in this GPO, and link it to the OU holding the computers.
2. On machine startup, the computer reads the computer config settings as normal.
3. Then (merge mode only) during login the user first reads their own policies linked to them elsewhere.
4. Then the user reads the user policies in the GPO linked to the computer account. In the case of merge mode, these settings overrule those in 3. in the event of a conflict. In 'Replace' mode, only these settings are read.

Therefore both the user and the computer need to have the rights to read and apply the policy linked to the computer. The default 'Authenticated Users' should cover this, but you would need to bear this in mind if you applied any other Security Filtering to this GPO.

With regards to the proxy GPO settings, you're right, why you can't just set the proxy info in the Computer Config section is beyond me as well (I may be missing something myself!). The policy I mentioned above makes the settings per machine, but doesn't actually set them. You would need to set them, maybe with a startup script or a custom ADM.

Have a read of this:

This article details the use of reg.exe to set the relevant HKLM values. Saved as a .bat and applied as a startup script, I think this may solve the problem.

However, like I said before, if you're looking at employing loopback to configure the complete user environment, you may want to just go down this route.
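
The startup-script approach from the accepted answer, sketched in PowerShell as an added example that is not part of the original thread or the article it refers to. The proxy address and bypass list are placeholders; the registry value names are the standard Internet Explorer/WinINET ones, and the script assumes it runs as a computer startup script (SYSTEM context), so standard users cannot modify what it writes under HKLM.

```powershell
# Added example: computer startup script that pins per-machine proxy settings.
# $ProxyServer and $ProxyBypass are placeholder values, not taken from the thread.
$ProxyServer = 'proxy.example.internal:8080'
$ProxyBypass = '<local>'

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$gpSystem   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = Get-RegValue $Path $Name
    if ($current -ne $Value) {
        # Idempotent: only write (and report) when the value has drifted.
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        Write-Output "changed  $Name : '$current' -> '$Value'"
    } else {
        Write-Output "ok       $Name = '$Value'"
    }
}

# The "Make proxy settings per machine" policy writes ProxySettingsPerUser = 0.
# It only switches IE to the HKLM values; it does not set them, so check it first.
if ((Get-RegValue $policyKey 'ProxySettingsPerUser') -ne 0) {
    Write-Warning 'Per-machine proxy policy is not applied; HKLM proxy values will be ignored.'
}

# The actual proxy values, read from HKLM once the policy above is in effect.
Set-RegValue $machineKey 'ProxyEnable'   1            'DWord'
Set-RegValue $machineKey 'ProxyServer'   $ProxyServer 'String'
Set-RegValue $machineKey 'ProxyOverride' $ProxyBypass 'String'

# Report the loopback mode the computer received (1 = Merge, 2 = Replace).
$mode = Get-RegValue $gpSystem 'UserPolicyMode'
if     ($mode -eq 1) { Write-Output 'loopback: Merge' }
elseif ($mode -eq 2) { Write-Output 'loopback: Replace' }
else                 { Write-Output 'loopback: not configured on this machine' }
```

Running `gpresult` for a test user on one of the servers afterwards shows whether the GPO linked to the computer OU was actually applied or was filtered out.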

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You can provide a virtual interface for remote stakeholders in a SWOT analysis through a Google Drawing template. By making real time viewing and collaboration possible, your team can build a stronger product.
"Disruption" is the most feared word for C-level executives these days. They agonize over their industry being disturbed by another player - most likely by startups.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now