Solved

Group Policy does not work as expected when setting up proxy

Posted on 2009-07-03
Last Modified: 2013-11-25
I have an OU that contains only computer objects which are all Citrix servers. It is necessary to set up all of these servers so that they each meet the following single criterion with regards to proxy settings:

1) All of the servers have a permanent proxy setting that users cannot change (except admins)
 
Sounds pretty simple, but I am running into a few roadblocks.

I thought that I could simply create a group policy for these servers in the OU where they reside and set the proxy setting as a "machine" based policy rather than per user. Then, as a test, I logged into one of the Citrix servers after refreshing the policy as an administrator and I set the proxy settings. I logged out, logged in as a normal user, and I did not have the settings and I was freely able to change, disable or enable the settings. OK, plan A did not appear to work. I figured there was no point setting the USER group policy in the OU since there are no users that reside within the Citrix OU (they are instead outside in various other OUs within the same domain), but I tried it anyway, setting the proxy server in the USER config; again, this did not seem to work.

To top this off, I am slightly confused why the Computer config in the GP that I created does not have a section to actually enter the proxy settings. I know that I could probably create a custom ADM file to do this, and in fact this might be the way to go, or maybe it's overkill and there is a simple fix that I am overlooking. Or maybe... just maybe, group policy is not the way to go?
Looking for a light at the end of the tunnel,

Lab_tech
Question by:Lab_Tech
5 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24776450

Hey,

Fortunately there is some light back there :)

You need to enable Group Policy Loopback Processing. Doing so allows you to apply user policy to everyone who logs onto a specific machine.

To do that...

1. Open the group policy you created for the proxy settings
2. Expand Computer Configuration / Administrative Templates / System / Group Policy
3. Open the "User Group Policy loopback processing mode" policy.
4. Set Merge or Replace depending on what you want to happen to policies that would normally apply to the user

Chris
 
LVL 27

Expert Comment

by:bluntTony
ID: 24776978
As well as loopback processing, there is a computer config setting which makes the proxy settings per-machine as opposed to per-user.
It depends really whether you want to make ALL group policy settings per machine (loopback), or just the proxy settings. The setting to just make the proxy settings per machine is:
Computer Configuration | Administrative Settings | Windows Components | Internet Explorer | Make proxy settings per machine (rather than per user)
Description of this policy from the console:
"Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user."
I would personally say that you may want to look into using loopback for a Citrix server to lockdown all user settings, but in the meantime you can be more granular with this policy.
 

Author Comment

by:Lab_Tech
ID: 24784736
Hi BluntTony;
As mentioned in my original post, I had already enabled the "Make proxy settings per machine" policy.
I tried the loopback processing and there appears to be no effect in the way it works with the Citrix servers.

Now, my understanding is that I have to set the actual proxy settings in the "USER" part of the policy, this then gets applied at the COMPUTER level, or maybe I am missing something?

 
LVL 70

Expert Comment

by:Chris Dent
ID: 24784751

Correct, provided loopback processing is enabled and applies to the computer account. The "user" portion of the policy should also be applied to the computer account.

Chris
 
LVL 27

Accepted Solution

by:bluntTony (earned 500 total points)
ID: 24785253
Sorry, it wasn't clear to me from the question whether you had specifically used this policy or not.

Loopback processing works like this:

1. You create the GPO with loopback enabled, configure the USER settings in this GPO, and link it to the OU holding the computers.
2. On machine startup, the computer reads the computer config settings as normal.
3. Then (merge mode only) during login the user first reads their own policies linked to them elsewhere.
4. Then the user reads the user policies in the GPO linked to the computer account. In the case of merge mode, these settings overrule those in 3. in the event of a conflict. In 'Replace' mode, only these settings are read.

Therefore both the user and the computer need to have the rights to read and apply the policy linked to the computer. The default 'Authenticated Users' should cover this, but you would need to bear this in mind if you applied any other Security Filtering to this GPO.

With regards to the proxy GPO settings, you're right, why you can't just set the proxy info in the Computer Config section is beyond me as well (I may be missing something myself!). The policy I mentioned above makes the settings per machine, but doesn't actually set them. You would need to set them, maybe with a startup script or a custom ADM.

Have a read of this: http://windowsitpro.com/article/articleid/85089/jsi-tip-10097-how-do-i-override-the-users-proxy-entries-on-a-specific-computer.html

This article details the use of reg.exe to set the relevant HKLM values. Saved as a .bat and applied as a startup script, I think this may solve the problem.

However, like I said before, if you're looking at employing loopback to configure the complete user environment, you may want to just go down this route.
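The following is an added example, not code from the thread or from the linked article. It turns the two mechanisms discussed above into a single PowerShell startup script: the "Make proxy settings per machine" policy (bluntTony's comment) only changes where Windows reads proxy settings from, so the script also writes the actual proxy values to HKLM, which is what the reg.exe approach in the accepted answer does, and then reads back the loopback mode (Chris Dent's comment) and the effective proxy state so the result can be verified after `gpupdate /force` and a reboot. The proxy address, bypass list and script path are assumptions for illustration; the registry locations are the ones the corresponding policies write to.

```powershell
# Added example (not from the original thread). Run as a computer startup script
# (it executes as SYSTEM) or from an elevated prompt for testing.
# Assumed values: replace the proxy and bypass list with your own.
$ProxyServer   = 'proxy.corp.example:8080'   # assumption, not from the thread
$ProxyOverride = '*.corp.example;<local>'    # assumption, not from the thread

# Registry locations behind the policies discussed in the thread.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'  # "Make proxy settings per machine"
$MachineKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'           # machine-wide proxy values
$LoopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'                            # "User Group Policy loopback processing mode"

function Set-MachineProxy {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Override = '<local>'
    )
    # 1. Enabling "Make proxy settings per machine" sets ProxySettingsPerUser = 0.
    #    With this in place, per-user proxy settings under HKCU are ignored.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name ProxySettingsPerUser -Value 0 -Type DWord

    # 2. The policy does not supply the values themselves; they have to exist in
    #    the machine hive. This is the part the accepted answer covers with reg.exe.
    New-Item -Path $MachineKey -Force | Out-Null
    Set-ItemProperty -Path $MachineKey -Name ProxyEnable   -Value 1         -Type DWord
    Set-ItemProperty -Path $MachineKey -Name ProxyServer   -Value $Server   -Type String
    Set-ItemProperty -Path $MachineKey -Name ProxyOverride -Value $Override -Type String
}

function Get-ProxyEnforcementState {
    # Reads back what is actually in effect on this machine so the GPO result
    # can be checked rather than assumed.
    $perUser  = (Get-ItemProperty -Path $PolicyKey   -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $loopback = (Get-ItemProperty -Path $LoopbackKey -Name UserPolicyMode        -ErrorAction SilentlyContinue).UserPolicyMode
    $machine  =  Get-ItemProperty -Path $MachineKey -ErrorAction SilentlyContinue

    # UserPolicyMode: 1 = Merge, 2 = Replace (the two choices in the loopback policy).
    $loopbackMode = 'Not configured'
    if ($loopback -eq 1) { $loopbackMode = 'Merge' }
    elseif ($loopback -eq 2) { $loopbackMode = 'Replace' }

    [pscustomobject]@{
        ProxyPerMachine = ($perUser -eq 0)
        LoopbackMode    = $loopbackMode
        ProxyEnable     = $machine.ProxyEnable
        ProxyServer     = $machine.ProxyServer
        ProxyOverride   = $machine.ProxyOverride
    }
}

# Writing to HKLM needs an elevated context; fail loudly instead of silently doing nothing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run elevated (or as a computer startup script).'
}

Set-MachineProxy -Server $ProxyServer -Override $ProxyOverride
Get-ProxyEnforcementState | Format-List
```

Two caveats a practitioner would check: first, values written by a startup script are ordinary registry data, not policy, so a local administrator (which the question explicitly allows) can still alter them, and a user policy such as "Prevent changing proxy settings" only reaches users of the Citrix servers if loopback is enabled as Chris Dent describes; second, after applying the GPO, confirm with `gpresult /scope computer /r` and `gpresult /scope user /r` that both the computer and the logged-on user see the GPO, since bluntTony's point about Security Filtering ("Authenticated Users" must cover both) is the usual reason loopback appears to have no effect.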
