

Group Policy does not work as expected when setting up proxy

Posted on 2009-07-03
Medium Priority
Last Modified: 2013-11-25
I have an OU that contains only computer objects which are all Citrix servers. It is necessary to set up all of these servers so that they each meet the following single criterion with regard to proxy settings:

1) All of the servers have a permanent proxy setting that users cannot change (except admins)

Sounds pretty simple, but I am running into a few roadblocks.

I thought that I could simply create a group policy for these servers in the OU where they reside and set the proxy setting as a "machine" based policy rather than per user. Then, as a test, I logged into one of the Citrix servers after refreshing the policy as an administrator and I set the proxy settings. I logged out, logged in as a normal user and I did not have the settings and I was freely able to change, disable or enable the settings. OK, plan A did not appear to work. I figured there was no point setting the USER group policy in the OU since there are no users that reside within the Citrix OU; they are instead outside in various other OUs within the same domain. But I tried it anyway, setting the proxy server in the USER config, and again, this did not seem to work.

To top this off, I am slightly confused why the Computer config in the GP that I created does not have a section to actually enter the proxy settings. I know that I could probably create a custom ADM file to do this, and in fact this might be the way to go, or maybe it's overkill and there is a simple fix that I am overlooking. Or maybe... just maybe, group policy is not the way to go?

Looking for a light at the end of the tunnel,

Question by:Lab_Tech
LVL 71

Expert Comment

by:Chris Dent
ID: 24776450


Fortunately there is some light back there :)

You need to enable Group Policy Loopback Processing. Doing so allows you to apply user policy to everyone who logs onto a specific machine.

To do that...

1. Open the group policy you created for the proxy settings
2. Expand Computer Configuration / Administrative Templates / System / Group Policy
3. Open the "User Group Policy loopback processing mode" policy.
4. Set Merge or Replace depending on what you want to happen to policies that would normally apply to the user

LVL 27

Expert Comment

ID: 24776978
As well as loopback processing, there is a computer config setting which makes the proxy settings per-machine as opposed to per-user.
It depends really whether you want to make ALL group policy settings per machine (loopback), or just the proxy settings. The setting to just make the proxy settings per machine is:
Computer Configuration | Administrative Settings | Windows Components | Internet Explorer | Make proxy settings per machine (rather than per user)
Description of this policy from the console:
"Applies proxy settings to all users of the same computer.
If you enable this policy, users cannot set user-specific proxy settings. They must use the zones created for all users of the computer.
If you disable this policy or do not configure it, users of the same computer can establish their own proxy settings.
This policy is intended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user."
I would personally say that you may want to look into using loopback for a Citrix server to lock down all user settings, but in the meantime you can be more granular with this policy.

Author Comment

ID: 24784736
Hi BluntTony;
As mentioned in my original post, I had already enabled the "Make proxy settings per machine".
I tried the loopback processing and there appears to be no effect in the way it works with the Citrix servers.

Now, my understanding is that I have to set the actual proxy settings in the "USER" part of the policy, this then gets applied at the COMPUTER level, or maybe I am missing something?

LVL 71

Expert Comment

by:Chris Dent
ID: 24784751

Correct, provided loopback processing is enabled and applies to the computer account. The "user" portion of the policy should also be applied to the computer account.

LVL 27

Accepted Solution

bluntTony earned 2000 total points
ID: 24785253
Sorry, it wasn't clear to me from the question whether you had specifically used this policy or not.

Loopback processing works like this:

1. You create the GPO with loopback enabled, configure the USER settings in this GPO, and link it to the OU holding the computers.
2. On machine startup, the computer reads the computer config settings as normal.
3. Then (merge mode only) during login the user first reads their own policies linked to them elsewhere.
4. Then the user reads the user policies in the GPO linked to the computer account. In the case of merge mode, these settings overrule those in 3. in the event of a conflict. In 'Replace' mode, only these settings are read.

Therefore both the user and the computer need to have the rights to read and apply the policy linked to the computer. The default 'Authenticated Users' should cover this, but you would need to bear this in mind if you applied any other Security Filtering to this GPO.

With regards to the proxy GPO settings, you're right, why you can't just set the proxy info in the Computer Config section is beyond me as well (I may be missing something myself!). The policy I mentioned above makes the settings per machine, but doesn't actually set them. You would need to set them, maybe with a startup script or a custom ADM.

Have a read of this: http://windowsitpro.com/article/articleid/85089/jsi-tip-10097-how-do-i-override-the-users-proxy-entries-on-a-specific-computer.html

This article details the use of reg.exe to set the relevant HKLM values. Saved as a .bat and applied as a startup script, I think this may solve the problem.

However, like I said before, if you're looking at employing loopback to configure the complete user environment, you may want to just go down this route.
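
The startup-script approach from the accepted answer, combined with a check of the two policies discussed in this thread (loopback processing and "Make proxy settings per machine"), as an added PowerShell example that is not part of the original thread or of the linked article, which uses reg.exe in a .bat file. The proxy host and bypass list are placeholders; the registry value names ProxySettingsPerUser and UserPolicyMode are the ones those two policies write.

```powershell
# Added example: computer startup script (runs as SYSTEM). Not from the thread
# or the linked article. $ProxyServer / $ProxyBypass are constructed placeholders.
$ProxyServer = 'proxy.example.internal:8080'
$ProxyBypass = '*.example.internal;<local>'

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$SettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$GpSystemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. "Make proxy settings per machine" writes ProxySettingsPerUser = 0.
#    Until that is in place, the HKLM values written below are not what IE uses.
$perUser = Get-RegValue $PolicyKey 'ProxySettingsPerUser'
if ($perUser -ne 0) {
    Write-Warning "Per-machine proxy policy not applied (ProxySettingsPerUser = '$perUser')"
}

# 2. Write the machine-wide proxy values (the step the policy itself does not do).
if (-not (Test-Path $SettingsKey)) { New-Item -Path $SettingsKey -Force | Out-Null }
Set-ItemProperty -Path $SettingsKey -Name ProxyEnable   -Value 1            -Type DWord
Set-ItemProperty -Path $SettingsKey -Name ProxyServer   -Value $ProxyServer -Type String
Set-ItemProperty -Path $SettingsKey -Name ProxyOverride -Value $ProxyBypass -Type String

# 3. Loopback mode as applied to this computer: 1 = Merge, 2 = Replace.
$mode = Get-RegValue $GpSystemKey 'UserPolicyMode'
$modeName = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }

# 4. Read everything back so drift shows up in the startup script output or a log.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    PerMachinePolicyOn = ($perUser -eq 0)
    ProxyEnable        = Get-RegValue $SettingsKey 'ProxyEnable'
    ProxyServer        = Get-RegValue $SettingsKey 'ProxyServer'
    ProxyOverride      = Get-RegValue $SettingsKey 'ProxyOverride'
    LoopbackMode       = $modeName
}
```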
