Group Policy and RSoP shows policy being applied but does not work

I am implementing a Windows 2003 R2 Terminal Server into an existing domain that already has 2 Terminal Servers with Windows 2003 (not R2).  I have a group policy called 'Block Internet' that has worked (and still does) on the 2 pre-existing Terminal Servers, but it doesn't work on the new Terminal Server even though running RSoP for the account that has the policy applied shows that it has been applied.  The purpose of the policy is to block all internet sites except for our corporate extranet (and all links within it) and our intranet.
RSoP-TA3.JPG
z1ldj3nAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Justin OwensITIL Problem ManagerCommented:
Are you saying that your GPO doesn't set the proxy server settings on the R2 TS server?
0
DonNetwork AdministratorCommented:
0
DonNetwork AdministratorCommented:
setting the following may help
 
Computer Configuration\Administrative Templates\System\Group Policy\IE Maintenance Policy Processing. Set to Enabled and "Process even if the Group Policy Objects have not changed".
0
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

z1ldj3nAuthor Commented:
Reply to DrUltima - That is correct...other GPO's are applied successfully, but not the 'Block Internet'.  One thing I just noticed is the other 2 Terminal Servers are running IE6...the new one is running IE8.

Reply to dstewartjr - I made the setting you requested but it doesn't seem to be applying the Computer Conguriation...I have verified the GPO Status is set to Enabled...I also ran gpupdate /force on the DC and new server.
0
Justin OwensITIL Problem ManagerCommented:
If you run a GPRESULT on the TS server which does not have the proxy set up, do you see the "Block Internet" as one of the applied policies?
0
z1ldj3nAuthor Commented:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/12/2010 at 11:55:14 AM



RSOP data for CHROM\johdoe on TS3 : Logging Mode
-------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:            
Local Profile:               C:\Documents and Settings\johdoe
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=John Doe,OU=CDAL,DC=CHROM,DC=com
    Last time Group Policy was applied: 4/12/2010 at 11:54:05 AM
    Group Policy was applied from:      dc1.CHROM.COM
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CHROM
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Block Internet
        SS2Users2
        Default Domain Policy
        IE Logo

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        SS2 User2 Security
       
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoBandCustomize
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
                Value:       128, 203, 164, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Size
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_History
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetworkConnections
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\NetCache\NoConfigCache
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                Value:       51, 0, 54, 0, 48, 0, 48, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Messenger\Client\PreventRun
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Stop
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Back
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                Value:       49, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Discussions
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Home
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\NoWebJITSetup
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SpecifyDefaultButtons
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Forward
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE
                Value:       108, 0, 111, 0, 103, 0, 111, 0, 110, 0, 46, 0, 115, 0, 99, 0, 114, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Tools
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Fullscreen
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Copy
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Favorites
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Refresh
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
                Value:       128, 203, 164, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Encoding
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_MailNews
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Cut
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Search
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Folders
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Edit
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Paste
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                Value:       48, 0, 0, 0
                State:       Enabled

            GPO: Block Internet
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Btn_Print
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: SS2Users2
                KeyName:     Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
                Value:       1, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Block Internet
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

            HTTP Proxy Server:   71.183.125.138:80
            Secure Proxy Server: 71.183.125.138:80
            FTP Proxy Server:    71.183.125.138:80
            Gopher Proxy Server: 71.183.125.138:80
            Socks Proxy Server:  71.183.125.138:80
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Block Internet
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            Always Viewable Sites:     http://cdal
                                   http://insight.chromalloy.com
                                   
            Password Override Enabled: True

            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Block Internet
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       Yes
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Block Internet
                Import the current Program Settings: No
0
DonNetwork AdministratorCommented:
You could  try  "Reset Browser Settings" as mentioned here
 
http://support.microsoft.com/kb/325342/ 
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DonNetwork AdministratorCommented:
Is your list of exceptions longer than 255 characters?
0
z1ldj3nAuthor Commented:
Yes...837 characters.
0
DonNetwork AdministratorCommented:
This will help with that limitation
 
http://support.microsoft.com/kb/302224/en-us 
0
DonNetwork AdministratorCommented:
Service pack 2 also took care of the limit : ^ )
0
z1ldj3nAuthor Commented:
Service Pack 2 is already installed.
0
DonNetwork AdministratorCommented:
Yeah didnt see that part until I already posted  comment. Did you try the "Reset Browser Settings" as I mentioned above?
0
z1ldj3nAuthor Commented:
Would I do that on the Domain Contoller or TS or both?
0
z1ldj3nAuthor Commented:
Nevermind...I think you meant in the 'Block Internet' GPO...right?
0
DonNetwork AdministratorCommented:
Yes 'Block Internet' GPO
0
z1ldj3nAuthor Commented:
OK...now we're getting close!  I applied the "Reset Browser Settings" in the 'Block Internet' GPO...then entered the proxy address only (I did not enter anything in the exceptions) and it worked!  Now I will try adding the exceptions and let you know if it works or not.
0
DonNetwork AdministratorCommented:
Cool beans ; ^ )
0
z1ldj3nAuthor Commented:
So far so good!  It allows access to the corporate extranet and the intranet only...but not for the exceptions list;  when I enter an address from the exceptions list it just shows the home page of the corporate extranet.
0
z1ldj3nAuthor Commented:
It doesn't affect the other 2 Terminal Servers...I can access sites from the exception list on them.
0
z1ldj3nAuthor Commented:
I can live with things the way they are now!!...at least they can't access any other sites, too.  You fixed the main issue.  Thank you!!!!!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.