Proxy Settings - Domain Policy

i don't know how many users you want this on but you might have to go around and disable the proxy settings manually and then apply the policy. i don't know if im understanding though, do you have a proxy server?

with GPOs deselecting something that was previously set does not revers the setting. it just doesn't enforce teh setting

so if for example you had a policy that applied a proxy setting and this policy isapplied to all users in yrou domain. then the proxy settings are set as per your policy.

if you then decide to disable the policy you had set when the policy is applied it does not reverse what was previously set. the policy may be disabled but the settings for all users remains as it was the last time the setting was updated by the policy, so in this case the Proxy settings would still be set.

 to reverse a setting that was previously set and revert a setting to its default  you need to create a new policy that is the reverse of the one that you want to remove.

So for example.  Before I apply a policy that disabled the setting of a Proxy in Internet Explorer, the user of a client checked those boxes, then I apply a setting disabling the changing, it won't uncheck the use proxy option?  To have to do that manually for each computer (not even knowing which ones they are until the user reports that they can't use the web browser) seems odd.  You'd figure there would be an option in the Domain Policy to make sure that those proxy settings were uncheked AND the option to check them was disabled.
Gridlock137 - Over 265 and we don't use a proxy server.

It just seems odd that I could set a domain policy to use a proxy(checking the box), but then couldn't undo that same policy thereby unchecking the box.

test it with one machine, use a machine that has the proxy box checked (you can use yours for test purpose) and apply the policy that disbales the proxy. go to the machine and do a start > run> gpupdate /force and check your internet settings and see if it's unchecked and disabled. now remember this will not work on other browsers, this is only meant for IE, you will have to uninstall all third party browsers.

i have done this before and unfortunately i had to do some walkups on some machines and manually uncheck the setting then apply the policy on the spot by running the above command.

easiest way I found was on day one set a policy to check the box, then manually do a GP update on all machines and verify that it has been set.  then create a policy to uncheck it and do an update again, this gets everyones proxy setting as unchecked no matter what it was. then set a policty to disable the proxy settings/disable user from changing. the last two could probably be done in one GOP.

the problem with GPS is that by simply disabling a policy it doesn't revert the setting to its default value (at least in 2003 it doesn't), it just doesn't apply anything so what ever state that setting is in it remains that way.  a lot of admins, myself included when we create GPOs we don't create a policy to reverse the changes made by the policy. probably out of laziness

best thing to do as GridLock137 said was create a policy for a test OU and play with it, once you're sure it will work apply that policy to everyone that needs it.

When you say create a policy that checks the box then create a policy to uncheck the box, what you're really saying is enable proxy settings and create a setting, then simply disable that same policy which should uncheck the box, then set a policy that says the proxy can't be set at all.  Correct?

No you create a policy with one set of settings and apply it. Then disable that policy. Then create a second policy that is the inverse of the first. Simply disabling a policy won't reverse the changes made by the policy. A gpo looks to see if a setting is applied on a pc if it is it does nothing, if its not it applies that setting. By disabling a gpo in ad all that happens is that setting is not checked at boot so what ever the previous setting was remains the same.

To over come this you need to reverse what was applied using a gpo. So you create a gpo to do the inverse of your first policy. So if policy 1 is set to configure the proxy as 10.10.1.1 you apply this policy and ensure all pcs get this. Then you disable policy one in gp editor and create policy 2 that disables the proxy ip so it is specifically set to not have an ip and them maybe have the ip setting unchecked and greyed out so the user can't change it. That way users don't use a proxy.

Taking it one step further if you have different users that need a proxy and some that don't then you create policies at the OU level and not domain level or one generic domain one as a catch all and one on an OU if needed.

 It's been a while so I'm gray on the actual settings I'll double check gpo tomorrow in the office and let you know what I think needs setting. But the sum is that to undo a gpo you must create a policy that reverses the settings, disabling a poilicy won't make any changes to the pc they stay as they are as if the original poilicy was applied

Not sure what the difference is between setting a polcity and then creating a policy to undo that policy and simply enabling Proxy Settings with no setting then undoing that.  Seems that having Proxy Server unchecked for the domain should uncheck the box for all domain workstations.  Anyway... I consider this a flaw in GP if it's not able to simply make sure that Proxy Settings checkbox is unchecked and that users can't modify that setting.

Your forgetting gpos make changed to the default setting on the pc. In general the default setting is no op set and no check box checked or grayed out. So once you create a policy it changes the state for that setting from it's default to become something new. If you then disable your policy when the pc boots it checks the gpos applied to it for each setting, if there are no new changes put in place by a gpo then the setting stays as is.

So the default is nothing set. You create and apply a policy that sets the ip address for each user. When the pc boots and the user logs on they have the proxy set to the setting in your policy. This configuration becomes the new default until a new poilicy comes along to change it. So deleting a gpo doesn't change what you previously set it just means that no new machines receive those changes.

Remember also that the default setting is n/a or nothing set in most gpos so even if you create a policy and remove it the defaukt domain policy doesn't undo those changes because the chances are the defaukt setting for the object is do nothing

Just reading something there it says by default a setting is "not enabled" so when you create a policy you enable that specific setting. To reverse the change you made with your policy you need to change the setting to "not configured" this will reverse what was set by your past policy.

To reverse a policy you need to know what the default is. And gp editor should tell you in the description of the policy.  

I'll have a look at the actual settings in the morning.

Just to clarify do you want to give the users a proxy ip and stop them from changing it or do you want it set that there is no ip and the users can't change it

I've attached some MS documentation  and also a screen shot of what the default proxy setting in GPO looks like


as you can see it says "by default a GP is not enabled...if you want to remove enabled settings you select Not Configured" the confusion I see here is that for Proxy settings there is no "enable" "disable" "not Configured" as there is for other settings.

What I'd do is create a GPO to apply a proxy of what ever your gateway address is to everone. so I'd go to User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings - select Enable Proxy Settings and put in an IP.

then do a gpupdate /force on all users and verify that they get the setting.

once that is done go back to the policy and select User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings and uncheck the enable option. then do another gpupdate /force this should bring everyone back to the same settings. i.e. no proxy details set.

now that you have everyone set up with no proxy IP and teh ability to add or remove prosy details as tehy wish you decide what you want. do you wnat an proxy of so you add teh details using  User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings then select enable and put in teh IP detail. do a GPupdate /force and everyone has a proxi and can change that proxy,

now if you want to restrict their ability to chaneg teh proxy you go to User Config - Admin Templates - Internet Explorer and  there's an option for Disable Changing Proxy Settings.

the default status for this is Not Configured. what that means is that the user has control over that setting and can enable or disable a proxy as they see fit and can add or change a proxy IP if they want if this policy is left in its default. So to restict a users ability to change proxy settings you also need to enable this option. by enabling it you restrict the users ability to make changes to proxy details.

if your setup currently restricts the user from being able to change proxy settings but you want to allow them to make changes then you simply select Disable, by disabling it you should removed the greyed out box from their internet settings.  

if you leave this as Not Configured then the setting stays in what ever state it is on the PC right now. So if one PC has a it set to disallow the user to change it will remain that way and if a second user for some reason has the ability to change then they will also retain the ability to change because you are not forcing a configuration chnage by not configuring it.
gpo.tif
gpo2.png

Seems this is more complicated that it shoudl be.  My understanding so far is that I would have to create a policy, apply it to all of the domain computers and then create a second policy to undo the first.  The real problem is that not all computers are on at the same time so the first policy wouldn't be applied to all machines to therefor apply the second policy.  I wish there were simply a way to make a change in the domain policy to have those boxes both unchecked AND unable to be modified. Why does that have to be so complicated?

Thanks for the reply.  I want (in your choices above) to perform C) Want no proxy and make it so users cannot add a proxy IP.

If I have to apply a poilcy turning on a proxy well, that will affect users who are actually using their computers (we have no proxy server) and cannot wait for all computers to log onto the network to recieve the policy to then reverse that policy.  It simply makes no sense why there isn't an option in the domain policy to 1.  Make sure that using a proxy server is not checked.  and 2. Disabling the ability to change that setting.  Why does that have to be so complicated???

What I'd try then is set a policy that has proxy enabled but don't actually put in an ip. If I'm right it should clear the ip, set a second setting. In the sa€e policy that does not stop people from changing proxy setting. Then on a case by case basis for each user that then has an issue with accessing the web ie users that do have an ip manually remove the ip setting. A week later changes. This policy so that proxy ip is noyt enables and also locks the setting so users can not change it.

I can't think of an easier way or a way you can automatically switch over it will require some manual intervention
 

This seems to be the best option although, it would still be a good idea if domain policy settings allowed to have the proxy option unchecked, blank, and set to not allow users to modify it.  Negative points for Microsoft.