Solved

Proxy Settings - Domain Policy

Posted on 2010-11-08
Last Modified: 2012-05-10
Hi all.  I see that I can enable proxy settings via Domain Policy.  I see that I can disable changing proxy settings via Domain Policy.  I do not see a way of unchecking proxy settings and then disabling the changing of them via Domain Policy.  In other words, if a client has the Proxy Settings box checked before I apply the policy that disables changing it, it will stay checked.  If I uncheck the setting for setting the proxy setting, that does not ensure the proxy setting will be unchecked even after the next reboot.  What am I missing and where can I find it in the Domain Policy?
Question by:ECENTER
16 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 34087408
I don't know how many users you want this on, but you might have to go around and disable the proxy settings manually and then apply the policy. I don't know if I'm understanding though, do you have a proxy server?
 

Expert Comment

by:faolchu
ID: 34092303
With GPOs, deselecting something that was previously set does not reverse the setting. It just doesn't enforce the setting.

So if, for example, you had a policy that applied a proxy setting and this policy is applied to all users in your domain, then the proxy settings are set as per your policy.

If you then decide to disable the policy you had set, when the policy is applied it does not reverse what was previously set. The policy may be disabled but the settings for all users remain as they were the last time the setting was updated by the policy, so in this case the proxy settings would still be set.

To reverse a setting that was previously set and revert a setting to its default, you need to create a new policy that is the reverse of the one that you want to remove.

 
LVL 1

Author Comment

by:ECENTER
ID: 34095458
So for example.  Before I apply a policy that disabled the setting of a Proxy in Internet Explorer, the user of a client checked those boxes, then I apply a setting disabling the changing, it won't uncheck the use proxy option?  To have to do that manually for each computer (not even knowing which ones they are until the user reports that they can't use the web browser) seems odd.  You'd figure there would be an option in the Domain Policy to make sure that those proxy settings were unchecked AND the option to check them was disabled.
Gridlock137 - Over 265 and we don't use a proxy server.

It just seems odd that I could set a domain policy to use a proxy (checking the box), but then couldn't undo that same policy thereby unchecking the box.

 
LVL 7

Expert Comment

by:GridLock137
ID: 34096358
Test it with one machine. Use a machine that has the proxy box checked (you can use yours for test purposes) and apply the policy that disables the proxy. Go to the machine and do a Start > Run > gpupdate /force and check your internet settings and see if it's unchecked and disabled. Now remember this will not work on other browsers, this is only meant for IE; you will have to uninstall all third-party browsers.

I have done this before and unfortunately I had to do some walkups on some machines and manually uncheck the setting, then apply the policy on the spot by running the above command.
 

Expert Comment

by:faolchu
ID: 34100010
The easiest way I found was, on day one, set a policy to check the box, then manually do a GP update on all machines and verify that it has been set. Then create a policy to uncheck it and do an update again; this gets everyone's proxy setting as unchecked no matter what it was. Then set a policy to disable the proxy settings/disable user from changing. The last two could probably be done in one GPO.

The problem with GPs is that by simply disabling a policy it doesn't revert the setting to its default value (at least in 2003 it doesn't); it just doesn't apply anything, so whatever state that setting is in, it remains that way. A lot of admins, myself included, when we create GPOs we don't create a policy to reverse the changes made by the policy, probably out of laziness.

The best thing to do, as GridLock137 said, is to create a policy for a test OU and play with it. Once you're sure it will work, apply that policy to everyone that needs it.
 
LVL 1

Author Comment

by:ECENTER
ID: 34104240
When you say create a policy that checks the box then create a policy to uncheck the box, what you're really saying is enable proxy settings and create a setting, then simply disable that same policy which should uncheck the box, then set a policy that says the proxy can't be set at all.  Correct?
 

Expert Comment

by:faolchu
ID: 34104804
No, you create a policy with one set of settings and apply it. Then disable that policy. Then create a second policy that is the inverse of the first. Simply disabling a policy won't reverse the changes made by the policy. A GPO looks to see if a setting is applied on a PC; if it is, it does nothing, if it's not, it applies that setting. By disabling a GPO in AD all that happens is that setting is not checked at boot, so whatever the previous setting was remains the same.

To overcome this you need to reverse what was applied using a GPO. So you create a GPO to do the inverse of your first policy. So if policy 1 is set to configure the proxy as 10.10.1.1, you apply this policy and ensure all PCs get this. Then you disable policy one in GP editor and create policy 2 that disables the proxy IP so it is specifically set to not have an IP, and then maybe have the IP setting unchecked and greyed out so the user can't change it. That way users don't use a proxy.

Taking it one step further, if you have different users that need a proxy and some that don't, then you create policies at the OU level and not domain level, or one generic domain one as a catch-all and one on an OU if needed.

It's been a while so I'm gray on the actual settings. I'll double check GPO tomorrow in the office and let you know what I think needs setting. But the sum is that to undo a GPO you must create a policy that reverses the settings; disabling a policy won't make any changes to the PC, they stay as they are as if the original policy was applied.
 
LVL 1

Author Comment

by:ECENTER
ID: 34104963
Not sure what the difference is between setting a policy and then creating a policy to undo that policy and simply enabling Proxy Settings with no setting then undoing that.  Seems that having Proxy Server unchecked for the domain should uncheck the box for all domain workstations.  Anyway... I consider this a flaw in GP if it's not able to simply make sure that Proxy Settings checkbox is unchecked and that users can't modify that setting.
 

Expert Comment

by:faolchu
ID: 34106420
You're forgetting GPOs make changes to the default setting on the PC. In general the default setting is no op set and no check box checked or grayed out. So once you create a policy it changes the state for that setting from its default to become something new. If you then disable your policy, when the PC boots it checks the GPOs applied to it for each setting; if there are no new changes put in place by a GPO then the setting stays as is.

So the default is nothing set. You create and apply a policy that sets the IP address for each user. When the PC boots and the user logs on they have the proxy set to the setting in your policy. This configuration becomes the new default until a new policy comes along to change it. So deleting a GPO doesn't change what you previously set, it just means that no new machines receive those changes.

Remember also that the default setting is n/a or nothing set in most GPOs, so even if you create a policy and remove it the default domain policy doesn't undo those changes, because the chances are the default setting for the object is do nothing.
 

Expert Comment

by:faolchu
ID: 34107224
Just reading something there it says by default a setting is "not enabled" so when you create a policy you enable that specific setting. To reverse the change you made with your policy you need to change the setting to "not configured" this will reverse what was set by your past policy.

To reverse a policy you need to know what the default is. And gp editor should tell you in the description of the policy.  

I'll have a look at the actual settings in the morning.

Just to clarify, do you want to give the users a proxy IP and stop them from changing it, or do you want it set that there is no IP and the users can't change it?
 

Expert Comment

by:faolchu
ID: 34109635
I've attached some MS documentation and also a screenshot of what the default proxy setting in GPO looks like.

As you can see, it says "by default a GP is not enabled...if you want to remove enabled settings you select Not Configured". The confusion I see here is that for Proxy settings there is no "enable", "disable", "not Configured" as there is for other settings.

What I'd do is create a GPO to apply a proxy of whatever your gateway address is to everyone. So I'd go to User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings - select Enable Proxy Settings and put in an IP.

Then do a gpupdate /force on all users and verify that they get the setting.

Once that is done, go back to the policy and select User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings and uncheck the enable option. Then do another gpupdate /force; this should bring everyone back to the same settings, i.e. no proxy details set.

Now that you have everyone set up with no proxy IP and the ability to add or remove proxy details as they wish, you decide what you want. Do you want a proxy? If so, you add the details using User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings, then select enable and put in the IP detail. Do a gpupdate /force and everyone has a proxy and can change that proxy.

Now if you want to restrict their ability to change the proxy, you go to User Config - Admin Templates - Internet Explorer and there's an option for Disable Changing Proxy Settings.

The default status for this is Not Configured. What that means is that the user has control over that setting and can enable or disable a proxy as they see fit and can add or change a proxy IP if they want, if this policy is left in its default. So to restrict a user's ability to change proxy settings you also need to enable this option. By enabling it you restrict the user's ability to make changes to proxy details.

If your setup currently restricts the user from being able to change proxy settings but you want to allow them to make changes, then you simply select Disable. By disabling it you should remove the greyed out box from their internet settings.

If you leave this as Not Configured then the setting stays in whatever state it is on the PC right now. So if one PC has it set to disallow the user to change, it will remain that way, and if a second user for some reason has the ability to change then they will also retain the ability to change, because you are not forcing a configuration change by not configuring it.
gpo.tif
gpo2.png
 
LVL 1

Author Comment

by:ECENTER
ID: 34170932
Seems this is more complicated than it should be.  My understanding so far is that I would have to create a policy, apply it to all of the domain computers and then create a second policy to undo the first.  The real problem is that not all computers are on at the same time so the first policy wouldn't be applied to all machines to therefore apply the second policy.  I wish there were simply a way to make a change in the domain policy to have those boxes both unchecked AND unable to be modified. Why does that have to be so complicated?
 

Accepted Solution

by:
faolchu earned 375 total points
ID: 34171439
I'd like to say because it's Microsoft but it's not. The real reason is that a policy is applied just before or during the logon process. So when a machine connects to the domain it checks what machine policies are for it and applies them. Then the login prompt comes on screen and the user can log in. When the user logs in it checks the policies for that user account and applies them. It never checks the policies again until the policy refresh interval, but in general it can't actually apply them even if there are new ones because a user is logged in, so a reboot is often required. That's why in some cases when you do a GPUPDATE /Force you do actually need to reboot, because it's a machine policy change.

In relation to why you have to reverse them, what it comes down to is this.
A policy checks the state of a setting and if different from what the policy says it should be then it sets the setting to how you configured it. So your machine checks its config to see what state that particular setting is. Let's say for example you create a policy that makes everyone's desktop background display your company logo. When the policy is being applied it checks the setting for background image and compares the file path set in the policy to that set on the PC; if it's the same it moves on, if it isn't then it changes that setting to reflect the fact that the background image should be the file at a particular file path. Now if you simply disable that policy on your domain, the next boot the machine doesn't bother checking that setting because there is no policy set that says it must check it. So to go back to your problem, if you set a policy to not allow users to change the proxy IP and this gets applied to all PCs, if you then disable or delete this policy that change is not reflected on the user PCs automatically because there is no policy telling it to. Machines in essence are dumb; it would be great if the OS knew its default and was intelligent enough to know that if there is no policy in place telling me I must have a particular setting then I should change my setting to whatever the factory default is. The problem lies in the fact that not every machine is part of a domain that uses GPOs; there are lots of small offices where the sys admin will manually go to each PC and make the setting changes on the local user/machine policy on that PC.  So what it comes down to is this:

If there is no policy specifically saying a setting MUST be a certain way then the machine will just leave that setting in whatever state it is.

So best practice is that if you apply a policy and you want to remove that policy you need to do one to reverse it. By that I mean you need to create a policy that makes the setting whatever its default is. So to do that you first need to know what the default is. That's where it gets real messy.

I'm getting confused myself here with what you want to actually do now. Do you:

A) Want to apply a proxy IP to all users and make it so they cannot change the IP address
B) Want to apply a proxy to all users and make it so they can change IPs if they want
C) Want no proxy and make it so users cannot add a proxy IP
D) Want no proxy and make it so that users can add a proxy IP

In relation to people being on different shifts, you could put each shift into a different OU.

So shift 1 goes into OU1 and gets policy 1; once you're satisfied that all is well you apply policy 2.
Shift 2 goes into OU2 and gets policy 1, and again you wait to see if all is well before applying policy 2, and so on.

At least that way you are hitting the people as they sign on, making that change and applying what you need to for that shift, and then when the next shift comes in they are hit with the policy and so on. Remember that policies are independent to OUs, so you create the policy and link it to the OU, not just the domain.
 
LVL 1

Author Comment

by:ECENTER
ID: 34175399
Thanks for the reply.  I want (in your choices above) to perform C) Want no proxy and make it so users cannot add a proxy IP.

If I have to apply a policy turning on a proxy well, that will affect users who are actually using their computers (we have no proxy server) and cannot wait for all computers to log onto the network to receive the policy to then reverse that policy.  It simply makes no sense why there isn't an option in the domain policy to 1.  Make sure that using a proxy server is not checked.  and 2. Disabling the ability to change that setting.  Why does that have to be so complicated???
 

Expert Comment

by:faolchu
ID: 34176165

What I'd try then is set a policy that has proxy enabled but don't actually put in an IP. If I'm right it should clear the IP. Set a second setting in the same policy that does not stop people from changing proxy settings. Then on a case-by-case basis, for each user that then has an issue with accessing the web, i.e. users that do have an IP, manually remove the IP setting. A week later, change this policy so that proxy IP is not enabled and also lock the setting so users cannot change it.

I can't think of an easier way or a way you can automatically switch over; it will require some manual intervention.
 
 
LVL 1

Author Closing Comment

by:ECENTER
ID: 34191380
This seems to be the best option although, it would still be a good idea if domain policy settings allowed to have the proxy option unchecked, blank, and set to not allow users to modify it.  Negative points for Microsoft.
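
An added example, not posted by anyone in the thread: a PowerShell audit that lists the logged-on users of a machine whose proxy box is still checked or whose proxy settings are not locked, which is the "which machines are affected" gap raised above. The registry locations it reads (`ProxyEnable` and `ProxyServer` under Internet Settings, and the `Proxy` value written by Disable Changing Proxy Settings) are where Windows stores these settings; they are not given in the thread.

```powershell
# Added example: audit per-user IE proxy state on the local machine.
# Reads the user hives loaded under HKEY_USERS, so run it elevated. Users who
# are not logged on (hive not loaded) are not covered.

$inetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$lockPolicy   = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-UserProxyState {
    param([string]$Sid)
    $root   = "Registry::HKEY_USERS\$Sid"
    $enable = Get-RegValue "$root\$inetSettings" 'ProxyEnable'   # the checkbox
    $server = Get-RegValue "$root\$inetSettings" 'ProxyServer'   # address:port
    $locked = Get-RegValue "$root\$lockPolicy"   'Proxy'         # 1 = user cannot change

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Sid          = $Sid
        ProxyChecked = ($enable -eq 1)
        ProxyServer  = $server
        ChangeLocked = ($locked -eq 1)
        # Option C from the thread: box unchecked AND user cannot change it.
        MeetsOptionC = (($enable -ne 1) -and ($locked -eq 1))
    }
}

# Domain/local user SIDs only: skips service accounts and the *_Classes hives.
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-UserProxyState -Sid $_.PSChildName } |
    Where-Object { -not $_.MeetsOptionC } |
    Format-Table -AutoSize
```

A leftover `ProxyServer` value with `ProxyChecked` false is harmless on its own; the rows to chase are those where `ProxyChecked` is true while `ChangeLocked` is also true, because that user can no longer clear the box.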
Question has a verified solution.