Solved

Proxy Settings - Domain Policy

Posted on 2010-11-08
Last Modified: 2012-05-10
Hi all.  I see that I can enable proxy settings via Domain Policy.  I see that I can disable changing proxy settings via Domain Policy.  I do not see a way of unchecking proxy settings and then disabling the changing of them via Domain Policy.  In other words, if a client has the Proxy Settings box checked before I apply the policy that disables changing it, it will stay checked.  If I uncheck the setting for setting the proxy setting, that does not ensure the proxy setting will be unchecked even after the next reboot.  What am I missing and where can I find it in the Domain Policy?
Question by:ECENTER
16 Comments
 
LVL 7

Expert Comment

by:GridLock137
I don't know how many users you want this on but you might have to go around and disable the proxy settings manually and then apply the policy. I don't know if I'm understanding though, do you have a proxy server?
 

Expert Comment

by:faolchu
With GPOs, deselecting something that was previously set does not reverse the setting. It just doesn't enforce the setting.

So if for example you had a policy that applied a proxy setting and this policy is applied to all users in your domain, then the proxy settings are set as per your policy.

If you then decide to disable the policy you had set, when the policy is applied it does not reverse what was previously set. The policy may be disabled but the settings for all users remain as they were the last time the setting was updated by the policy, so in this case the proxy settings would still be set.

To reverse a setting that was previously set and revert a setting to its default you need to create a new policy that is the reverse of the one that you want to remove.
 
LVL 1

Author Comment

by:ECENTER
So for example.  Before I apply a policy that disabled the setting of a Proxy in Internet Explorer, the user of a client checked those boxes, then I apply a setting disabling the changing, it won't uncheck the use proxy option?  To have to do that manually for each computer (not even knowing which ones they are until the user reports that they can't use the web browser) seems odd.  You'd figure there would be an option in the Domain Policy to make sure that those proxy settings were unchecked AND the option to check them was disabled.
Gridlock137 - Over 265 and we don't use a proxy server.

It just seems odd that I could set a domain policy to use a proxy (checking the box), but then couldn't undo that same policy thereby unchecking the box.
 
LVL 7

Expert Comment

by:GridLock137
Test it with one machine: use a machine that has the proxy box checked (you can use yours for test purposes) and apply the policy that disables the proxy. Go to the machine and do a Start > Run > gpupdate /force and check your internet settings and see if it's unchecked and disabled. Now remember this will not work on other browsers, this is only meant for IE; you will have to uninstall all third party browsers.

I have done this before and unfortunately I had to do some walkups on some machines and manually uncheck the setting then apply the policy on the spot by running the above command.
 

Expert Comment

by:faolchu
Easiest way I found was on day one set a policy to check the box, then manually do a GP update on all machines and verify that it has been set.  Then create a policy to uncheck it and do an update again; this gets everyone's proxy setting as unchecked no matter what it was. Then set a policy to disable the proxy settings/disable user from changing. The last two could probably be done in one GPO.

The problem with GPs is that by simply disabling a policy it doesn't revert the setting to its default value (at least in 2003 it doesn't), it just doesn't apply anything so whatever state that setting is in it remains that way.  A lot of admins, myself included, when we create GPOs we don't create a policy to reverse the changes made by the policy. Probably out of laziness.

Best thing to do, as GridLock137 said, was create a policy for a test OU and play with it; once you're sure it will work apply that policy to everyone that needs it.
 
LVL 1

Author Comment

by:ECENTER
When you say create a policy that checks the box then create a policy to uncheck the box, what you're really saying is enable proxy settings and create a setting, then simply disable that same policy which should uncheck the box, then set a policy that says the proxy can't be set at all.  Correct?
 

Expert Comment

by:faolchu
No, you create a policy with one set of settings and apply it. Then disable that policy. Then create a second policy that is the inverse of the first. Simply disabling a policy won't reverse the changes made by the policy. A GPO looks to see if a setting is applied on a PC; if it is it does nothing, if it's not it applies that setting. By disabling a GPO in AD all that happens is that setting is not checked at boot so whatever the previous setting was remains the same.

To overcome this you need to reverse what was applied using a GPO. So you create a GPO to do the inverse of your first policy. So if policy 1 is set to configure the proxy as 10.10.1.1 you apply this policy and ensure all PCs get this. Then you disable policy one in GP editor and create policy 2 that disables the proxy IP so it is specifically set to not have an IP and then maybe have the IP setting unchecked and greyed out so the user can't change it. That way users don't use a proxy.

Taking it one step further, if you have different users that need a proxy and some that don't then you create policies at the OU level and not domain level, or one generic domain one as a catch all and one on an OU if needed.

It's been a while so I'm gray on the actual settings. I'll double check GPO tomorrow in the office and let you know what I think needs setting. But the sum is that to undo a GPO you must create a policy that reverses the settings; disabling a policy won't make any changes to the PCs, they stay as they are as if the original policy was applied.
 
LVL 1

Author Comment

by:ECENTER
Not sure what the difference is between setting a policy and then creating a policy to undo that policy and simply enabling Proxy Settings with no setting then undoing that.  Seems that having Proxy Server unchecked for the domain should uncheck the box for all domain workstations.  Anyway... I consider this a flaw in GP if it's not able to simply make sure that Proxy Settings checkbox is unchecked and that users can't modify that setting.

 

Expert Comment

by:faolchu
You're forgetting GPOs make changes to the default setting on the PC. In general the default setting is no IP set and no check box checked or grayed out. So once you create a policy it changes the state for that setting from its default to become something new. If you then disable your policy, when the PC boots it checks the GPOs applied to it for each setting; if there are no new changes put in place by a GPO then the setting stays as is.

So the default is nothing set. You create and apply a policy that sets the IP address for each user. When the PC boots and the user logs on they have the proxy set to the setting in your policy. This configuration becomes the new default until a new policy comes along to change it. So deleting a GPO doesn't change what you previously set, it just means that no new machines receive those changes.

Remember also that the default setting is n/a or nothing set in most GPOs, so even if you create a policy and remove it the default domain policy doesn't undo those changes because the chances are the default setting for the object is do nothing.
 

Expert Comment

by:faolchu
Just reading something there, it says by default a setting is "not enabled" so when you create a policy you enable that specific setting. To reverse the change you made with your policy you need to change the setting to "not configured"; this will reverse what was set by your past policy.

To reverse a policy you need to know what the default is. And GP editor should tell you in the description of the policy.

I'll have a look at the actual settings in the morning.

Just to clarify, do you want to give the users a proxy IP and stop them from changing it, or do you want it set that there is no IP and the users can't change it?
 

Expert Comment

by:faolchu
I've attached some MS documentation and also a screen shot of what the default proxy setting in GPO looks like.

As you can see it says "by default a GP is not enabled...if you want to remove enabled settings you select Not Configured". The confusion I see here is that for Proxy settings there is no "enable" "disable" "not Configured" as there is for other settings.

What I'd do is create a GPO to apply a proxy of whatever your gateway address is to everyone. So I'd go to User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings - select Enable Proxy Settings and put in an IP.

Then do a gpupdate /force on all users and verify that they get the setting.

Once that is done go back to the policy and select User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings and uncheck the enable option. Then do another gpupdate /force; this should bring everyone back to the same settings, i.e. no proxy details set.

Now that you have everyone set up with no proxy IP and the ability to add or remove proxy details as they wish, you decide what you want. Do you want a proxy? If so you add the details using User config - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings then select enable and put in the IP detail. Do a gpupdate /force and everyone has a proxy and can change that proxy.

Now if you want to restrict their ability to change the proxy you go to User Config - Admin Templates - Internet Explorer and there's an option for Disable Changing Proxy Settings.

The default status for this is Not Configured. What that means is that the user has control over that setting and can enable or disable a proxy as they see fit and can add or change a proxy IP if they want, if this policy is left in its default. So to restrict a user's ability to change proxy settings you also need to enable this option. By enabling it you restrict the user's ability to make changes to proxy details.

If your setup currently restricts the user from being able to change proxy settings but you want to allow them to make changes then you simply select Disable; by disabling it you should remove the greyed out box from their internet settings.

If you leave this as Not Configured then the setting stays in whatever state it is on the PC right now. So if one PC has it set to disallow the user to change it will remain that way, and if a second user for some reason has the ability to change then they will also retain the ability to change because you are not forcing a configuration change by not configuring it.
gpo.tif
gpo2.png
 
LVL 1

Author Comment

by:ECENTER
Seems this is more complicated than it should be.  My understanding so far is that I would have to create a policy, apply it to all of the domain computers and then create a second policy to undo the first.  The real problem is that not all computers are on at the same time so the first policy wouldn't be applied to all machines to therefore apply the second policy.  I wish there were simply a way to make a change in the domain policy to have those boxes both unchecked AND unable to be modified. Why does that have to be so complicated?
 

Accepted Solution

by:
faolchu earned 125 total points
I’d like to say because it's Microsoft but it’s not. The real reason is that a policy is applied just before or during the logon process. So when a machine connects to the domain it checks what machine policies are for it and applies them. Then the login prompt comes on screen and the user can log in. When the user logs in it checks the policies for that user account and applies them.  It never checks the policies again until the policy refresh interval, but in general it can’t actually apply them even if there are new ones because a user is logged in, so a reboot is often required. That’s why in some cases when you do a GPUPDATE /Force you do actually need to reboot because it’s a machine policy change.

In relation to why you have to reverse them. What it comes down to is this.
A policy checks the state of a setting and if different from what the policy says it should be then it sets the setting to how you configured it. So your machine checks its config to see what state that particular setting is. Let's say for example you create a policy that makes everyone's desktop background display your company logo. When the policy is being applied it checks the setting for background image and compares the file path set in the policy to that set on the PC; if it’s the same it moves on, if it isn’t then it changes that setting to reflect the fact that the background image should be the file at a particular file path. Now if you simply disable that policy on your domain, the next boot the machine doesn't bother checking that setting because there is no policy set that says it must check it. So to go back to your problem, if you set a policy to not allow users to change the proxy IP and this gets applied to all PCs, if you then disable or delete this policy that change is not reflected on the user PCs automatically because there is no policy telling it to. Machines in essence are dumb; it would be great if the OS knew its default and was intelligent enough to know that if there is no policy in place telling me I must have a particular setting then I should change my setting to whatever the factory default is. The problem lies in the fact that not every machine is part of a domain that uses GPOs; there are lots of small offices where the sys admin will manually go to each PC and make the setting changes on the local user/machine policy on that PC.  So what it comes down to is this:

If there is no policy specifically saying a setting MUST be a certain way then the machine will just leave that setting in whatever state it is.

So best practice is that if you apply a policy and you want to remove that policy you need to do one to reverse it. By that I mean you need to create a policy that makes the setting whatever its default is. So to do that you first need to know what the default is. That’s where it gets real messy.

I'm getting confused myself here with what you want to actually do now. Do you

A) Want to apply a proxy IP to all users and make it so they cannot change the IP address
B) Want to apply a proxy to all users and make it so they can change IPs if they want
C) Want no proxy and make it so users cannot add a proxy IP
D) Want no proxy and make it so that users can add a proxy IP

In relation to people being on different shifts you could put each shift into a different OU.

So shift 1 goes into OU1 and gets policy 1; once you're satisfied that all is well you apply policy 2.
Shift 2 goes into OU2 and gets policy 1 and again you wait to see if all is well before applying policy 2 and so on.

At least that way you are hitting the people as they sign on, making that change and applying what you need to for that shift, and then when the next shift comes in they are hit with the policy and so on. Remember that policies are independent of OUs so you create the policy and link it to the OU, not just the domain.
 
LVL 1

Author Comment

by:ECENTER
Thanks for the reply.  I want (in your choices above) to perform C) Want no proxy and make it so users cannot add a proxy IP.

If I have to apply a policy turning on a proxy well, that will affect users who are actually using their computers (we have no proxy server) and cannot wait for all computers to log onto the network to receive the policy to then reverse that policy.  It simply makes no sense why there isn't an option in the domain policy to 1.  Make sure that using a proxy server is not checked.  and 2. Disabling the ability to change that setting.  Why does that have to be so complicated???
 

Expert Comment

by:faolchu
What I'd try then is set a policy that has proxy enabled but don't actually put in an IP. If I'm right it should clear the IP. Set a second setting in the same policy that does not stop people from changing proxy settings. Then on a case by case basis for each user that then has an issue with accessing the web, i.e. users that do have an IP, manually remove the IP setting. A week later change this policy so that proxy IP is not enabled and also locks the setting so users cannot change it.

I can't think of an easier way or a way you can automatically switch over; it will require some manual intervention.
 
LVL 1

Author Closing Comment

by:ECENTER
This seems to be the best option although, it would still be a good idea if domain policy settings allowed to have the proxy option unchecked, blank, and set to not allow users to modify it.  Negative points for Microsoft.
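
The per-user cleanup that the thread ends up doing by hand can be scripted. The following is an added example, not code from any poster: a logon script that reports and clears a leftover proxy, so the Disable Changing Proxy Settings policy can be applied without first pushing an "enable" policy. It assumes PowerShell is available on the clients and that the checkbox is stored in the per-user WinINET values `ProxyEnable` and `ProxyServer`; the function names and log path are hypothetical.

```powershell
# Added example (not from the thread): per-user logon script that reports and
# clears a leftover IE proxy, so machines are fixed as their users sign on.
# Assumption: the "Use a proxy server" checkbox is backed by the per-user
# WinINET values ProxyEnable / ProxyServer under the key below.
param(
    [string]$SettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    [string]$LogPath     = (Join-Path $env:TEMP 'proxy-reset.log')  # hypothetical location
)

function Get-ProxyState {
    param([Parameter(Mandatory)][string]$Key)
    # Missing key or values read as $null, i.e. "not enabled / no server".
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [bool]($props.ProxyEnable)
        Server  = [string]($props.ProxyServer)
    }
}

function Clear-ProxyState {
    param([Parameter(Mandatory)][string]$Key)
    # The explicit "reverse" write the thread describes: disabling or
    # unlinking a GPO never performs it, so the old value would persist.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $Key -Name ProxyServer -ErrorAction SilentlyContinue
}

function Reset-LeftoverProxy {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Log
    )
    $before = Get-ProxyState -Key $Key
    if (-not ($before.Enabled -or $before.Server)) { return $false }  # already clean

    Clear-ProxyState -Key $Key
    $after = Get-ProxyState -Key $Key

    # One line per affected profile tells the admin which machines had a proxy
    # set, instead of waiting for users to report a broken browser.
    $fields = (Get-Date -Format s), $env:COMPUTERNAME, $env:USERNAME,
              $before.Server, $before.Enabled, $after.Enabled
    $line = '{0} {1}\{2} proxy="{3}" enabled={4} -> enabled={5}' -f $fields
    Add-Content -Path $Log -Value $line
    return $true
}

Reset-LeftoverProxy -Key $SettingsKey -Log $LogPath | Out-Null
```

Test it against a scratch key first by passing `-SettingsKey` a throwaway path under `HKCU:\Software`. The lock itself still comes from the Disable Changing Proxy Settings policy named in the thread.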