Group Policy Won't Update "Use Automatic Configuration Script"

Posted on 2011-02-22
Medium Priority
Last Modified: 2012-05-11
We are about roll out Scansafe and point all users to the pac file that will point them to the proxy.  Our Scansafe rep told us that we could use Group Policy to do this by going to:

User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Automatic Browser Configuration

and doing the following:
 - checking "Enable Automatic Configuration"
 - entering the path to the pac file ("http://[server name]/[pac file]") in the field for "Automatic proxy URL".  (when we put this path in directly into Internet Options > Connections, it works fine)

However, once I force a gpupdate, and verify that my user is getting the group policy (through gpresult /r), it still does not show up in Internet Options, and if I check the registry, it's not there either.  I've tried enabling "Disable caching of Auto-Proxy scripts" as well on the gpo, but that doesn't help.  

I've tried the following custom adm, but that doesn't do anything either.
CATEGORY "Internet Explorer"
POLICY "Proxy Server Connection"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PART "Use automatic configuration script"

Open in new window

When I look at rsop.msc and go to the Automatic Browser Configuration, it shows the correct settings as I had set them in the gpo.  On the next tab -- Auto-Cfg Detect Precedence, the gpo that this setting is in is listed first, with all gpo's showing the setting as disabled.  On the next tab -- Auto-Cfg Enable Precedence, the gpo the setting is in as at the top showing enabled, and the other gpo's show disabled.  (not sure if this matters but figured I should include it)

Anybody have any ideas why this gpo isn't updating Internet Options?  We've never had issues with GP before, and have successfully enabled standard proxies in the past, but never have worked with automatic configuration scripts before.  
Question by:cmg-support
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 24

Expert Comment

by:Mike Thomas
ID: 34959803
Have you ticked enable automatically detect settings and enable automatic configuration

I know the former should not be needed but for a recent deployment of a Websense Pac file config I found that I had an old corrupt legacy policy applying this setting, and for some reason it was messing with my policy, what i had to do was tick that box on the new policy AND ensure the old policy was no longer applying (removing the setting was not enough)

You can use RSOP to see if the policy setting is being overwritten by another policy.


Author Comment

ID: 34962086
Thanks MojoTech, but that doesn't seem to have helped.  Although it shows that that policy's settings are highest priority on the second two tabs of the Automatic Browser Configuration in rsop.msc, it does show the Default Domain Policy underneath, showing disabled.  I'm wondering if because at one point, the Default Domain Policy had Automatically Detect Settings enabled, and then it was disabled later (unchecked), if that's trumping my new group policy object.  If that's the case, I don't know how to override it.
LVL 24

Accepted Solution

Mike Thomas earned 2000 total points
ID: 34962124
That is pretty much what happened to me except it wasn't the default domain policy si i could easily deal with it, as a test try to put all the settings into the default domain policy. If it works think about recreating the default domain policy from scracth without these settings.

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 34962716
Is there anyway around this?  My boss doesn't want anyone to touch the default domain policy.
LVL 24

Expert Comment

by:Mike Thomas
ID: 34964004
Not that I figured out unfortunately.

Author Comment

ID: 34999968
Update - I tested this over the weekend while no one could be affected.  I put the settings in the default domain policy, and it worked -- pushed them down to my computer.  So that was the issue.  Would be nice not to have to use that policy for these settings, but it looks like we will have to.  Thanks for the help!

Author Comment

ID: 35039590
Just an update to this -- after much googling, I found a reference to an option "Reset Browser Settings" within GP.  If you go into Internet Explorer Maintenance on the gpo, and right click on it, there is an option "Reset Browser Settings".  Doing so erases all settings from the gpo within that category.  I made a copy of our default domain policy and then tested it out on there, and it did just that -- so that it doesn't show the Automatically Detect Settings at all.  Although I haven't done this on the real default domain policy, I'm assuming once I do that, the other gpo that I set up for the pac file won't be overwritten by the default policy anymore.

Expert Comment

ID: 37292584
cmg-support  I just tested your theory and it worked.  We were having the same issue.  There was a previous config in the domain policy that was overwriting our "User" Internet Explorer Maint setting in another policy.  The domain policy was blank thus making the users settings blank.  Thanks for the tip!

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question