Solved

Grou policy not appyling on one of the computer in domain

Posted on 2011-09-12
34
205 Views
Last Modified: 2012-05-12
I have 2 domain controllers viz A and B. I have set group policy for X users. Now these X user do not have internet access, if they open internet they have access to our webamial. now these X users login with username Y from Z machines. Y user name has only access to limited things like selling application, and internet icon which works only for webmail. eveything was working fine for 3 yeras , but past few days i figured out that internet is being used from one of the Z machine.
 Z (machine) OS: windows xp
Server : microsoft windows 2003
0
Comment
Question by:mohsin24
  • 14
  • 9
  • 5
  • +2
34 Comments
 
LVL 22

Expert Comment

by:chakko
ID: 36522861
How does your policy block internet access?  Have you seen the user at Z machine access the internet - what program were they using?

at the machine do a gpresult command and see which policies are being applied.  If your policy is a user policy then logon as the suspected user account.

Also, try and see if they are logging into a local machine account?

gpupdate /force will do a manual policy refresh.  I have seen some machines get 'stuck' and a gpupdate fixes things.

Any event log errors on the PC related to GPO processing?

Lastly, you could remove the PC from the domain and re-add it again and see if that resolves the problem.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36523001
Are they local admins? Maybe editing the registry to bypass the policies restricting the access?



0
 

Author Comment

by:mohsin24
ID: 36523233
What do you mean by how does ur ploicy blocks internet. there are certain users who r under a policy who have access to few things only...  and no need to mention these users are having acces to internet where they shud not be able to. I have accessed internet personally from that machine. no they r not logging in to local account, they r logging in to domain.  
gpupdate /force
remove the PC from the domain and re-add it again both done before. changed the PC name and removed it from active directory and then re added. but still no good.
One more thing i would like to add over here, it is only 3 machines out of 12 from where this internet access is working. there is only one user ID we use to login for all the users which is user ID X for all the 12 machines. and internet is working on 3 machines out of 12. rest 9 are still restricted.  
Any solution ???????
0
 
LVL 2

Expert Comment

by:KevSta
ID: 36523374
Are these machines in a differnet OU in Active Directory? Could be the Policy is not the same for these as the other 9.
0
 
LVL 22

Expert Comment

by:chakko
ID: 36523409

what about gpresult  ?  does is show that the relevant policy is being applied on the problem machines?

any errors in the Event Logs?

0
 
LVL 22

Expert Comment

by:chakko
ID: 36523446
Are they using a proxy setting in IE to bypass your internet access restriction method?
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36523566
What do you mean by how does ur ploicy blocks internet.

It's a simple question.  Which specific settings in the Group Policy do you use to prevent access to the internet for these machines?  there is no Group Policy setting 'Prevent Internet Access except for our Webmail', so you must be using some combination of settings to enforce this.  You tell us what these settings are and we'll tell you why they're not working.
0
 

Author Comment

by:mohsin24
ID: 36526066
@KevSta: No they are in same OU and all the 12 machines are in same GP. just to let you know 3 years it was working fine but now all of a sudden i m facing tis problem.
@johnb6767:they r not local admins
@chakko: I have attached the GPresult and error log as well of that machine. No they are not using any proxy as they do not have access to connection tab to internet option.
@marcustech:I have attached image file of GP for those machine.
 Internet Explorer Maintenance GPGP-RESULT.txt
event.txt
0
 
LVL 2

Expert Comment

by:KevSta
ID: 36528129
Have you changed a Switch recently or changed the config on an existing switch. Have you checked the network setting of the machine ipconfig /all? Just to make sure they are using the same gateway etc.
0
 

Author Comment

by:mohsin24
ID: 36528626
No i haven't changed the switch.. and i have checked ipconfig /all... they all have d same gateway and there is no difference in the network settings from other machines.
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36529120
OK that GPresult isn't very informative.  You will need to log in as the user in question and run gpresult with the /v (verbose) switch.  Are the group policy items you've configured part of your default domain policy or in a seperate policy?  Is it possible that the users are using an alternate browser to Internet Explorer to access the internet?
0
 

Author Comment

by:mohsin24
ID: 36534234
Yes its a part of my default domain policy. no they are not using alternate browser it is internet explorer. i have attached two files. gpresult /v and gpresult z. pls help.
gpresultv.txt
gpresultz.txt
0
 

Author Comment

by:mohsin24
ID: 36559016
Any resolution Master marcustech, the way u were asking question, it sounded like u will solve the problem once i provide u with details...
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36559517
Well one way a user could bypass this restriction would be to set up a proxy server proxying http on port 1001 and then add a HOSTS entry for NOACCESS = my personal proxy server.  Could you change the proxy to 127.0.0.1 instead of NOACCESS?  I doubt that that is the cause of your problems though.

How do you know that users are accessing the internet on these machines?

Also your group policy screenshot shows all protocols proxied to NOACCESS, but the gpresult shows http only to NOACCESS and all other protocols through emirates.net.ae

also: http://technet.microsoft.com/en-us/library/cc978526.aspx
0
 

Author Comment

by:mohsin24
ID: 36560332
@ Marcustech:There is no way that they can set the proxy settings as the connection tab is disabled by their login.
if there is another way to do so i m nt aware of it.
How do i know if they are accessing internet, Well i am writing you this response from that machine from where internet shouldnt work but it is working.
I can format the computer but i want to find out the cause that how did it happen. so if anyone knows anything pls let me know.
0
 
LVL 22

Expert Comment

by:chakko
ID: 36560522
Please try these things.

ping noaccess

any response?  if yes, what is it.

ping 8.8.8.8

any repsonse?  what is it.

ping www.whatismyipaddress.com

any repsonse?  does it resolve to an IP (something like 140.239.x.x)

From Internet Explorer go to:    www.whatismyipaddress.com

then from another computer which can access the internet, try the same URL above and compare the IP address reported.  Are they the same or different?  Does it show any proxy info?



0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 12

Expert Comment

by:marcustech
ID: 36561263
mohsin 24, you missed my point.  Currently they should be proxying through NOACCESS, which I presume doesn't exist.  All they have to do is make NOACCESS resolve to a proxy server of their choice.  Therefore, test with the proxy set to 127.0.0.1.

You can see if you are going through any proxy by going to this site: http://www.lagado.com/proxy-test
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36564564
@ Marcustech:There is no way that they can set the proxy settings as the connection tab is disabled by their login.
if there is another way to do so i m nt aware of it.

If they have access to Regedit, or CMD.exe, they can change the proxy setttings there....

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

By default they have Full Control of their reg hvie (bout 95% of it) even as a limited user....
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36565669
The connection tab is greyed out.  They have proxy set as http proxy through 'NOACCESS'.  So they could potentially rig the DNS or the HOSTS so that 'NOACCESS' resolves to an existing proxy of their choice.

I'm not suggesting that they are doing this, but it's possible.
0
 

Author Comment

by:mohsin24
ID: 36573327
@johnb6767:

ping noaccess : No reply

ping 8.8.8.8: Yes there is a reply but i dont know what is it. i tried using nbtstat –a ipaddress command but it says host could not be found.

ping www.whatismyipaddress.com: No reply yes it resolves to 67.203.X.X
Visits www.whatismyipaddress.com and give my public IP which is 84.255.X.X

then from another computer which can access the internet, try the same URL above and compare the IP address reported.  Are they the same or different?  Does it show any proxy info?: No there is no proxy info:
There is no difference except for the IP address and which is obvious as it is two different machine.

@johnb6767:No they do not have access to cmd or regedit. the command prompt window is also disabled. and even if they create a X.bat file, cmd prompt opens and as soon as u press any key from keyboard the cmd  window vanishes due to policy restriction.
I tried http://www.lagado.com/proxy-test. it says it is not coming from proxy server.
I cannot set the proxy to 127.0.0.1. as it blocks my internal mail for them.
0
 

Author Comment

by:mohsin24
ID: 36573478
if anyone wants to access that computer pls write me on zullu_20@yahoo.com
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36573712
mohsin24, I would strongly advise against soliciting remote access support in a public forum.  Anyone could email you claiming to be a top Expert.

You should be able to set the proxy to 127.0.0.1 and leave the settings 'do not use proxy for: xxx, xxx, xxx '  and 'do not use a proxy for intranet'

You say that when you ping NOACCESS you get no reply.  Does it resolve to an IP?
0
 

Author Comment

by:mohsin24
ID: 36574361
@ marcustech: First of all i cannot set proxy through this login as the connection tab is disabled, i will have to login thru admin to change that and if i do that with admin it will only restrict me through that login. once again when i login with the problematic user log in it will be able to browse internet. so ur trick works but not for this login where  connection tab is disable. or if there is other way to do so pls tell me i will try that as well.
0
 

Author Comment

by:mohsin24
ID: 36574384
NO it didnt ping neither it resolved NOACCESS
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36574587
I meant you could change the proxy set by group policy to 127.0.0.1 instead of NOACCESS.  However since the group policy isn't applying properly at the moment, this is a moot point.

In the gpresult we see this section:

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   NOACCESS:1001
            Secure Proxy Server: emirates.net.ae:1001
            FTP Proxy Server:    emirates.net.ae:1001
            Gopher Proxy Server: emirates.net.ae:1001
            Socks Proxy Server:  emirates.net.ae:1001
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

Are the emirates.net.ae proxies configured in the other GP which was applied, GP-POS?  Also in the gpresult files the 'Group Policy was applied from:...'   is blank - did you redact the name of the DC from here?

0
 

Author Comment

by:mohsin24
ID: 36575119
Yes thats the point, how come GP is working on other computer and not on this computer. i repeat once again i have 12 machines out of which 8 machines work fine and 4 machines has access to internet and all the machines login with one user from which there is no access to internet. except for these problematic 4 machine.
I really feel that applying the new proxy setting on group policy will just wont work as you said the group policy is not applying properly at the moment and secondly why this policy is not allowing the other four machine to access internet. so i really doubt that changing the proxy from group policy is the culprit. as the problem seems to be in the machine. i feel that someone is fidgeting  around with the computer.
I can format the machine  but m a bit scared that what if i format the machine and that culprit changes the settings once again.... there is access to internet.
0
 

Author Comment

by:mohsin24
ID: 36575137
Yes i have edited the information from DC just to hide the identity
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36575690
Where are the client machines acquiring the emirates.net.ae proxies from?  Can you set up a test gpo for this machine with the connections tab available so you can check what ie is applying?  What version of ie - you can download the .adm files and see if this helps?  I can only find the ones for 7 or 9 at the moment, give me a while.  Also, you might as well reset the TCP/IP stack ( netsh int ipreset c:\ipresetlog.txt ) and run gpupdate /f, then test.
0
 
LVL 22

Accepted Solution

by:
chakko earned 500 total points
ID: 36580079
Not a solution, but have you tried to delete the user profile on the problem machine.  If you logon as admin and delete the profile, a new profile will be created when you logon again with the problem user account.

also,  can you clarify the ping test.

if you ping noaccess   then is the result like below?

Ping request could not find host noaccess. Please check the name and try again.

or do you get something different such as request timed out?
0
 

Author Comment

by:mohsin24
ID: 36599684
Surprise Surprise.. I deleted the profile and logged in with the same login ID and internet is not working now.. but u never know for how long.. i hope they dont get it back....  
0
 

Author Closing Comment

by:mohsin24
ID: 36599695
Deleting the profile and logging in once again solved my problem.. thank you my friend..
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36600674
Glad you got it fixed mohsin24.
0

Featured Post

Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

Join & Write a Comment

Is your computer hacked? learn how to detect and delete malware in your PC
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now