Exclude computers from user settings GPO

I have created a GPO to apply proxy settings to Internet Explorer in the User setting bit of the GPO.

I want to however exclude these settings from being applied if the user logs onto their domain joined laptop. All the laptops are in their own AD OU.

Any ideas what the best way of going about this would be?


Mike Kline Commented:
Not pretty but you can enable loopback processing and link a user GPO to that OU

More on loopback   http://www.sdmsoftware.com/general-stuff/please-explain-loopback-processing/

Then those user settings can apply on those machines.



That is why pushing "proxy settings" with GPO is always a bad idea.  It can't handle the flexibility needed with Laptops.

You should be applying the proxy via WPAD.  It has the intelligence to allow the laptops to run directly when they travel and are off the LAN.

This is in the context of MS's ISA or TMG Server but the same principle applies to all.  WPAD is an industry standard and an industry protocol,...it is not an "MS thing".
yo_bee, Director of Information Technology, Commented:
Why is Loopback not pretty?

If the OU structure is as such it seems logical to apply it this way.

Mike Kline Commented:
Just that loopback can get tricky to troubleshoot and can be confusing for some people.

Generally used for TS boxes.
yo_bee, Director of Information Technology, Commented:
This is great practice.
If you are dealing with the OU structure stated it is not that tricky since GPO would be applied to the OU with a higher precedence over other User settings applied under the User OU.
Mike Kline Commented:
I understand but even Darren in his post said

but in fact, loopback processing confounds a lot of folks.

I've seen a lot of people with questions/issues.  I remember it took me time to get it years ago.


shipowners (Author) Commented:
Thanks All,

I have gone with the Loopback Policy Processing (as all our laptops are in the one OU) and given that a quick test, which appears to be working well so far. (I understand that the WPAD is probably the better option, but due to time constraints will have to be something to look at in the future.)

I will perform a few more tests and let you know how it goes.

Ditch the GPO idea

shipowners (Author) Commented:
Hi pwindell,

I realise that WPAD is the better option in the long run. We have 2 remote sites each with their own DHCP server which would need to be pointed at their local proxy servers. Is it possible to do this with one PAC file hosted at our main site or would it require one for each site? And therefore a web server at each site too?

I have found these sites:



Would you agree that these are a good place to start? I am keen to try using Ubuntu Server with Apache (something I am new to too...)

As far as the WPAD tutorial,...I have my own:
It is centered around ISA/TMG but the principles apply to any proxy.

I don't know about the PAC files,...I never use them.  ISA/TMG generate their "script" on the fly and holds it in RAM only (no physical file) and it is based on, built from, the entire overall config of the ISA/TMG,...so everything always "matches up" like it should.

Can you define different proxies for different clients with a single Pac File?   I think you can,..but I can't help you there,...like I said,..I never use Pac Files.

To clarify things a bit, using a Pac File and using WPAD are two separate things.  WPAD does not auto-detect the proxy,...it auto-detects the script file.  It is then after that, that the Script file detects the Proxy.   So you can use a Pac file without using WPAD if you statically set the user's browser to use a particular Pac file (whether by manually setting or by GPO is up to you).

Step 1: WPAD ---> detects/finds the Script file (whether a WPAD, WSPAD, or PAC File is irrelevant)
Step 2: Script file ---> detects and determines the proxy that is used.

WPAD via DNS   =   Is global for the entire Organization because the entire organization uses the same DNS.

WPAD via DHCP   =  Only useful for Clients that use DHCP (obviously).  Can be global for all DHCP Clients using that DHCP Server if it is set in the Server Options, but it can supply a different Script to clients in different subnets if you apply it as a Scope Option instead of a Server Option.

I have found that not all clients seem to work with it over DNS (OS versions, service pack levels, user authority level all can make a difference).   By the same token with DHCP,...it can only be used by DHCP Clients,....statically assigned Clients can't use it via DHCP.   Therefore I always use both together, and I only have one proxy for the entire Organization.
shipowners (Author) Commented:
Giving the points to both solutions as the Loopback has solved the problem in the short term, but I will definitely be looking at the WPAD in the long run.

Thanks for your help!
