Solved

Exclude computers from user settings GPO

Posted on 2012-03-19
12
731 Views
Last Modified: 2012-03-26
I have created a GPO to apply proxy settings to Internet Explorer in the User setting bit of the GPO.

I want to however exclude these settings from being applied if the user logs onto their domain joined laptop. All the laptops are in their own AD OU.

Any ideas what the best way of going about this would be?

Thanks
0
Question by:shipowners
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 37739517
Not pretty but you can enable loopback processing and link a user GPO to that OU

More on loopback: http://www.sdmsoftware.com/general-stuff/please-explain-loopback-processing/

Then those user settings can apply on those machines.

Thanks

Mike
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 37739518
That is why pushing "proxy settings" with GPO is always a bad idea.  It can't handle the flexibility needed with Laptops.

You should be applying the proxy via WPAD.  It has the intelligence to allow the laptops to run directly when they travel and are off the LAN.

This is in the context of MS's ISA or TMG Server but the same principle applies to all.  WPAD is an industry standard and an industry protocol,...it is not an "MS thing".
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37740299
Why is Loopback not pretty?

If the OU structure is as such it seems logical to apply it this way.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740306
Just that loopback can get tricky to troubleshoot and can be confusing for some people.

Generally used for TS boxes.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37740404
This is great practice.
If you are dealing with the OU structure stated it is not that tricky since GPO would be applied to the OU with a higher precedence over other User settings applied under the User OU.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740486
I understand but even Darren in his post said

"but in fact, loopback processing confounds a lot of folks."

I've seen a lot of people with questions/issues.  I remember it took me time to get it years ago.

Thanks

Mike
0
 

Author Comment

by:shipowners
ID: 37742730
Thanks All,

I have gone with the Loopback Policy Processing (as all our laptops are in the one OU) and given that a quick test, which appears to be working well so far. (I understand that the WPAD is probably the better option, but due to time constraints will have to be something to look at in the future.)

I will perform a few more tests and let you know how it goes.

Cheers
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37743101
Ditch the GPO idea

Use WPAD
0
 

Author Comment

by:shipowners
ID: 37746459
Hi pwindell,

I realise that WPAD is the better option in the long run. We have 2 remote sites each with their own DHCP server which would need to be pointed at their local proxy servers. Is it possible to do this with one PAC file hosted at our main site or would it require one for each site? And therefore a web server at each site too?

I have found these sites:

http://www.hack.net.br/webpac/

http://www.findproxyforurl.com/wpad_tutorial.html

Would you agree that these are a good place to start? I am keen to try use Ubuntu Server with Apache (something I am new to too...)

Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37747675
As far as the WPAD tutorial,...I have my own:
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
It is centered around ISA/TMG but the principles apply to any proxy.

I don't know about the PAC files,...I never use them.  ISA/TMG generate their "script" on the fly and hold it in RAM only (no physical file) and it is based on, built from, the entire overall config of the ISA/TMG,...so everything always "matches up" like it should.

Can you define different proxies for different clients with a single Pac File?   I think you can,..but I can't help you there,...like I said,..I never use Pac Files.

To clarify things a bit, using a Pac File and using WPAD are two separate things.  WPAD does not auto-detect the proxy,...it auto-detects the script file.  It is then after that, that the Script file detects the Proxy.   So you can use a Pac file without using WPAD if you statically set the user's browser to use a particular Pac file (whether by manually setting or by GPO is up to you).

So:
Step 1: WPAD ---> detects/finds the Script file (whether a WPAD, WSPAD, or PAC File is irrelevant)
Step 2: Script file ---> detects and determines the proxy that is used.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37747725
WPAD via DNS   =   Is global for the entire Organization because the entire organization uses the same DNS.

WPAD via DHCP   =  Only useful for Clients that use DHCP (obviously).  Can be global for all DHCP Clients using that DHCP Server if it is set in the Server Options.  But it can supply a different Script to clients in different subnets if you apply it as a Scope Option instead of a Server Option.

I have found that not all clients seem to work with it over DNS (OS versions, service pack levels, user authority level all can make a difference).   By the same token with DHCP,...it can only be used by DHCP Clients,....statically assigned Clients can't use it via DHCP.   Therefore I always use both together, and I only have one proxy for the entire Organization.
0
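As an added example (not from the thread or any of its posters) answering the one-PAC-file question above: a single PAC script, whichever way WPAD delivers it, can pick a site-local proxy from the client's own address and return DIRECT for a laptop that is off the LAN. Site subnets, proxy names and the corp.example domain are constructed; the stand-in helpers at the bottom replace the functions a browser provides and are deleted before the file is published as wpad.dat.

```javascript
// Constructed site table: each site's subnet and its local proxy (assumed values, not from the thread).
var SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-main.corp.example:8080" },
  { net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-site2.corp.example:8080" },
  { net: "10.3.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-site3.corp.example:8080" }
];
// Entry point every PAC engine calls. The returned string is a proxy list the
// browser tries left to right, so a dead site proxy falls through to the next.
function FindProxyForURL(url, host) {
  // Internal names and private addresses never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  var me = myIpAddress();
  for (var i = 0; i < SITES.length; i++) {
    if (isInNet(me, SITES[i].net, SITES[i].mask)) {
      var list = SITES[i].proxy;
      if (i !== 0) { list += "; " + SITES[0].proxy; }   // remote sites fall back to main
      return list + "; DIRECT";
    }
  }
  // Address is in no site subnet: the laptop is off the LAN, so go direct.
  return "DIRECT";
}

// Stand-ins for the helpers a browser provides (constructed; delete before deploying).
var SIMULATED_CLIENT_IP = "0.0.0.0";
function myIpAddress() { return SIMULATED_CLIENT_IP; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ip2int(ip) { // dotted quad -> number, or null if not an IPv4 literal
  var p = ip.split("."), n = 0;
  if (p.length !== 4) { return null; }
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) { return null; }
    n = n * 256 + Number(p[i]);
  }
  return n;
}
function isInNet(ip, net, mask) { // the browser version also resolves host names first
  var a = ip2int(ip), b = ip2int(net), m = ip2int(mask);
  if (a === null || b === null || m === null) { return false; }
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}
// Test hook: evaluate the script as a client at the given address would.
function decideFor(clientIp, url, host) { SIMULATED_CLIENT_IP = clientIp; return FindProxyForURL(url, host); }
```

Because the decision is made from myIpAddress() at each site, the same file can be served by one web server at the main site and still hand each site its own proxy.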
 

Author Closing Comment

by:shipowners
ID: 37764811
Giving the points to both solutions as the Loopback has solved the problem in the short term, but I will definitely be looking at the WPAD in the long run.

Thanks for your help!

shipowners
0
