Solved

Exclude computers from user settings GPO

Posted on 2012-03-19
Last Modified: 2012-03-26
I have created a GPO to apply proxy settings to Internet Explorer in the User setting bit of the GPO.

I want to however exclude these settings from being applied if the user logs onto their domain joined laptop. All the laptops are in their own AD OU.

Any ideas what the best way of going about this would be?

Thanks
0
Question by:shipowners
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 37739517
Not pretty but you can enable loopback processing and link a user GPO to that OU.

More on loopback   http://www.sdmsoftware.com/general-stuff/please-explain-loopback-processing/

Then those user settings can apply on those machines.

Thanks

Mike
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 37739518
That is why pushing "proxy settings" with GPO is always a bad idea.  It can't handle the flexibility needed with Laptops.

You should be applying the proxy via WPAD.  It has the intelligence to allow the laptops to run directly when they travel and are off the LAN.

This is in the context of MS's ISA or TMG Server but the same principle applies to all.  WPAD is an industry standard and an industry protocol,...it is not an "MS thing".
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37740299
Why is Loopback not pretty?

If the OU structure is as such it seems logical to apply it this way.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740306
Just that loopback can get tricky to troubleshoot and can be confusing for some people.

Generally used for TS boxes.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37740404
This is great practice.
If you are dealing with the OU structure stated it is not that tricky since GPO would be applied to the OU with a higher precedence over other User settings applied under the User OU.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740486
I understand but even Darren in his post said

but in fact, loopback processing confounds a lot of folks.

I've seen a lot of people with questions/issues.  I remember it took me time to get it years ago.

Thanks

Mike
0
 

Author Comment

by:shipowners
ID: 37742730
Thanks All,

I have gone with the Loopback Policy Processing (as all our laptops are in the one OU) and given that a quick test, which appears to be working well so far. (I understand that the WPAD is probably the better option, but due to time constraints will have to be something to look at in the future.)

I will perform a few more tests and let you know how it goes.

Cheers
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37743101
Ditch the GPO idea

Use WPAD
0
 

Author Comment

by:shipowners
ID: 37746459
Hi pwindell,

I realise that WPAD is the better option in the long run. We have 2 remote sites each with their own DHCP server which would need to be pointed at their local proxy servers. Is it possible to do this with one PAC file hosted at our main site or would it require one for each site? And therefore a web server at each site too?

I have found these sites:

http://www.hack.net.br/webpac/

http://www.findproxyforurl.com/wpad_tutorial.html

Would you agree that these are a good place to start? I am keen to try to use Ubuntu Server with Apache (something I am new to too...)

Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37747675
As far as the WPAD tutorial,...I have my own:
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
It is centered around ISA/TMG but the principles apply to any proxy.

I don't know about the PAC files,...I never use them.  ISA/TMG generate their "script" on the fly and hold it in RAM only (no physical file) and it is based on, built from, the entire overall config of the ISA/TMG,...so everything always "matches up" like it should.

Can you define different proxies for different clients with a single Pac File?   I think you can,..but I can't help you there,...like I said,..I never use Pac Files.

To clarify things a bit, using a Pac File and using WPAD are two separate things.  WPAD does not auto-detect the proxy,...it auto-detects the script file.  It is then after that, that the Script file detects the Proxy.   So you can use a Pac file without using WPAD if you statically set the user's browser to use a particular Pac file (whether by manually setting or by GPO is up to you).

So:
Step 1: WPAD ---> detects/finds the Script file (whether a WPAD, WSPAD, or PAC File is irrelevant)
Step 2: Script file ---> detects and determines the proxy that is used.
0
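The single-PAC-file question above, as an added example (not code from any poster in the thread): one script hosted at the main site picks the proxy from the client's subnet and returns DIRECT when the machine is on none of the office networks. All subnets, proxy hostnames and the `.example.internal` suffix are constructed placeholders, and `chooseProxy`, `inSubnet` and `ipToInt` are hypothetical helper names.

```javascript
// PAC file sketch. Subnets, proxy names and the internal domain are
// constructed placeholders, not values from the thread.
var INTERNAL_SUFFIX = ".example.internal";
var SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-main.example.internal:8080" },
  { net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-site2.example.internal:8080" },
  { net: "10.3.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-site3.example.internal:8080" }
];

// Dotted-quad string -> number, or null if it is not a valid IPv4 address.
function ipToInt(ip) {
  var parts = String(ip).split("."), n = 0, i, octet;
  if (parts.length !== 4) return null;
  for (i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/mask; malformed input never matches.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return (a & m) === (b & m);
}

// Pure decision function so it can be tested outside a browser.
function chooseProxy(clientIp, host) {
  var h = String(host).toLowerCase(), i;
  // Intranet names (single-label or internal suffix) never go through the proxy.
  if (h.indexOf(".") === -1) return "DIRECT";
  if (h.length > INTERNAL_SUFFIX.length &&
      h.substring(h.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  for (i = 0; i < SITES.length; i++) {
    if (inSubnet(clientIp, SITES[i].net, SITES[i].mask)) return SITES[i].proxy;
  }
  // Not on any office subnet (e.g. a laptop off the LAN): go direct.
  return "DIRECT";
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC engine.
// On multi-homed machines it may report an unexpected interface.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

A laptop whose home network overlaps one of the office ranges would still be handed that site's proxy, so the subnets chosen for the table matter.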
 
LVL 29

Expert Comment

by:pwindell
ID: 37747725
WPAD via DNS   =   Is global for the entire Organization because the entire organization uses the same DNS.

WPAD via DHCP   =  Only useful for Clients that use DHCP (obviously).  Can be global for all DHCP Clients using that DHCP Server if it is set in the Server Options.  But it can supply a different Script to clients in different subnets if you apply it as a Scope Option instead of a Server Option.

I have found that not all clients seem to work with it over DNS (OS versions, service pack levels, user authority level all can make a difference).   By the same token with DHCP,...it can only be used by DHCP Clients,....statically assigned Clients can't use it via DHCP.   Therefore I always use both together, and I only have one proxy for the entire Organization.
0
 

Author Closing Comment

by:shipowners
ID: 37764811
Giving the points to both solutions as the Loopback has solved the problem in the short term, but I will definitely be looking at the WPAD in the long run.

Thanks for your help!

shipowners
0
