Solved

Exclude computers from user settings GPO

Posted on 2012-03-19
Last Modified: 2012-03-26
I have created a GPO to apply proxy settings to Internet Explorer in the User setting bit of the GPO.

I want to however exclude these settings from being applied if the user logs onto their domain joined laptop. All the laptops are in their own AD OU.

Any ideas what the best way of going about this would be?

Thanks
Question by:shipowners

12 Comments
LVL 57

Accepted Solution

by:Mike Kline (earned 250 total points)
ID: 37739517
Not pretty, but you can enable loopback processing and link a user GPO to that OU.

More on loopback: http://www.sdmsoftware.com/general-stuff/please-explain-loopback-processing/

Then those user settings can apply on those machines.

Thanks

Mike
 
LVL 29

Assisted Solution

by:pwindell (earned 250 total points)
ID: 37739518
That is why pushing "proxy settings" with GPO is always a bad idea.  It can't handle the flexibility needed with Laptops.

You should be applying the proxy via WPAD.  It has the intelligence to allow the laptops to run directly when they travel and are off the LAN.

This is in the context of MS's ISA or TMG Server, but the same principle applies to all.  WPAD is an industry standard and an industry protocol,...it is not an "MS thing".
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
 
LVL 21

Expert Comment

by:yo_bee
ID: 37740299
Why is Loopback not pretty?

If the OU structure is as such it seems logical to apply it this way.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740306
Just that loopback can get tricky to troubleshoot and can be confusing for some people.

Generally used for TS boxes.
 
LVL 21

Expert Comment

by:yo_bee
ID: 37740404
This is great practice.
If you are dealing with the OU structure stated it is not that tricky since GPO would be applied to the OU with a higher precedence over other User settings applied under the User OU.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37740486
I understand, but even Darren in his post said:

"but in fact, loopback processing confounds a lot of folks."

I've seen a lot of people with questions/issues.  I remember it took me time to get it years ago.

Thanks

Mike
 

Author Comment

by:shipowners
ID: 37742730
Thanks All,

I have gone with the Loopback Policy Processing (as all our laptops are in the one OU) and given that a quick test, which appears to be working well so far. (I understand that the WPAD is probably the better option, but due to time constraints will have to be something to look at in the future.)

I will perform a few more tests and let you know how it goes.

Cheers
 
LVL 29

Expert Comment

by:pwindell
ID: 37743101
Ditch the GPO idea

Use WPAD
 

Author Comment

by:shipowners
ID: 37746459
Hi pwindell,

I realise that WPAD is the better option in the long run. We have 2 remote sites each with their own DHCP server which would need to be pointed at their local proxy servers. Is it possible to do this with one PAC file hosted at our main site or would it require one for each site? And therefore a web server at each site too?

I have found these sites:

http://www.hack.net.br/webpac/

http://www.findproxyforurl.com/wpad_tutorial.html

Would you agree that these are a good place to start? I am keen to try to use Ubuntu Server with Apache (something I am new to too...)

Thanks
 
LVL 29

Expert Comment

by:pwindell
ID: 37747675
As far as the WPAD tutorial,...I have my own:
http://phillipwindell.wordpress.com/tech-pages/isatmg/wpad-setup/
It is centered around ISA/TMG but the principles apply to any proxy.

I don't know about the PAC files,...I never use them.  ISA/TMG generate their "script" on the fly and hold it in RAM only (no physical file), and it is based on, built from, the entire overall config of the ISA/TMG,...so everything always "matches up" like it should.

Can you define different proxies for different clients with a single Pac File?   I think you can,..but I can't help you there,...like I said,..I never use Pac Files.

To clarify things a bit, using a Pac File and using WPAD are two separate things.  WPAD does not auto-detect the proxy,...it auto-detects the script file.  It is then after that, that the Script file detects the Proxy.   So you can use a Pac file without using WPAD if you statically set the user's browser to use a particular Pac file (whether by manually setting or by GPO is up to you).

So:
Step 1: WPAD ---> detects/finds the Script file (whether a WPAD, WSPAD, or PAC File is irrelevant)
Step 2: Script file ---> detects and determines the proxy that is used.
 
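The question of whether one PAC file can hand different clients different proxies is answered inside the script itself: the browser tells the PAC logic the client's own address, so a single file hosted at the main site can return each remote site's proxy and send a laptop on a foreign network straight out. The following is an added example, not code from the thread or from either expert. The subnet ranges, the `.corp.example` suffix, proxy hostnames and ports are constructed placeholders; `isInNet`, `isPlainHostName`, `dnsDomainIs` and `myIpAddress` are normally supplied by the browser, and the fallbacks defined here are used only when those built-ins are absent (for example when the file is run under Node to test it).

```javascript
// Added example: one PAC file shared by several sites. The client's own address
// decides which site proxy is returned; a client on no corporate subnet goes DIRECT.
// Subnets, domain suffix, proxy names and ports below are constructed placeholders.

// Site table: client subnet -> proxy directive for that site (assumed one /16 per site).
var SITES = [
  { name: "hq",    net: "10.0.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-hq.corp.example:8080" },
  { name: "siteA", net: "10.1.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-sitea.corp.example:8080" },
  { name: "siteB", net: "10.2.0.0", mask: "255.255.0.0", proxy: "PROXY proxy-siteb.corp.example:8080" }
];
// If a site's own proxy is down, fail over to the central proxy rather than to DIRECT,
// so a proxy outage does not silently bypass the control point.
var FALLBACK_PROXY = "PROXY proxy-hq.corp.example:8080";
// Internal DNS suffix that is never sent through a proxy.
var INTERNAL_DOMAIN = ".corp.example";

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = (n << 8) | Number(parts[i]);
  }
  return n >>> 0;
}

// Test-harness stubs of the PAC built-ins. In a browser PAC sandbox the real
// functions already exist as globals and the ternaries keep them.
var isInNet = (typeof isInNet === "function") ? isInNet : function (host, pattern, mask) {
  // Browsers resolve a hostname first; this stub only handles literal IPv4 addresses.
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
};
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName : function (host) {
  return host.indexOf(".") === -1;
};
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs : function (host, domain) {
  return host.length >= domain.length && host.substring(host.length - domain.length) === domain;
};
var myIpAddress = (typeof myIpAddress === "function") ? myIpAddress : function () {
  return "127.0.0.1"; // outside a browser we know nothing about the network: behaves like an off-LAN laptop
};

// Core decision, kept separate from FindProxyForURL so it can be exercised with any client IP.
function selectProxy(host, clientIp) {
  host = String(host).toLowerCase();
  // 1. Never proxy single-label names, the internal DNS suffix, or private destination addresses.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // 2. Otherwise pick the proxy of the site the client is currently in.
  for (var i = 0; i < SITES.length; i++) {
    if (isInNet(clientIp, SITES[i].net, SITES[i].mask)) {
      return SITES[i].proxy === FALLBACK_PROXY ? SITES[i].proxy : SITES[i].proxy + "; " + FALLBACK_PROXY;
    }
  }
  // 3. Not on any corporate subnet (laptop at home, hotel, customer site): go direct.
  return "DIRECT";
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return selectProxy(host, myIpAddress());
}
```

Served as `wpad.dat` with the `application/x-ns-proxy-autoconfig` MIME type, this one file covers all sites; per-scope DHCP options are then only needed if you want a different file per subnet rather than one file that branches. Note that `myIpAddress()` returns whatever address the OS reports first, so a machine with several interfaces (VPN, virtual adapters) should be tested against this logic before rollout.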
LVL 29

Expert Comment

by:pwindell
ID: 37747725
WPAD via DNS   =   Is global for the entire Organization, because the entire organization uses the same DNS.

WPAD via DHCP   =  Only useful for Clients that use DHCP (obviously).  Can be global for all DHCP Clients using that DHCP Server if it is set in the Server Options, but it can supply a different Script to clients in different subnets if you apply it as a Scope Option instead of a Server Option.

I have found that not all clients seem to work with it over DNS (OS versions, service pack levels, user authority level all can make a difference).   By the same token with DHCP,...it can only be used by DHCP Clients,....statically assigned Clients can't use it via DHCP.   Therefore I always use both together, and I only have one proxy for the entire Organization.
 

Author Closing Comment

by:shipowners
ID: 37764811
Giving the points to both solutions, as the Loopback has solved the problem in the short term, but I will definitely be looking at the WPAD in the long run.

Thanks for your help!

shipowners