Avatar of aungelbach
Flag for United States of America asked on

Pushing Proxy Address Through Default Group Policy but excluding certain users

Hello Experts;

We have a client which is running Windows 2008 R2 Active Directory, has abou 15 OU's and we are pushing proxy settings from the default group policy.  Currently, the group policy is being deployed to every single user in the AD domain.  The client never had remote users before and now has about 4 people (in different OU's) that need to be able to access the internet while offsite.  These users currently use windows VPN and if they can connect to VPN then they can get to the internet (slow because it is pushed through the tunnel).  In some cases, the WiFi network they are connected to will require them to go to their landing page and logon to the WiFi network before accessing the interent.  Places like McDonalds and Hilton Hotels will have this requirement as an example.

What i am trying to do is remove the proxy settings for these 4 users and i am trying to do this with leaving them in their OU's but not removing the proxy setting from other users within the same OU.  I am looking for suggestions on how to handle this.  It will be ok if these 4 users do not have the proxy settings at all.
Active DirectoryWindows Server 2008

Avatar of undefined
Last Comment

8/22/2022 - Mon

You could try something like ProxyPal from http://www.bartdart.com/ it adds a button to the IE toolbar which toggles the proxy on and off, makes it easy enough for anyone to manage.

I do not think this will be a possibility since the proxy is in place to limit who can get on the internet.  Unless I can give just these users the ability to turn it on and off, do you know how it is controlled by the security policies?
Neil Russell

Just use security filtering on the GPO. Go to GPO click on it, in the right hand pane click on Delegation tab, click on advanced, add your users and click the Deny box next to "Apply group Policy"
Your help has saved me hundreds of hours of internet surfing.

I would create a group in AD, and GPO to remove the proxy for users in that group.

Then simply add the 4 users to that group.

Security Filtering would work, however GPO as a whole will not be applied to those users. If the GPO in question handles more than just a proxy setting, this is not the route you would want to go.

The main reason i want to leave the users in their respective OU's are because i have the GP's mapping their drives for their department.  If i move them all to one group this will be difficult.

Also, the proxy setting is being pushed down from the default domain policy GP
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

I'll throw in for security group filtering, too, but I had a couple more details to add.

One, now that the GPO settings are applied, simply denying certain users from read/apply on that policy won't change their proxy settings back. You will need to make a separate policy to reset the proxy settings back to null, and have those users apply it.

You might also consider using a WMI filter for subnet as the filter for who gets what proxy settings. That way you can differentiate between people on machines that are on internal subnets and people on machines that are not on internal subnets. Not sure how that would work with cached credentials remotely, before logging on the VPN, but it's an interesting idea.

I meant add an additional group to the users AD accounts, leaving the groups they are currently a member of.

This would keep the accounts where they are, keep the rest of your policy, and allow you to easily add more users if needed.

So i create a security group in AD called "No Proxy" and add these users to that group.  Then in GP Management, i create a new GP called "No Proxy".  How do i apply that GP to a security group?  I have always applied those to a OU.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Once the GPO is made, in the group policy management console find the GPO, link it to the OU's needed, and under security filtering add the AD group you created.

You will have to pay attention on how/where you link it and push the policy out, youll want the No proxy gpo to run last, as the last to run will be the policy takes.

In my environment, we have a default policy of limited internet access through a proxy. We then have a open internet and intranet only group. So everyone get limited by default, and then if the user is in one of the other groups then they get that access.

10,000+ User environment over multiple sites with no issues getting the correct proxy/policy, but you have to make sure the policies run in the correct order and are linked up correctly.