aungelbach asked:

Pushing Proxy Address Through Default Group Policy but excluding certain users

Hello Experts;

We have a client which is running Windows 2008 R2 Active Directory, has about 15 OUs, and we are pushing proxy settings from the default group policy.  Currently, the group policy is being deployed to every single user in the AD domain.  The client never had remote users before and now has about 4 people (in different OUs) that need to be able to access the internet while offsite.  These users currently use Windows VPN, and if they can connect to VPN then they can get to the internet (slow because it is pushed through the tunnel).  In some cases, the WiFi network they are connected to will require them to go to its landing page and log on to the WiFi network before accessing the internet.  Places like McDonalds and Hilton Hotels will have this requirement, as an example.

What I am trying to do is remove the proxy settings for these 4 users, and I am trying to do this while leaving them in their OUs and without removing the proxy setting from other users within the same OU.  I am looking for suggestions on how to handle this.  It will be OK if these 4 users do not have the proxy settings at all.

Chris:

You could try something like ProxyPal from it adds a button to the IE toolbar which toggles the proxy on and off, makes it easy enough for anyone to manage.

aungelbach:

I do not think this will be a possibility since the proxy is in place to limit who can get on the internet.  Unless I can give just these users the ability to turn it on and off, do you know how it is controlled by the security policies?
Just use security filtering on the GPO. Go to the GPO, click on it, in the right-hand pane click on the Delegation tab, click on Advanced, add your users, and check the Deny box next to "Apply group Policy".
I would create a group in AD, and GPO to remove the proxy for users in that group.

Then simply add the 4 users to that group.

Security Filtering would work, however GPO as a whole will not be applied to those users. If the GPO in question handles more than just a proxy setting, this is not the route you would want to go.
The main reason I want to leave the users in their respective OUs is because I have the GPs mapping their drives for their department.  If I move them all to one group this will be difficult.
Also, the proxy setting is being pushed down from the default domain policy GP
I'll throw in for security group filtering, too, but I had a couple more details to add.

One, now that the GPO settings are applied, simply denying certain users from read/apply on that policy won't change their proxy settings back. You will need to make a separate policy to reset the proxy settings back to null, and have those users apply it.

You might also consider using a WMI filter for subnet as the filter for who gets what proxy settings. That way you can differentiate between people on machines that are on internal subnets and people on machines that are not on internal subnets. Not sure how that would work with cached credentials remotely, before logging on the VPN, but it's an interesting idea.
I meant add an additional group to the users AD accounts, leaving the groups they are currently a member of.

This would keep the accounts where they are, keep the rest of your policy, and allow you to easily add more users if needed.
So I create a security group in AD called "No Proxy" and add these users to that group.  Then in GP Management, I create a new GP called "No Proxy".  How do I apply that GP to a security group?  I have always applied those to an OU.

Once the GPO is made, in the Group Policy Management Console find the GPO, link it to the OUs needed, and under Security Filtering add the AD group you created.

You will have to pay attention to how/where you link it and push the policy out. You'll want the No Proxy GPO to run last, as the last to run will be the policy that takes.

In my environment, we have a default policy of limited internet access through a proxy. We then have an open internet and an intranet-only group. So everyone gets limited by default, and then if the user is in one of the other groups then they get that access.

10,000+ User environment over multiple sites with no issues getting the correct proxy/policy, but you have to make sure the policies run in the correct order and are linked up correctly.
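
The group-plus-security-filtering approach discussed in this thread, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of any poster's reply. The domain `example.com`, the OU paths and the account names are placeholders, and it assumes the proxy can be switched off through the per-user `ProxyEnable` registry value.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$groupName = 'No Proxy'
$gpoName   = 'No Proxy'
$groupPath = 'OU=Groups,DC=example,DC=com'            # placeholder
$userOUs   = @('OU=Sales,DC=example,DC=com',          # placeholder OUs holding
               'OU=Finance,DC=example,DC=com')        # the remote users
$members   = @('user1', 'user2', 'user3', 'user4')    # placeholder accounts
$ieKey     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Additional security group; the users stay in their own OUs and keep
#    their existing memberships and department drive-mapping GPOs.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupPath
Add-ADGroupMember -Identity $groupName -Members $members

# 2. GPO that actively resets the proxy. Denying the original policy alone
#    does not undo a setting that has already been applied.
#    Assumption: the proxy is governed by the per-user ProxyEnable value.
New-GPO -Name $gpoName -Comment 'Disables proxy for No Proxy group members' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ieKey -ValueName 'ProxyEnable' `
    -Type DWord -Value 0 | Out-Null

# 3. Security filtering: Authenticated Users drop from Apply to Read only,
#    and only the group gets Apply. On 2008 R2 itself the cmdlets are named
#    Set-GPPermissions / Get-GPPermissions.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link at each OU with link order 1 (highest precedence, processed last).
#    OU links are processed after domain-level links, but an Enforced
#    domain link would still win over this GPO.
foreach ($ou in $userOUs) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null
}

# 5. Review who can apply the GPO and the effective processing order.
#    Membership of this group bypasses the proxy, so audit it regularly.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
foreach ($ou in $userOUs) {
    (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced
}
```

Group membership changes take effect at the user's next logon; `gpresult /r` on the client shows whether the new GPO was applied or filtered out.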