Pushing Proxy Address Through Default Group Policy but excluding certain users

aungelbach
Hello Experts;

We have a client which is running Windows 2008 R2 Active Directory, has about 15 OU's and we are pushing proxy settings from the default group policy.  Currently, the group policy is being deployed to every single user in the AD domain.  The client never had remote users before and now has about 4 people (in different OU's) that need to be able to access the internet while offsite.  These users currently use Windows VPN and if they can connect to VPN then they can get to the internet (slow because it is pushed through the tunnel).  In some cases, the WiFi network they are connected to will require them to go to their landing page and log on to the WiFi network before accessing the internet.  Places like McDonalds and Hilton Hotels will have this requirement as an example.

What I am trying to do is remove the proxy settings for these 4 users, and I am trying to do this while leaving them in their OU's but not removing the proxy setting from other users within the same OU.  I am looking for suggestions on how to handle this.  It will be ok if these 4 users do not have the proxy settings at all.

Commented:
You could try something like ProxyPal from http://www.bartdart.com/. It adds a button to the IE toolbar which toggles the proxy on and off, and makes it easy enough for anyone to manage.

Author

Commented:
I do not think this will be a possibility since the proxy is in place to limit who can get on the internet.  Unless I can give just these users the ability to turn it on and off, do you know how it is controlled by the security policies?
Neil Russell, Technical Development Lead

Commented:
Just use security filtering on the GPO. Go to the GPO and click on it. In the right-hand pane click on the Delegation tab, click on Advanced, add your users and click the Deny box next to "Apply group Policy".

Commented:
I would create a group in AD, and GPO to remove the proxy for users in that group.

Then simply add the 4 users to that group.

Security Filtering would work, however GPO as a whole will not be applied to those users. If the GPO in question handles more than just a proxy setting, this is not the route you would want to go.

Author

Commented:
The main reason I want to leave the users in their respective OU's is because I have the GP's mapping their drives for their department.  If I move them all to one group this will be difficult.

Author

Commented:
Also, the proxy setting is being pushed down from the default domain policy GP

Commented:
I'll throw in for security group filtering, too, but I had a couple more details to add.

One, now that the GPO settings are applied, simply denying certain users from read/apply on that policy won't change their proxy settings back. You will need to make a separate policy to reset the proxy settings back to null, and have those users apply it.

You might also consider using a WMI filter for subnet as the filter for who gets what proxy settings. That way you can differentiate between people on machines that are on internal subnets and people on machines that are not on internal subnets. Not sure how that would work with cached credentials remotely, before logging on the VPN, but it's an interesting idea.

Commented:
I meant add an additional group to the users AD accounts, leaving the groups they are currently a member of.

This would keep the accounts where they are, keep the rest of your policy, and allow you to easily add more users if needed.

Author

Commented:
So I create a security group in AD called "No Proxy" and add these users to that group.  Then in GP Management, I create a new GP called "No Proxy".  How do I apply that GP to a security group?  I have always applied those to an OU.
Commented:
You link the GPO to an OU which contains the users then you use security filtering so that only users in your "no proxy" group apply it.

To set up security filtering, select the GPO in GPMC. In the right-hand pane there will be a section labelled security filtering (lower half of pane). Remove authenticated user from here then add in the security group you just created. Any group policies set in this GPO will now only apply to that security group.

I have my doubts that this will work though as I've found previously that once proxy settings have been applied for a user account from one GPO they seem to have issues applying from a different GPO.

Commented:
Once the GPO is made, in the group policy management console find the GPO, link it to the OU's needed, and under security filtering add the AD group you created.

You will have to pay attention to how/where you link it and push the policy out. You'll want the No Proxy GPO to run last, as the last to run will be the policy that takes.

In my environment, we have a default policy of limited internet access through a proxy. We then have an open internet and an intranet only group. So everyone gets limited by default, and then if the user is in one of the other groups then they get that access.

10,000+ User environment over multiple sites with no issues getting the correct proxy/policy, but you have to make sure the policies run in the correct order and are linked up correctly.
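
The group-plus-filtered-GPO approach from the answers above, scripted with the ActiveDirectory and GroupPolicy modules; this is an added example, not code posted by anyone in the thread. The domain `corp.example`, the OU paths and the user names are placeholders. It leaves Authenticated Users with Read only instead of removing the entry, because clients patched with MS16-072 need read access to process user GPOs, and the proxy-reset settings themselves still have to be configured inside the new GPO.

```powershell
# Added example: all names, OU paths and the domain are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'No Proxy'
$GpoName   = 'No Proxy'
$Users     = 'user1', 'user2', 'user3', 'user4'      # placeholder logon names
$TargetOUs = 'OU=Sales,DC=corp,DC=example',          # OUs that hold the 4 users
             'OU=Finance,DC=corp,DC=example'

# 1. Security group; the users stay in their own OUs and keep their other groups.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=corp,DC=example'
Add-ADGroupMember -Identity $GroupName -Members $Users

# 2. Empty GPO; the settings that clear the proxy are added in the GPO editor.
New-GPO -Name $GpoName -Comment 'Clears proxy settings for roaming users' | Out-Null

# 3. Security filtering: only members of the group apply the GPO.
#    Authenticated Users is reduced from Read+Apply to Read.
Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermissions -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link to each OU with link order 1 (highest precedence, processed last).
foreach ($ou in $TargetOUs) {
    New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes -Order 1 | Out-Null
}

# 5. Check who can apply the GPO and where it sits in the processing order.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

foreach ($ou in $TargetOUs) {
    # An Enforced link on a higher-level GPO still wins over link order 1 here.
    (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}
```

Running `gpresult /r` as one of the four users after `gpupdate /force` shows whether the new GPO was applied or filtered out.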
