Christian Palacios


AD Group Policy Problem

Hi there,

We have a DMZ domain (dmz.local) where we recently made changes to the Group Policy.  We modified the Default Domain Policy with these settings:

Certificate - Added a certificate in the Trusted Root Certificate Authorities
Automatic Browser Configuration - Set an auto-proxy URL (.pac file)

When we update the group policy on a test server, the certificate gets installed, but the automatic browser configuration isn't set.  We are logging in using a domain user account so we are authenticating.  Any suggestions as to why the browser configuration isn't working?

Thanks,
- Christian

dhoffman_98

Did you set the browser configuration in the machine settings or in the user settings?

What OU is the machine in?
What OU is the user in?

Is your security filter in the GPO applied to "Authenticated Users"?

Is the GPO linked to the top level of the domain (where the Default Domain Policy should be)?

Christian Palacios

I set the browser configuration here:

Default Domain Policy -> User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> Connection

The computer is under dmz.local -> Computers.
The user is under dmz.local -> DMZ Users

The only group listed under Security Filtering is Authenticated Users.

Since it's the Default Domain Policy, I thought it was linked to every OU below it.  I did check it though and it says it is linked.

Thanks,
- Christian

The default domain policy is usually linked at the top domain level.

So if you look in GPMC and click on your Default Domain Policy, on the right side where it shows your links, look under the Path column. It should say dmz.local.

Next, look down at the OU for DMZ Users, and let me know if there is a blue exclamation point there. If there is, then you are blocking the inherited policy, and the user configuration is not being set properly.

Just looked at the GPMC and under path it does say dmz.local.

There is no blue exclamation point beside the DMZ Users OU.

- Christian

Ok, go to a client machine, and run: GPUPDATE /FORCE

Then check it again.

If it's still not there, run: GPRESULT > C:\GPRESULT.TXT

Check that file and make sure it's not revealing any security information you don't want revealed and post what's left as an attachment here.

Ran gpupdate but it is still not working.

Here you go:


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/18/2013 at 11:34:27 AM



RSOP data for CNE-FTP01\Administrator on CNE-FTP01 : Logging Mode
------------------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=CNE-FTP01,CN=Computers,DC=dmz,DC=local
    Last time Group Policy was applied: 7/18/2013 at 11:23:28 AM
    Group Policy was applied from:      REMOVED
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DMZ
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
 
        REMOVED

USER SETTINGS
--------------
   
    Last time Group Policy was applied: 7/18/2013 at 11:23:28 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CNE-FTP01
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        REMOVED

- Christian
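
An added example (not part of the thread, and not code from any participant): a PowerShell helper that reads saved GPRESULT text like the output above, lists the GPOs applied to the computer and to the user, and flags when the account in the RSOP header is qualified by the computer name rather than by the domain. The function name Test-GpResultText is hypothetical; the sample lines are abridged from the output above.

```powershell
# Added example. Test-GpResultText is a hypothetical helper name, not a built-in cmdlet.
function Test-GpResultText {
    param([Parameter(Mandatory)][string[]]$Lines)
    $summary = [ordered]@{
        Account = $null; Computer = $null; LocalAccount = $false
        ComputerGpos = @(); UserGpos = @()
    }
    $section = $null       # 'COMPUTER' or 'USER'
    $inApplied = $false    # true while inside an "Applied Group Policy Objects" list
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^RSOP data for (?<acct>.+) on (?<host>\S+)') {
            $summary.Account  = $Matches.acct
            $summary.Computer = $Matches.host
        }
        elseif ($text -match '^(?<s>COMPUTER|USER) SETTINGS$') {
            $section = $Matches.s; $inApplied = $false
        }
        elseif ($text -eq 'Applied Group Policy Objects') { $inApplied = $true }
        elseif ($text -match '^The (following GPOs were not applied|\w+ is a part of)') {
            $inApplied = $false
        }
        elseif ($inApplied -and $text -and $text -notmatch '^-+$' -and $text -ne 'N/A') {
            if ($section -eq 'COMPUTER') { $summary.ComputerGpos += $text }
            else { $summary.UserGpos += $text }
        }
    }
    # An account qualified by the computer name (HOST\user) is a local SAM account;
    # domain-linked user policy is not processed for local accounts.
    $qualifier = ($summary.Account -split '\\')[0]
    $summary.LocalAccount = ($qualifier -eq $summary.Computer)
    [pscustomobject]$summary
}

# Sample input: lines copied (abridged) from the GPRESULT output posted above.
$sample = @'
RSOP data for CNE-FTP01\Administrator on CNE-FTP01 : Logging Mode
COMPUTER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
USER SETTINGS
    Applied Group Policy Objects
    -----------------------------
        N/A
'@ -split "`r?`n"

Test-GpResultText -Lines $sample | Format-List
```

To check a real capture, pass the saved file instead of the sample: `Test-GpResultText -Lines (Get-Content C:\GPRESULT.TXT)`.
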
OK, well it looks like the Default Domain Policy was not applied to the User object... so that's why the configuration is not there.

Check in your policy in GPMC. Select the policy, and then click the Details tab on the right.

Under the "GPO Status" does the box say "User configuration settings disabled" by any chance?

Also, click on the Delegation tab and look in the "Allowed Permissions" column and see if there are any "CUSTOM" entries. Perhaps something is there that is doing a "DENY" on the User.

Just checked the GPO Status and it's enabled.

Delegation Results:
Authenticated Users -> Read (from Security Filtering)
Domain Admins -> Custom
Enterprise Admins -> Custom

Should the delegation permissions be different?

Thanks,
- Christian

I don't suppose the user account you are testing with is a member of your Domain Admins or Enterprise Admins groups?

Actually, yeah.  I am using my Domain Admin account.

- Christian
ASKER CERTIFIED SOLUTION
dhoffman_98

Thanks.  I checked it out and unfortunately it doesn't say "deny" beside Group Policy (image attached).

- Christian
Group-Policy.JPG

OK, it doesn't say ALLOW either.

footech
This really isn't a resolution to your problem (though you might have avoided any issue if you followed it), but it's a best practice to not edit the Default GPOs.  Instead create new ones with the settings you want to deploy.  Makes it much easier to troubleshoot and roll back if problems are encountered.

See... someone else backs up what I wrote only 10 minutes ago... :P

:)

Thank you.  I created a different GPO and configured the auto browsing URL.  I logged in using a standard domain user and it worked.  I'll use this from now on.

Thank you for all your help!

- Christian

You are welcome. Glad it all worked out.