Christian Palacios
asked on
AD Group Policy Problem
Hi there,
We have a DMZ domain (dmz.local) where we recently made changes to the Group Policy. We modified the Default Domain Policy with these settings:
Certificate - Added a certificate in the Trusted Root Certificate Authorities
Automatic Browser Configuration - Set an auto-proxy URL (.pac file)
When we update the group policy on a test server, the certificate gets installed, but the automatic browser configuration isn't set. We are logging in using a domain user account so we are authenticating. Any suggestions as to why the browser configuration isn't working?
Thanks,
- Christian
ASKER
I set the browser configuration here:
Default Domain Policy -> User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> Connection
The computer is under dmz.local -> Computers.
The user is under dmz.local -> DMZ Users
The only group listed under Security Filtering is Authenticated Users.
Since it's the Default Domain Policy, I thought it was linked to every OU below it. I did check it though and it says it is linked.
Thanks,
- Christian
The default domain policy is usually linked at the top domain level.
So if you look in GPMC and click on your Default Domain Policy, on the right side where it shows your links, look under the Path column. It should say dmz.local.
Next, look down at the OU for DMZ Users, and let me know if there is a blue exclamation point there. If there is, then you are blocking the inherited policy, and the user configuration is not being set properly.
ASKER
Just looked at the GPMC and under path it does say dmz.local.
There is no blue exclamation point beside the DMZ Users OU.
- Christian
Ok, go to a client machine, and run: GPUPDATE /FORCE
Then check it again.
If it's still not there, run: GPRESULT > C:\GPRESULT.TXT
Check that file and make sure it's not revealing any security information you don't want revealed and post what's left as an attachment here.
ASKER
Ran gpupdate but it is still not working.
Here you go:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 7/18/2013 at 11:34:27 AM
RSOP data for CNE-FTP01\Administrator on CNE-FTP01 : Logging Mode
------------------------------------------------------------------
OS Configuration: Member Server
OS Version: 6.0.6002
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=CNE-FTP01,CN=Computers,DC=dmz,DC=local
Last time Group Policy was applied: 7/18/2013 at 11:23:28 AM
Group Policy was applied from: REMOVED
Group Policy slow link threshold: 500 kbps
Domain Name: DMZ
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
REMOVED
USER SETTINGS
--------------
Last time Group Policy was applied: 7/18/2013 at 11:23:28 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: CNE-FTP01
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
REMOVED
- Christian
OK, well it looks like the Default Domain Policy was not applied to the User object... so that's why the configuration is not there.
Check in your policy in GPMC. Select the policy, and then click the Details tab on the right.
Under the "GPO Status" does the box say "User configuration settings disabled" by any chance?
Also, click on the Delegation tab and look in the "Allowed Permissions" column and see if there are any "CUSTOM" entries. Perhaps something is there that is doing a "DENY" on the User.
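The reading of the report in the reply above (a GPO applied in the computer scope, none in the user scope), as an added Python example that is not part of the thread: it splits a gpresult report into its two scopes, lists the GPOs applied in each, and also flags a report taken for an account whose domain part equals the host name, which is how gpresult names a machine-local account. The function names and the trimmed sample report are constructed for illustration.

```python
import re

# Constructed sample: a gpresult report trimmed to the lines the parser reads,
# reusing the host and account names from the output posted in the thread.
SAMPLE = """\
RSOP data for CNE-FTP01\\Administrator on CNE-FTP01 : Logging Mode
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        N/A
"""

def parse_gpresult(text):
    """Return the account, the host and the GPOs applied in each scope."""
    m = re.search(r"RSOP data for (\S+)\\(\S+) on (\S+)", text)
    report = {"account_domain": m.group(1), "user": m.group(2),
              "host": m.group(3), "applied": {}}
    scope, collecting = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, collecting = line.split()[0].lower(), False
            report["applied"][scope] = []
        elif line == "Applied Group Policy Objects":
            collecting = scope is not None
        elif line.startswith("The "):          # next sub-heading ends the list
            collecting = False
        elif collecting and line != "N/A" and not set(line) <= {"-", " "}:
            report["applied"][scope].append(line)
    return report

def findings(report):
    """Flag scopes with no applied GPO and accounts local to the host."""
    out = [f"no GPO applied to {scope} scope"
           for scope, gpos in report["applied"].items() if not gpos]
    if report["account_domain"].upper() == report["host"].upper():
        out.append("account is local to the host, not a domain account")
    return out
```

Calling `findings(parse_gpresult(text))` on a saved report gives a short list to work through before opening GPMC; an empty list means both scopes received at least one GPO and the account belongs to a domain.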
ASKER
Just checked the GPO Status and it's enabled.
Delegation Results:
Authenticated Users -> Read (from Security Filtering)
Domain Admins -> Custom
Enterprise Admins -> Custom
Should the delegation permissions be different?
Thanks,
- Christian
I don't suppose the user account you are testing with is a member of your Domain Admins or Enterprise Admins groups?
ASKER
Actually, yeah. I am using my Domain Admin account.
- Christian
ASKER CERTIFIED SOLUTION
ASKER
Thanks. I checked it out and unfortunately it doesn't say "deny" beside Group Policy (image attached).
- Christian
Group-Policy.JPG
OK, it doesn't say ALLOW either.
This really isn't a resolution to your problem (though you might have avoided any issue if you followed it), but it's a best practice to not edit the Default GPOs. Instead create new ones with the settings you want to deploy. Makes it much easier to troubleshoot and roll back if problems are encountered.
See... someone else backs up what I wrote only 10 minutes ago... :P
ASKER
:)
Thank you. I created a different GPO and configured the auto browsing URL. I logged in using a standard domain user and it worked. I'll use this from now on.
Thank you for all your help!
- Christian
You are welcome. Glad it all worked out.
What OU is the machine in?
What OU is the user in?
Is your security filter in the GPO applied to "Authenticated Users"?
Is the GPO linked to the top level of the domain (where the Default Domain Policy should be)?