dongocdung
asked on
Group Policy is not linked or enabled but user PCs get that policy
ASKER
I have no idea why it is there twice. There is no duplicate group policy in Group Policy console. Do you mean that I copy the grou policy "IE Auto Script setting for google web proxy" and make a new one? I am not sure I get your point. thanks,
Helo,
did you had a gpupdate /force on the target computer after you change the GPO?
Are you sure that your replication is OK in the domain?
Dan
did you had a gpupdate /force on the target computer after you change the GPO?
Are you sure that your replication is OK in the domain?
Dan
ASKER
Look at \\domainame\sysvol as was suggested! you may have conflicting references.
Certain policies could be cached on the client computers and if not removed correctly might still be applying.
One option trying the update force route.
Using GPMC to run a policy results wizard could identify the setting emanating from a different GPO/GPP.
Certain policies could be cached on the client computers and if not removed correctly might still be applying.
One option trying the update force route.
Using GPMC to run a policy results wizard could identify the setting emanating from a different GPO/GPP.
Have you looked at the Group Policy Object Folder in GPMC and see what or if the GPO you have in question is linked to a OU.
GPMC > Group Policy Object > Click on the GPO in question and look at the Scope Tab. See if the item is linked to OU.
GPMC > Group Policy Object > Click on the GPO in question and look at the Scope Tab. See if the item is linked to OU.
The GPO can be linked to OU and to Sites. So if you don't want that this GPO came to your PC remove the link from the sites.
Dan
Dan
ASKER
The New York site has three branches including Roschester, Buffalo and Utica. I only want to remove this group policy from Roschester in New York. However, I don't see these branches in Group Policy console. I don't want to remove thes group policy from Buffalo and Utica branches in New York. Thanks,
In the GPO console you have a "SItes" link. Rigth click and select "show sites"
ASKER
ASKER
I set "Enforce" for other group policies and set "Block Inheritance" for Roschester OU. I hope it will block this group policy "IE Auto Script setting for google web proxy"
You have all this at domain level? And all enforced - why?
And the GPO IE Auto Script setting for google web proxy is not linked there.
Anyway a GPO can comme from:
-user account (if not in the default user OU)
-computer account (if not in the default computer OU)
-site
So find how The GPO is applyed to you.
You can use block GPO inheritance, but I prefferd that you don't use that.
Dan
And the GPO IE Auto Script setting for google web proxy is not linked there.
Anyway a GPO can comme from:
-user account (if not in the default user OU)
-computer account (if not in the default computer OU)
-site
So find how The GPO is applyed to you.
You can use block GPO inheritance, but I prefferd that you don't use that.
Dan
carrefoul: Block is for all upper GPO object....
ASKER
That group policy is linked to Sites not OU. So, users and computers under OU get inherited this group policy. I don't want Roschester OU to have this policy. That is why I set "block inheritance" in this OU.
ASKER
I am thinking to create a new group policy which has all settings are opposite with the current one. Then, link it to Roschester OU but I am not sure it works properly.
I would test by blocking inheritance on that desired OU.
where do the Users account reside for each location?
If it worked properly there should be no Domain GPO applied.
If you see any then the user object is not in the proper OU
where do the Users account reside for each location?
If it worked properly there should be no Domain GPO applied.
If you see any then the user object is not in the proper OU
You should check with the top level AD admin whether this policy is necessary to be pushed to all OUs.
Higher ups may have a specific reason they are pushing this GPO through out. It could also be an oversight and if raised, could resolve yours and possibly others issue with regard to this and possible other.
Higher ups may have a specific reason they are pushing this GPO through out. It could also be an oversight and if raised, could resolve yours and possibly others issue with regard to this and possible other.
ASKER
I would like to remove the setting in IE "Use Automatic configuration Script". I configured another GPO and uncheck "Automatic detect configuration settings" and not configured "Automatic Browser Configuration" but I still see the proxy .pac file there.
Please take a look at the screenshots below.
AM.jpg
Please take a look at the screenshots below.
AM.jpg
The Loopback setting GPO needs to be placed in the OU where the computer resides.
Is that the case here?
If not then this setting will never apply to a computer a user you are targeting is on.
Is that the case here?
If not then this setting will never apply to a computer a user you are targeting is on.
ASKER
I applied the loopback already
I understand that, but I want to make sure that if GPO w/ Loopback is being applied to the proper OU that contains the computer.
If you Have a GPO linked to a lower level OU or a Blocked inheritance OU then your setting will never apply to the user.
Can you post a screenshot of your entire GPMC and all the linked GPO exposed.
If you are concerned about privacy then please message it to me.
I will send you my personal e-mail address so it is not a public advertisement.
If you Have a GPO linked to a lower level OU or a Blocked inheritance OU then your setting will never apply to the user.
Can you post a screenshot of your entire GPMC and all the linked GPO exposed.
If you are concerned about privacy then please message it to me.
I will send you my personal e-mail address so it is not a public advertisement.
I see that you are enforcing every GPO.
Is there a reason for this? If you have a GPO that has a setting prior to apply the No Proxy setting the original setting takes precedence.
I would create an Isolated OU and apply the GPO without enforcement and see if it applies.
I think your Enforcements might be the cause.
Is there a reason for this? If you have a GPO that has a setting prior to apply the No Proxy setting the original setting takes precedence.
I would create an Isolated OU and apply the GPO without enforcement and see if it applies.
I think your Enforcements might be the cause.
ASKER
I just linked this group policy "No Proxy" to only IT OU and removed the without enforcement but it still did not work. I still cannot remove the check on "Use Automatic configuration script". I wonder why that box is checked and the .pac file is there already. Did another GPO still linked to our domain? Please take a look at the screenshot for details. Thanks
But I do not see Blocked Inheritance enabled.
So the enforce GPO take precedence over any GPO's
To test this properly you need to Isolate the OU by blocking any other GPO's from applying.
Note: I would put both the user and computer in this OU so you do not have any possibility of other GPO's applying.
So the enforce GPO take precedence over any GPO's
To test this properly you need to Isolate the OU by blocking any other GPO's from applying.
Note: I would put both the user and computer in this OU so you do not have any possibility of other GPO's applying.
ASKER
other GPOs have the setting "Enforce". they still apply to any OUs even I block inheritance. It still did not work when I linked only "No proxy" GPO on Computers OU
And you have both the User and Computer in that OU?
ASKER
I applied the "No Proxy" GPO to PCs OU only with "Merge" loopback. This time, I changed the setting "Automatically detect configuration settings" to Enabled nothing for "Automatic Browser Configuration". However, i check i IE, it still did not work. it means the group policy "No Proxy" still did not apply to PCs OU.
But I still do not see Blocked inheritance enable for that OU.
I do understand that you are using LOOPBACK, but you need to move both User and Computer Objects that you are testing with into the OU that has those policies.
This along with Block inheritance will at least isolate any outside source (GPO) interfering or stepping on the setting you are trying to validate.
I do understand that you are using LOOPBACK, but you need to move both User and Computer Objects that you are testing with into the OU that has those policies.
This along with Block inheritance will at least isolate any outside source (GPO) interfering or stepping on the setting you are trying to validate.
ASKER
Your report shows a lot more than one GPO being applied for a OU that has only one GPO linked to it.
http://technet.microsoft.com/en-us/library/cc731076.aspx
GPO links that are enforced cannot be blocked from the parent container
I am going to assume that there is an enforced setting that is taking precedence as stated prior.
I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.
For the best control you want to use SCOPE, WMI and proper OU structure for your environment.
http://technet.microsoft.com/en-us/library/cc731076.aspx
GPO links that are enforced cannot be blocked from the parent container
I am going to assume that there is an enforced setting that is taking precedence as stated prior.
I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.
For the best control you want to use SCOPE, WMI and proper OU structure for your environment.
ASKER
I did mention above that I cannot block other group policies because of enforcement.
I am going to assume that there is an enforced setting that is taking precedence as stated prior.
I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.
For the best control you want to use SCOPE, WMI and proper OU structure for your environment.
See if you can remove the enforcement.
I never recommend enabling enforce on any GPO unless it is 100% mandatory for all items in your domain under the parent OU that has the linked GPO.
For the best control you want to use SCOPE, WMI and proper OU structure for your environment.
See if you can remove the enforcement.
ASKER
I am confused. The other group policies do not relate anything to the GPO "No Proxy". Do you think removing "Enforce" setting of the other GPOs make this "No Proxy" work?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just removed all GPOs ' enforcement. Let 's see what happens. Thanks,
Good luck.
ASKER
I found out that proxy settings were configured using desktop authority. That is why I could not remove them using Group Policy. I asked my co-worker to remove that setting from desktop authority and then it works. Thanks,
Glad it worked.
I'd suggest making a note of all the settings in the working policy you want, making a new GPO with them in and deleting anything existing called "IE Auto Script setting for google web proxy" in Group Policy objects at the bottom of the GPMC tree. You'll then need to make sure they're all properly linked again.
Jack