GPO problem

I have a very convoluted issue that I can't seem to solve.

We are upgrading our environment to IE 11 from IE 8. In the past we have used IEAK distribution files to apply two different sets of configurations. The main difference between them is the proxy settings. Users at our main location have this blank and at our remote locations have the settings for our proxy server.

We are trying to move to a GPO solution for this. So, I have set up two GPOs; one for local and one for remote. The only difference between them is the proxy settings. All of our computers are in one OU and all our users are in another OU. To resolve this issue I have set up a loopback policy in the computer config section of each GPO and set the IE changes in the user section as that's the only place I can set them (Who thought of that stupidity?). Then I have filtered each GPO by a security group that has the pertinent PCs in them. So all the ones at our main location are in a local SG and the remote ones in a remote SG. We have a utility that can determine location based on IP and create the security groups appropriately. I then apply both GPOs to the OU containing the machines. I found that this doesn't work. Even though I have the loopback set, basically the GPO doesn't change the IE settings. If I add in the Domain Users group as a filter then all the local ones are OK, but the remote ones are getting the GPO for the local settings.



jhyiesla (Author) commented:
And yes, I realize that I can actually split out the remote and local computers and put them in separate OUs and that would work and solve my problem. It's just easier if I don't have to do that.

Double check the GPO rules using GPMC. I think your computer restriction prevents the application of the user portion.

See if there are any errors in the attempt to apply the GPO.
Amit (IT Architect) commented:
Is it a computer or user policy?
jhyiesla (Author) commented:
To both experts:

Most IE rules that you'd want to implement belong in the user section and I am applying this to an OU that only has computers in it. Let me digress for a moment to say that this is one of the dumbest things that MS has ever done. Stop and think for a minute. If you want to change connection settings for IE, wouldn't you want to make that at the computer level? The computer's not moving around, but the user is. Proxy settings are usually based on where the device is in the network and NOT which user is logging onto the PC.

The loopback setting in the computer section says that even though there are no users in the OU, implement the user portion to ANY user who logs onto a computer in the OU. Since I want to implement both GPOs in the same OU I changed the filtering on each from the default, which is authenticated user, to a security group. In my basic testing this worked just fine.  The issue came when I wanted to do both GPOs in the same OU.

Logically I think this should work. For example, if I have a remote PC that the GPOs are being applied to I would think that it should work like this: Local GPO Computer section doesn't implement because the computer isn't in the security group filter so it should then move on to the remote GPO. This should implement the computer portion since the computer in question is in the security group for this GPO and then fully implement the user portion since the loopback should be allowed to come into play.

What I am seeing is that the local GPO implements, apparently fully setting the proxy settings to the wrong settings and then the remote GPO implements, but fails to implement the user portion. In my mind, worst case is that the local GPO, which does implement first, should be overwritten by the remote one which implements second. So, again worst case, is that the local PCs should have the remote GPO's settings. What's happening is that the local PCs are OK, but the remote ones have the local GPO's proxy settings.

I have actually solved it by doing what I suggested to myself above - moving local and remote PCs to their own OUs and applying the policies appropriately.  However, that does require more manual maintenance on our part if PCs move around and since the security groups are created and managed automatically my original approach would be the one I'd like to stick with.
jhyiesla (Author) commented:
The other comments really didn't address the question and I did use this way of applying the GPOs to solve the problem.
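
An added example, not part of the original thread: one way to carry out the checks suggested above (review each GPO's filtering and look for errors in its application) from PowerShell instead of the GPMC console. The GPO names, computer name and user name are hypothetical placeholders, and the GroupPolicy module (installed with GPMC/RSAT) is assumed.

```powershell
# Added example. GPO names, computer and user are hypothetical placeholders.
Import-Module GroupPolicy

$gpoNames = 'IE11 - Local', 'IE11 - Remote'   # hypothetical GPO names
$computer = 'REMOTE-PC01'                     # hypothetical test machine
$user     = 'CONTOSO\testuser'                # hypothetical test user

foreach ($name in $gpoNames) {
    Write-Host "=== $name ==="

    # Loopback is stored as UserPolicyMode under the computer policy key:
    # 1 = Merge, 2 = Replace. No value means it is not configured in this GPO.
    $lb = Get-GPRegistryValue -Name $name `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
            -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if     ($null -eq $lb)   { $mode = 'Not configured' }
    elseif ($lb.Value -eq 1) { $mode = 'Merge' }
    elseif ($lb.Value -eq 2) { $mode = 'Replace' }
    else                     { $mode = "Unexpected value $($lb.Value)" }
    Write-Host "Loopback mode: $mode"

    # Security filtering = trustees holding Apply Group Policy (GpoApply).
    # Read-only trustees are listed as well, because a GPO that an account
    # cannot read is skipped for that account.
    Get-GPPermission -Name $name -All |
        Where-Object { "$($_.Permission)" -match '^Gpo(Apply|Read)$' } |
        Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                      @{n='Type';    e={$_.Trustee.SidType}},
                      Permission |
        Sort-Object Permission, Trustee |
        Format-Table -AutoSize
}

# Resultant Set of Policy for one computer/user pair. The HTML report lists
# applied and denied GPOs separately for the computer and user halves,
# together with the reason a GPO was denied.
Get-GPResultantSetOfPolicy -Computer $computer -User $user `
    -ReportType Html -Path "$env:TEMP\rsop-$computer.html"
```

The RSoP report only contains user data if the named user has already logged on to the named computer.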