GPP Item Level Targeting for OS not working - All Situations

I am trying to restrict a proxy enable key, which we use on all clients, from servers.    I have just updated our library and can use "OS is not 2012r2" and of course 2008r2.  

 I am very familiar with ILT on GPP and have used it successfully many times.   I have tried numerous combinations of the options, putting the 2 targets OS's in a collection for IS or the opposite OS's for IS NOT,  have changed AND or OR and the settings come into the servers not matter what I have tried.

 I have put in quite  a few hours of research and cannot seem to find anything to go deeper into an issue than what I already seem to have in place and understand.

 Is there any insight this forum may have to something related to this,
NBqueryAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
why not just use a wmi filter that applies only to client o/s's ?
See my article on WMI filtering
Any Windows Desktop OS

select * from Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")
McKnifeCommented:
Why not? Because ILT is usually quicker and offers the same functions. Read about it here: http://evilgpo.blogspot.de/2014/11/showdown-wmi-filter-vs-item-level.html

NBquery, it could be a different problem. Is it a computer setting really, or a setting from the user configuration part of that policy? The latter would not even apply to computer objects at all.
compdigit44Commented:
Two stupid questions...
1)I you sure the workstations are applying the updated policy?
2) Can the policy be process without a ILT filter?
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

NBqueryAuthor Commented:
Thank you all for the comments.  

David, I have used WMI in the past, but I would just prefer to use an available preference item for other people's usage and transparency - let alone it is built in.

McKinfe - I never thought to consider the computer configuration implication or have had the opportunity to read about it only applying to computer configurations.    This is actually a user proxy setting for our web filtering, and since the client is not on the servers, I thought to use this for the clean usage for users on servers.

Compdigit44 - Yes I am certain, when the proxy gets enabled via GPP reg key entry, it disables internet explorer's ability to connect to the internet on the server (I watch the key get updated).

David, I guess WMI has to be a consideration at this point.

I appreciate the articles provided and will do some reading on them now.
McKnifeCommented:
To be sure: please name the registry key that you are changing.
This one: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key: "ProxyEnable" ? Then it's a user policy.
NBqueryAuthor Commented:
I have been reading more, it does not seem to say anywhere that OS ILT does not apply to User items..  I have even read some articles that point to using OS ILT on User items as examples.

To that, I would like to know where I might read that it is not possible since everything I am seeing is to the contrary.
NBqueryAuthor Commented:
Last update - Enabling Loopback processing on the GPO allowed for the OS ILT on a User item to work as expected, it not longer applies to 2012r2 family.

One for the notebooks!

Thanks you all.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeCommented:
Do me a favor, I'd like to know
1 if it was originally configured in the user config or in the computer config part
2 what registry key it was
knowing this, I'll be able to explain why you had to use loopback mode.
compdigit44Commented:
I know an curious to know how the policy was originally configured..
NBqueryAuthor Commented:
Originally, there was simply a User GPP for a registry addition that was created from the wizard without specifying any ILT.  It contained three entries for proxy;  ProxyServer, ProxyOverride, and ProxyEnable.

I wanted to only ILT OS on the Proxy Enable key, just to have this not apply to our Server 2008r2 Family and Server 2012r2 Family as to not turn on Proxy.
NBqueryAuthor Commented:
The comments provided by the other members were incomplete and though factually true, there was a way around it.    I persisted with finding a solution since by all accounts, I could not verify what they were saying was true or not.   In the end, I found a way to resolve it, as I always do.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.