Need help with GPO execution order

I have a GPO that setts the IE proxy settings for all users.  I am about to move users to a non-proxy setup but I want to do this in phases.
I created a second GPO that has the proxy set blank, I added a filter that says only apply to systems in no-proxy security group.

In the OU, I have the No-Proxy GPO as number 1 and the Proxy GPO as number 2.

Even though I put systems in the security group, GPO 1 never seems to be applied. No mention of it in gpresults at all.
LVL 12
Gary DewrellSenior Network AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Krzysztof PytkoSenior Active Directory EngineerCommented:
Could you provide reports from your GPOs for PROXY settings. please?
Please provide output from your configuration by executing below cmd-lets in PowerShell and attach files to analyze here, please.

Code to execute in PowerShell
Import-Module GroupPolicy

Get-GPInheritance -Target "OU=Location,DC=Domain,DC=com" | Out-File gpo-inheritance.log

Get-GPOReport -Name "GPO Poxy Name 1" -ReportType Html | Out-File gporeport-proxy1.html
Get-GPOReport -Name "GPO Poxy Name 2" -ReportType Html | Out-File gporeport-proxy2.html

Get-GPPermissions -Name "GPO Proxy Name 1" -All | Out-File gpo-proxy1-perms.log
Get-GPPermissions -Name "GPO Proxy Name 2" -All | Out-File gpo-proxy1-perms.log

Open in new window


You need to replace GPO names with proper ones and put appropriate distinguished name of an OU where GPO links are linked.

If you need more support in code execution, please let me know.

Thank you in advance.

Regards,
Krzysztof
0
Gary DewrellSenior Network AdministratorAuthor Commented:
See attached files.

Let me explain what I am trying to do.
Currently we have a GPO named iesettings, that setups the proxy settings for all users.
We are decommissioning the proxy server (TMG) and will not be using a proxy going forward.
I created a new GPO named iesettings-noproxy, added a security filter, specifying a group so that this new GPO would only apply to members of that group so that I can do a phased migration.

I am totally open to another way to accomplish this goal.
gpo-proxy-perms.log
gpo-noproxy-perms.log
gporeport-proxy.html
gporeport-noproxy.html
gpo-inheritance.log
GPO.png
0
Krzysztof PytkoSenior Active Directory EngineerCommented:
Let me review logs and I will go back to you.

Krzysztof
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Gary DewrellSenior Network AdministratorAuthor Commented:
Thank you.
0
*** Hopeleonie ***IT ManagerCommented:
I see that IESettings-NoProxy is missing Authenticated Users or Domain Computers under security filtering.

Cause:
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution:
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

- Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
- If you are using security filtering, add the Domain Computers group with read permission.

Source:
https://support.microsoft.com/en-us/kb/3163622
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Krzysztof PytkoSenior Active Directory EngineerCommented:
Exactly, everything is fine except Security Filtering settings.

Please ensure if you deployed  MS16-072 security update. If so, then you need to add into your new GPO under Security Filtering "Domain Computers" with only "Read" permission.

Since the update, user GPO changed security context from user to computer :/ (as MS explains, this is for security reason).

Please also read Ask Directory Services Team blog entry, which has really good explanation for that at https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

When you do that, wait for SYSVOL replication or force it and then check once again if it is being applied. Additionally verify the output with gpresult command.

If this is still not working, please let us know.

Regards,
Krzysztof
0
Gary DewrellSenior Network AdministratorAuthor Commented:
Will test this morning. Thank you.
0
Krzysztof PytkoSenior Active Directory EngineerCommented:
No problem, you are welcome. Do not hurry, take your time :)
We are here to help each other

Krzysztof
0
Gary DewrellSenior Network AdministratorAuthor Commented:
Well that definitely got me closer! I now see in the gpresult that the GPO was applied. But it is being trumped by another GPO.

I attached two more screen shots.
GPOOrder.png shows that the IESettings-NoProxy is number 1, and enforced.
And that IEsettings is number 6 and not enforced.

My understanding is that the IESettings-NoProxy should win.

Yet looking at the UserGPOResults.png I see that IESEttings won.

What am I missing?
GPOOrder.png
UserGPOResults..png
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.