RE: Group Policy Connundrum - Stick with it, its confusing!!!



If you haven't already done so, try running the Group Policy Results tool
from the GP MMC. That will tell you what settings are being applied from
your various policies, and what settings are ultimately "winning" due to the
order of precedence. One possibility is that you have two conflicting
policies, and the end result is that your policy to restrict enabling and
disabling the proxy settings is being applied and is "winning," but your
exceptions to the proxy rule are being overwritten by another policy that
has a higher precedence. I'd look at that, for starters.

Devin

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Jon Petre
Sent: Thursday, September 27, 2007 6:50 PM
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Group Policy Connundrum - Stick with it, its confusing!!!

Hello List,

I have an issue at a customers site regarding GP that goes a little like
this:

I have created a policy named no internet. I have created a security group
named the same. In this group are so many users based across the country
that I want to limit the internet usage, therefore I have created a false
proxy @ 0.0.0.0 that all their internet use has to pass through. This gives
the expected result where no pages are displayed regardless of which site
the user goes to. I have also created some exceptions for this policy, which
do not use the proxy, i.e.

www.homepageofcompany.com, www.siteiwanttoallow.com,
www.theusercangohere.co.uk.

This is done by setting the 'user configuration > Internet Explorer >
Connection > Proxy Settings > Exceptions'. The desired output is that user's
logon and can access these sites, but any other non specified site wont
work.

----I hope this makes sense so far----

Then by setting the 'Admin Template > Windows Components > Internet Explorer
Disable Changing Proxy Settings' to enabled effectively grays out the
proxy settings in internet explorer and stops the user from altering the
settings.

OK, this is where the issues start. When I toggle the 'Admin Template >
Windows Components > Internet Explorer > Disable Changing Proxy Settings'
between enable and disable, and update the policy on the local machine via
GPUPDATE, or even from the server by forcing the update, everything works
and the proxy is enabled and disabled as specified.

However, when I try to make changes to any part of the user config, the
policy does not seem to initialise. What I mean is any sites I add to the
exception list do not appear and the end result is the user can not access
any sites at all. I have logged on and off, and re-booted workstation all to
no effect.

Any suggestions on why the user configuration portion of the Group Policy
does not work would be much appreciated. I am sure all the permissions are
set correctly, i.e. the apply GP settings, read settings etc. If they
wasn't, then surely no part of the policy would work, would it?

TIA,

Jono

_________________________________________________________________
Get Pimped! FREE emoticon packs from Windows Live -
http://www.pimpmylive.co.uk



Relevant Pages

  • RE: Remote Assistance not working
    ... I have tried these settings you recommend with no results. ... I have yet to get the offer remote assistance to work when launched from the ... The Group Policy on the computer of the novice user must be configured ... Start the Microsoft Management Console Group Policy snap-in. ...
    (microsoft.public.windows.server.sbs)
  • Re: Parts of GPO not working.
    ... If your users use other browsers like firefox from an usb stick/drive or whatever medium your policy will not help. ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Parts of GPO not working.
    ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Re: scripted logon
    ... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
    (microsoft.public.windows.terminal_services)
  • Re: GPO Update Problem (SYSVOL access via UNC)
    ... Server Security and Auditing Policy ... This list only includes links in the domain of the GPO. ... The settings in this GPO can only apply to the following groups, users, ...
    (microsoft.public.win2000.group_policy)