
Policy Won't Apply 4

Status
Not open for further replies.

aquias

MIS
Jun 13, 2003
820
US
Hiho all,

Alright, I think I'm going to mash my head into a wall soon, so any input is appreciated (even if it's to point out a good point of impact!). I have a 2003 AD set up and running; currently it is only used for Terminal Services, as we're a Novell shop.

Now, I got the bright idea, since we're deploying some systems to users with more than questionable habits, to join the systems up to the domain and restrict them via GP. Everything applies, all of my other policies apply; the only one that I cannot get to apply is my policy for the Proxy settings.

I'm adding a policy for

User Configuration\Windows Settings\IE Maintenance\Connections\Proxy

I set the proxy server to 0.0.0.0 port 80 and place my exceptions into the system. Apply the rule, run a gpupdate /force (no errors in the event viewer). Log onto the system and have all my policies applied, minus the proxy setting.

I've deleted the local profile on the computer, removed all policies and only had the proxy setting applied, downloaded the updated GPMC and looked at my policy through that as well (it looks fine). I cannot figure out what is blocking the policy from coming down.

Has anyone seen this behavior before? The system is Windows XP SP2, with the Microsoft Antispyware beta installed (even removed that but didn't see any change but at that point I don't recall if I was rebooting between changes or just rampantly swearing).

And as of yet, I haven't tested this policy on another user or system. That will be my next step when I come back to this problem.

Any help, as always, is appreciated. Thanks!
 
can you have an ip of 0.0.0.0??? lol.. i don't think so.. do you mean 10.10.10.0

under the security settings.. there is a GP for "wait for network" maybe you want to try that.. ??

does IE have the proxy setting when you go to the properties??

if not.. then the GP is wrong.. if so.. then the proxy is wrong..
 
Setting the proxy to 0.0.0.0 will prevent the users from accessing any websites other than those placed in the exception list.

And IE does not have the proxy settings listed, which is what is making me want to bleedin scream. If it held the proxy setting and people still got out I'd be so much happier, I'd be positive of what was wrong then. However, you did point out that I got so focused on one setting I ignored a host of others that aren't set that could be affecting this.

Thankie, I'll poke around a bit more now.

 
aquias,

Have you considered adding Internet Security and Acceleration to your domain controller? You could then set the ISA server as the default gateway and limit browsing from the ISA interface.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
The policy that you are using applies to users and not computers. So...
1) These users must log on to the Domain
2) The GPO must be linked to the OU that contains the user accounts or an OU above it. If the GPO isn't linked directly to the users' OU, then no policy inheritance blocks can be in place on any OU in between.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
You can set this during logon for your users via a simple script:

Code:
' Write the per-user IE proxy settings at logon
Set WSHShell = WScript.CreateObject("WScript.Shell")
Path = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"
' Proxy address and port that IE will use
WSHShell.RegWrite Path & "ProxyServer", "0.0.0.0:80", "REG_SZ"
' 1 = use the proxy server
WSHShell.RegWrite Path & "ProxyEnable", 1, "REG_DWORD"

I would advise changing the proxy value from all zeros to a subnet that is not accessible in your organization just to ensure you don't have an illegal value there.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
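
A read-back check for the two values the logon script above writes, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later run in the affected user's session; the function names and the "covered" rule are illustrative choices, and the per-protocol `ProxyServer` form it handles goes beyond the single-value case shown in the thread.

```powershell
# Added example, not from the thread.
function ConvertFrom-ProxyServer {
    # ProxyServer holds either "host:port" (one proxy for every protocol) or
    # a per-protocol list such as "http=host:port;https=host:port".
    param([string]$Value)
    $map = @{}
    foreach ($part in ($Value -split ';' | Where-Object { $_.Trim() })) {
        if ($part -match '^\s*([^=]+)=(.+)$') {
            $map[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
        } else {
            $map['all'] = $part.Trim()
        }
    }
    $map
}

function Test-ProxySetting {
    param(
        [string]$ExpectedServer = '0.0.0.0:80',   # value used in the thread
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    $reg     = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $proxies = ConvertFrom-ProxyServer $reg.ProxyServer

    # Treated here as covering web traffic if a single proxy is set, or if
    # both http and https entries exist. Any entry that differs from the
    # expected server is reported as a mismatch.
    $covered = $proxies.ContainsKey('all') -or
               ($proxies.ContainsKey('http') -and $proxies.ContainsKey('https'))
    $wrong = @($proxies.GetEnumerator() | Where-Object { $_.Value -ne $ExpectedServer })

    [pscustomobject]@{
        User         = "$env:USERDOMAIN\$env:USERNAME"
        ProxyEnabled = ($reg.ProxyEnable -eq 1)
        ProxyServer  = $reg.ProxyServer
        WebCovered   = $covered
        Mismatched   = ($wrong | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        Compliant    = ($reg.ProxyEnable -eq 1) -and $covered -and ($wrong.Count -eq 0)
    }
}

Test-ProxySetting | Format-List
```

Because these values live under HKEY_CURRENT_USER, a missing or changed value shows up as `Compliant : False` with the reason visible in the other fields.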
 
always wait for the network at computer startup and logon is the policy setting

also, keep in mind there are two reboots required to apply policy to XP machines without that setting enabled

do you have winlogon logging enabled?
if not, enable it; it will tell you everything about your policy applying

also get gpresult /v

if you're still having the problem, post these and I'll see if I can point ya where to go

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
i have been drowning in this same ocean of proxy settings for users using group policy. i will try and use the script solution but i haven't been told what file extension to use for this script and i haven't worked with scripts before
 
Well now...that worked...

I had to move the policy to the OU that contained the users, for some reason it wouldn't apply at the higher level.

And in case I'm not explaining this properly, the way this container is set up is...

(OU)Restricted Users --->(OU)Users
                     --->(OU)Computers

I had the proxy policy affecting the Restricted Users OU. I moved the policy to the Users OU and it is now functioning. I cannot tell a lie, I'm just plain confused by that but I'm not about to complain at this point.

Thank you to everyone!
 
the posted script is a VBScript so the extension would be .VBS. :)

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Everything now works out perfectly using the vbscript you posted markdmac. You have solved my 3 week headache in 30 minutes. thanks
 
My pleasure. I'm always happy to have an excuse to write a new script.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Mark, that's dangerous to say! I've got a running list of things I'd like to do around here somewhere...gimmie a minute!!!

Sorry, couldn't resist, thanks again to everyone for the help.
 
LOL!!! :)

Post your list in a new thread. You never know!

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 