Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Prevent AD from applying proxy setting to certain workstations 5
- Thread starter DTracy
- Start date
- Thread starter
- #21
- Thread starter
- #23
Hi Andrew,
Funny you should ask. I had changed my default policy to not set a proxy value. Then I made two ou's, one for proxy and the other for no proxy, and corresponding policies with loopback set to replace. I moved the three workstations into the no proxy policy, and everyone else into the proxy policy. The whole thing seemed to be working nicely for several hours, then things started getting strange. Logins were taking forever, internet connections were slow or not at all. Everything really went South. So I deactivated the two new policies and changed the default policy back to giving a proxy. Things calmed down and started working again.
I've been reading agout group policy problems ever since.
I think my problem is with those three workstations that I want to block the proxy on. The thing is that the people who log onto these no proxy workstations also have to log onto proxy workstations as well with their same accounts.
I'll keep reading, sooner or later I'll come up with something.
I do appreciate all you help though, I understand this kind of thing can sometimes take a lot of time and effort.
Thanks again,
David.
Funny you should ask. I had changed my default policy to not set a proxy value. Then I made two ou's, one for proxy and the other for no proxy, and corresponding policies with loopback set to replace. I moved the three workstations into the no proxy policy, and everyone else into the proxy policy. The whole thing seemed to be working nicely for several hours, then things started getting strange. Logins were taking forever, internet connections were slow or not at all. Everything really went South. So I deactivated the two new policies and changed the default policy back to giving a proxy. Things calmed down and started working again.
I've been reading agout group policy problems ever since.
I think my problem is with those three workstations that I want to block the proxy on. The thing is that the people who log onto these no proxy workstations also have to log onto proxy workstations as well with their same accounts.
I'll keep reading, sooner or later I'll come up with something.
I do appreciate all you help though, I understand this kind of thing can sometimes take a lot of time and effort.
Thanks again,
David.
- Thread starter
- #25
In that case, you should not need loopback processing on the "yes proxy" GPO.
You only need it turned on for the GPO you have applied to the "NO PROXY" gpo, and it should be set to "replace".
This is a way I could see to set it up, and should work.
Imagine you have a OU structure like this:
|--Company <-----CompanyGPO
|--Users
|--Computers
|--NoProxy<-----ProxyOverrideGPO[/color]
You apply CompanyGPO to the Company OU. This would contain all the computer/user settings that you want under normal circumstances. This would, by default, fall through to all child OU's.
You can leave the Users and Computers OU's alone. No need to set policies on them directly, as they were set above.
Then, below the Computers OU, there is a NoProxy OU. You create and apply a policy called ProxyOverrideGPO to that OU. In the Computer Configuration section of that new gpo, turn on User Group Policy loopback processing mode in Replace mode.
Then you can enable the proxy settings to show blank (in the User Config section).
This should override only the proxy setting for users, whenever they log into a COMPUTER in the NoProxy OU. You may be getting your delays on logon if you have Loopback mode turned on for your general user or computer OU.
Make sense?
Thanks,
Andrew
![[medal]](/data/assets/smilies/medal.gif "[medal] [medal]")
Hard work often pays off over time, but procrastination pays off right now!
You only need it turned on for the GPO you have applied to the "NO PROXY" gpo, and it should be set to "replace".
This is a way I could see to set it up, and should work.
Imagine you have a OU structure like this:
|--Company <-----CompanyGPO
|--Users
|--Computers
|--NoProxy<-----ProxyOverrideGPO[/color]
You apply CompanyGPO to the Company OU. This would contain all the computer/user settings that you want under normal circumstances. This would, by default, fall through to all child OU's.
You can leave the Users and Computers OU's alone. No need to set policies on them directly, as they were set above.
Then, below the Computers OU, there is a NoProxy OU. You create and apply a policy called ProxyOverrideGPO to that OU. In the Computer Configuration section of that new gpo, turn on User Group Policy loopback processing mode in Replace mode.
Then you can enable the proxy settings to show blank (in the User Config section).
This should override only the proxy setting for users, whenever they log into a COMPUTER in the NoProxy OU. You may be getting your delays on logon if you have Loopback mode turned on for your general user or computer OU.
Make sense?
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!- Thread starter
- #28
Well you can only have a computer account in one OU at a time.
You'd move your machines on which you do not want the proxy setting applied into the NoProxy OU.
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!
You'd move your machines on which you do not want the proxy setting applied into the NoProxy OU.
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!Also, I was mistaken, as you should use the Merge option, not the Replace option in Loopback processing mode. See the descriptions below:
-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!
-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!Here's the Merge option with some info from our example injected. May make it a bit more clear.
-- "Merge" indicates that the user settings defined in the computer's Group Policy objects (ProxyOverrideGPO) and the user settings normally applied to the user (CompanyGPO) are combined. If the settings conflict (Proxy Settings), the user settings in the computer's Group Policy objects (ProxyOverrideGPO) take precedence over the user's normal settings (CompanyGPO).
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!
-- "Merge" indicates that the user settings defined in the computer's Group Policy objects (ProxyOverrideGPO) and the user settings normally applied to the user (CompanyGPO) are combined. If the settings conflict (Proxy Settings), the user settings in the computer's Group Policy objects (ProxyOverrideGPO) take precedence over the user's normal settings (CompanyGPO).
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!- Thread starter
- #32
That was the question I was just going to ask. I have read the definition about ten times and the Merge didn't seem to do anything.
I'll try this and see what happens. The worst would be about 110 angry phone calls...no worries
Thanks Andrew,
David.
I'll try this and see what happens. The worst would be about 110 angry phone calls...no worries
Thanks Andrew,
David.
FYI, the Default Domain Policy should only be edited for setting password settings. Other than that, leave it alone and make new policies for any other settings.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
- Thread starter
- #35
To conclude this thread –
I couldn’t get the GP and AD to do exactly what I wanted, so...
I set the default domain policy to not issue a proxy server and unlinked all other policies.
I then rewrote the login script to allow for the installation of proxy settings to all workstations at startup except the three workstations that needed the proxy set to email only. Works like a charm.
Thanks again to all that offered assistance to resolve my problem. Perhaps this could have been resolved through GPO, but not by me at this time. I'm not giving up, just deferring to a later date.
Best regards,
David.
I couldn’t get the GP and AD to do exactly what I wanted, so...
I set the default domain policy to not issue a proxy server and unlinked all other policies.
I then rewrote the login script to allow for the installation of proxy settings to all workstations at startup except the three workstations that needed the proxy set to email only. Works like a charm.
Thanks again to all that offered assistance to resolve my problem. Perhaps this could have been resolved through GPO, but not by me at this time. I'm not giving up, just deferring to a later date.
Best regards,
David.
- Status
Similar threads
- Locked
- Question