Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Prevent AD from applying proxy setting to certain workstations 5
- Thread starter DTracy
- Start date
-
1
- #2
Torturednacho
MIS
I would create a different OU for these workstation computers. And place them in there, putting the GPO on that OU to not push the proxy.
-
2
- #3
Or simply edit the security of the GPO.
From within the edit screen, right click the GPO. Select Properties. Click the security tab. Note the rights, one of with is APPLY GPO. You can DENY that right to the PCs either individually or as a group. I recommend as a group to minimize your ongoing management.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
From within the edit screen, right click the GPO. Select Properties. Click the security tab. Note the rights, one of with is APPLY GPO. You can DENY that right to the PCs either individually or as a group. I recommend as a group to minimize your ongoing management.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
- Thread starter
- #4
- Thread starter
- #5
Here's my plan:
Three specific workstations do not need internet service but need e-mail. I can accomplish this by setting the proxy to an imaginary value ie: EmailOnly, and then setting an exception for our email service provider. Works like a charm until AD flushes it all away... So I thought that if I could stop AD from applying proxy settings to these three then everything would be copasetic.
Ok?
Thanks,
David
Three specific workstations do not need internet service but need e-mail. I can accomplish this by setting the proxy to an imaginary value ie: EmailOnly, and then setting an exception for our email service provider. Works like a charm until AD flushes it all away... So I thought that if I could stop AD from applying proxy settings to these three then everything would be copasetic.
Ok?
Thanks,
David
-
1
- #6
- Thread starter
- #7
Zelandakh -
When a workstation is first started my login script runs and the AD sets the proxy settings in the Internet Explorer according to my policy. If I manually change these IE proxy settings on a workstation to what I want, the next time the AD refreshes (30 minutes) the proxy is restored to AD policy settings.
What I want to do is stop this process on only the three workstations as described.
Thanks,
David.
When a workstation is first started my login script runs and the AD sets the proxy settings in the Internet Explorer according to my policy. If I manually change these IE proxy settings on a workstation to what I want, the next time the AD refreshes (30 minutes) the proxy is restored to AD policy settings.
What I want to do is stop this process on only the three workstations as described.
Thanks,
David.
If your login script is in a different GPO, then no, checking Deny on the proxy GPO will not interfere. If it is all in one GPO then yes it will stop that processing since the login script is part of the GPO.
I recommend breaking that part out into its own GPO.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
I recommend breaking that part out into its own GPO.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
- Thread starter
- #9
You should probably do a little reading on GPO planning. You can target which machines a GPO will apply to and place those GPOs at the OU or organizational level.
From what you have already described I would have 3 GPOs. One for Internet Access. One for no Internet access. And a third for Shared/common settings.
And take a look at my FAQ on optimizing Group Policies.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
From what you have already described I would have 3 GPOs. One for Internet Access. One for no Internet access. And a third for Shared/common settings.
And take a look at my FAQ on optimizing Group Policies.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
- Thread starter
- #11
Torturednacho
MIS
GPO isn't like NTFS permissions? Deny = no-no ?
-
1
- #14
It is just like NTFS permissions, but it's the only easy way to apply group policy objects via security groups.
I had to do this exact thing a few years ago. I had our main group policy, which applied to all users. It included everything except proxy settings.
Then I made a separate GPO which only contained proxy settings, and applied it to my general user OU (the same to which our main GPO applied). I created a Security Group called "NoProxyGPO", and in the "Delegation" tab, denied the NoProxyGPO group the "Apply Group Policy" right. It worked like a charm.
I also use this method for a terminal server. I have a VERY restrictive GPO (much like one you'd find at a kiosk or in a Bookstore) that applies to terminal servers. I denied our IT staff the right to Apply Group Policy, so when admins log into this server, they do not get the restrictive policy.
Thanks,
Andrew
![[medal]](/data/assets/smilies/medal.gif "[medal] [medal]")
Hard work often pays off over time, but procrastination pays off right now!
I had to do this exact thing a few years ago. I had our main group policy, which applied to all users. It included everything except proxy settings.
Then I made a separate GPO which only contained proxy settings, and applied it to my general user OU (the same to which our main GPO applied). I created a Security Group called "NoProxyGPO", and in the "Delegation" tab, denied the NoProxyGPO group the "Apply Group Policy" right. It worked like a charm.
I also use this method for a terminal server. I have a VERY restrictive GPO (much like one you'd find at a kiosk or in a Bookstore) that applies to terminal servers. I denied our IT staff the right to Apply Group Policy, so when admins log into this server, they do not get the restrictive policy.
Thanks,
Andrew
Hard work often pays off over time, but procrastination pays off right now!- Thread starter
- #15
I've tried the suggested GPO plan using the default policy for the logins as everyone uses the same script. The script solves the differences in drive and printer configuration. Then I made a policy for the NoProxy and applied it to one of the workstations that I want to deny internet service to. It didn't work. When a run a test of the group policy it shows both policies being applied, but the second or noproxy policy seems to be ignored. I've tried several differnet approaches but no joy. Guess I need to re-read the instructions.
Regards,
David.
Regards,
David.
I think you are likely getting stuck at how Computer and User settings are applied. The major distinction is Computer settings are those settings that don't require a user profile to take affect. Pay particular attention to that. Proxy settings are a USER setting. Each user can have a different proxy value on the same PC.
Another way to distinguish this is to know where the GPO setting affects the registry. In the case of the proxy setting it is
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable.
As you can see, those keys are each for CurrentUser.
So if you are applying the policy to a Computer, it won't take affect.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
Another way to distinguish this is to know where the GPO setting affects the registry. In the case of the proxy setting it is
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable.
As you can see, those keys are each for CurrentUser.
So if you are applying the policy to a Computer, it won't take affect.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
![[morning]](/data/assets/smilies/morning.gif "[morning] [morning]")
- Thread starter
- #19
You will be able to identify it by the words Computer Configuration the only other section is User Configuration
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
I hope you find this post helpful.
Regards,
Mark
Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
- Status
Similar threads
- Locked
- Question