+ Post New Thread
Results 1 to 13 of 13
Windows Server 2008 R2 Thread, GPO Varying by PC in Technical; Hi folks, I have altered a proxy address for IE using the Everyone GPO. The strange thing is that it ...
  1. #1
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11

    Question GPO Varying by PC

    Hi folks,

    I have altered a proxy address for IE using the Everyone GPO.

    The strange thing is that it is processing for some PCs, yet other PCs still have the old settings.

    I've spotted that the Default Domain Policy is 1st in link order, followed by Everyone.

    Any ideas where to start troubleshooting why it is not processing?

    Should I add the change to the Default Domain Policy as well, only put it there, move the link order to start with Everyone, or something else? (I don't know how priority is dealt with in GPOs)

    TIA

  2. #2

    Join Date
    Apr 2011
    Posts
    67
    Thank Post
    14
    Thanked 7 Times in 7 Posts
    Rep Power
    9
    Add proxy settings to the Default Domain Policy and see how that goes.

  3. Thanks to jamesbrown from:

    Gongalong (1st February 2012)

  4. #3

    Join Date
    Apr 2011
    Posts
    67
    Thank Post
    14
    Thanked 7 Times in 7 Posts
    Rep Power
    9
    Just looked at our's and we only have it in Default Domain Policy...

  5. Thanks to jamesbrown from:

    Gongalong (1st February 2012)

  6. #4
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    Thanks, will try that.

    I'm not sure if the Everyone policy had been there from the start as a default policy, or added by the previous manager...

  7. #5

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    5,146
    Thank Post
    919
    Thanked 1,527 Times in 1,038 Posts
    Blog Entries
    47
    Rep Power
    693
    Have you run rsop.msc on an affected computer? It will show you what settings you're getting and what GPO it is getting them from. gpresult run at the command line will also show you what GPOs are applying (although not the settings therein).

  8. Thanks to sonofsanta from:

    Gongalong (1st February 2012)

  9. #6
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    What a useful command! (RSOP.MSC that is) The problem is that the student PCs are all restricted with Ranger, so I cannot run anything.

  10. #7

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    5,146
    Thank Post
    919
    Thanked 1,527 Times in 1,038 Posts
    Blog Entries
    47
    Rep Power
    693
    Quote Originally Posted by Gongalong View Post
    What a useful command! (RSOP.MSC that is) The problem is that the student PCs are all restricted with Ranger, so I cannot run anything.
    You can get it to run against a certain login, so whilst logged on as administrator on your machine, you can give it the computer name and username combination that you're seeing the problem with. See sections 2 & 3 here (running it as a snap in and the following section)

  11. Thanks to sonofsanta from:

    Gongalong (1st February 2012)

  12. #8

    LeMarchand's Avatar
    Join Date
    Jan 2008
    Location
    The deepest pits of hell
    Posts
    2,341
    Thank Post
    315
    Thanked 365 Times in 266 Posts
    Rep Power
    161
    Quote Originally Posted by Gongalong View Post
    What a useful command! (RSOP.MSC that is) The problem is that the student PCs are all restricted with Ranger, so I cannot run anything.
    Could it be one of the many places in Ranger where you can set the proxy that is causing the problem?

  13. Thanks to LeMarchand from:

    Gongalong (1st February 2012)

  14. #9
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    Quote Originally Posted by LeMarchand View Post
    Could it be one of the many places in Ranger where you can set the proxy that is causing the problem?
    Never say never, but the place where the proxy is set (Ranger Administrator) is disabled.

    As this is only affecting Student logins I did wonder for a second whether it needed to be in the GPO for the Students OU (I still don't have a great handle on which GPO objects run in which order and/or which take precedence). Having done this though it has made no effect. So the proxy is set in Everyone, Default Domain Policy, and the Students GPO, but still is not being effected.

    I have to leave now, but tomorrow I will test a PC with Ranger removed, just to ensure Ranger isn't causing this. With Ranger removed I should be able to run RSOP.MSC as well and get a handle on what's running.

    Thanks all for the help so far. Much appreciated!

  15. #10

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    5,146
    Thank Post
    919
    Thanked 1,527 Times in 1,038 Posts
    Blog Entries
    47
    Rep Power
    693
    Quote Originally Posted by Gongalong View Post
    Never say never, but the place where the proxy is set (Ranger Administrator) is disabled.

    As this is only affecting Student logins I did wonder for a second whether it needed to be in the GPO for the Students OU (I still don't have a great handle on which GPO objects run in which order and/or which take precedence). Having done this though it has made no effect. So the proxy is set in Everyone, Default Domain Policy, and the Students GPO, but still is not being effected.

    I have to leave now, but tomorrow I will test a PC with Ranger removed, just to ensure Ranger isn't causing this. With Ranger removed I should be able to run RSOP.MSC as well and get a handle on what's running.

    Thanks all for the help so far. Much appreciated!
    You can check the order just by looking in your GP Management Console - click on the OU in question and one of the tabs will show you the order they are applied in, with GPOs at the bottom (highest number) being applied first and GPOs at the top (lowest number) applying last and therefore overwriting any settings previously applied by another GPO.

    Daft question, but you've not got user configuration disabled on the relevant GPOs have you?

  16. Thanks to sonofsanta from:

    Gongalong (2nd February 2012)

  17. #11
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    The problem has been resolved. It was Ranger. There was a confusing checkbox that looked like it needed to be ticked to force the proxy to be used. Despite this not being ticked the proxy was *still* being used.

    Quote Originally Posted by sonofsanta View Post
    You can check the order just by looking in your GP Management Console - click on the OU in question and one of the tabs will show you the order they are applied in, with GPOs at the bottom (highest number) being applied first and GPOs at the top (lowest number) applying last and therefore overwriting any settings previously applied by another GPO.
    Ah yes, I spotted this. But say I have conflicting policies in the Default Domain Policy versus a policy within an OU. Which one wins? Is the OU policy processed last?

    Quote Originally Posted by sonofsanta View Post
    Daft question, but you've not got user configuration disabled on the relevant GPOs have you?
    How would I check that?

  18. #12

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    5,146
    Thank Post
    919
    Thanked 1,527 Times in 1,038 Posts
    Blog Entries
    47
    Rep Power
    693
    Quote Originally Posted by Gongalong View Post
    But say I have conflicting policies in the Default Domain Policy versus a policy within an OU. Which one wins? Is the OU policy processed last?
    In the Group Policy Management Console, expand the tree to find the OU for the object you're troubleshooting (e.g. Main Building >> Library if it's a library PC, or however your AD is configured). Click on that OU and then on the Group Policy Inheritance tab. You'll get a long list there of all the GPOs applying to that OU (and therefore the objects inside). Objects at the bottom of the list (with the higher precedence number e.g. 47) are applied first, and items at the top (with the lowest number i.e. 1) are applied last and therefore overwrite any earlier policies that defined the same setting. If you look at any OU you'll see that it goes from general to specific, so your Default Domain Policy is applied first and is therefore the weakest place to define a setting. Any policies defined on that OU specifically will have the highest precedence, apply last and are therefore the strongest place to define a setting.

    If it helps, it's similar to the way that CSS applies rules.

    You can alter the order somewhat through a combination of targeting GPOs at the right OU level, and using the Linked Group Policy Objects tab (in the same place you're already looking at) to re-order the GPOs applying to that OU specifically.


    Quote Originally Posted by Gongalong View Post
    How would I check that?
    Click the GPO (not the OU like before) and check the Details tab; there's a drop down there for GPO Status that has 4 options - enabled and disabled, and two others that disable one half of the GPO. So if you have a GPO that only applies to computer settings, you should disable the User Configuration Settings and it speeds up the GP processing time at login.


    HTH!
    Last edited by sonofsanta; 2nd February 2012 at 12:45 PM. Reason: spleling

  19. Thanks to sonofsanta from:

    Gongalong (3rd February 2012)

  20. #13
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    923
    Thank Post
    837
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    Thanks! Very helpful. Now to try and remember it



SHARE:
+ Post New Thread

Similar Threads

  1. Deploy Open office through GPO to certain PC's
    By tosca925 in forum Educational Software
    Replies: 4
    Last Post: 8th May 2007, 09:59 AM
  2. Replies: 3
    Last Post: 7th May 2007, 11:49 PM
  3. Auto logoff by GPO?
    By contink in forum How do you do....it?
    Replies: 8
    Last Post: 31st March 2007, 11:12 PM
  4. Deploy an MIS by GPO but stop a reboot
    By tosca925 in forum Windows
    Replies: 3
    Last Post: 3rd October 2006, 09:28 AM
  5. Replies: 6
    Last Post: 20th October 2005, 07:48 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •