kennysarmy (30th September 2008)
Hi,
Just been looking at how proxy settings are set to clients in the AD policies.
Screenshot attached shows this.
Question is - do I really need it set in so many places -- seems to me I could just set it in the DEFAULT DOMAIN POLICY and it would all be good....
Comments? Opinions? Thanks!
Last edited by kennysarmy; 30th September 2008 at 12:14 PM.

I wouldn't suggest adding it into the default domain policy... it's just bad practice.
You could just set it in a GPO at your IT Management OU level and at a GPO at your Users OU level.

I like the way you block out part of the proxy address on all of them and then leave two at the bottom unblocked!
Ric has already mentioned not editing the default domain policy, I second that and no doubt many others will agree - don't do it !!!
Does this have to apply to the whole domain?
If so you can use an enforced policy at the top and it will propagate down all OUs.
If not then you can use a non-enforced one at the top and block inheritance on the OUs that do not apply.
See example screen shot
wish I'd not even gone here....broken internet now for all users except my staff....
I unticked the apply proxy policy for those shown on attachment with lines through and only left those in place with boxes around....
If I now do a group policy result on a test pupil account and a workstation it tells me the correct GPO is being applied BUT the details shown for the proxy are from how the policy was 3 months ago
if I then go to that policy to edit it - it shows the correct information...
see attachments called wrong and right
not sure how to troubleshoot this now
I've had to resort to setting proxy settings via logon script and *.reg file.
Some machines are picking up the correct proxy settings via AD, however most are still picking up proxy values that are not even referred to in AD.
I've also noticed a policy that should block students and teachers from running applications from anything other than the shared app directory (program folders etc excepted) is also not being applied so at the moment any student can run software from cd-rom and removable media....
arggghhhh
We have 2 OUs, one for staff and one for students, and apply those sorts of settings on those OUs and then have any sub categories under each of those OUs, i.e. 05, 06, 07, 08 for students as their intake years, and then under the staff OU it's subdivided into teaching assistants, teaching staff and whatever else, and the GPO settings obviously filter down unless any of the OUs have block inheritance enabled.

I would set this GP to point to a proxy autoconfig pac file because:
a) you only need to set it in one place then change the script if you need to update exception rather than finding the GPO policy each time
b) it works on other browsers such as Opera, Firefox
c) it is much more flexible if you want users to access internet at home and not go through your proxy - just set a different IP range to return proxy = no
Proxy auto-config - Wikipedia, the free encyclopedia
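
As an added example (not part of the original post), a minimal PAC file for the approach suggested above: one script that sends on-site clients through the proxy and returns `DIRECT` when the machine is outside the school address range. The proxy host and port, the internal domain suffix and the 10.0.0.0/8 on-site range are constructed placeholders, and `chooseProxy`, `inSubnet` and `ipToInt` are hypothetical helper names.

```javascript
// Constructed placeholders: proxy host/port, internal suffix and on-site
// range are assumptions, not values taken from the thread.
var PROXY = "PROXY proxy.school.example:8080";
var INTERNAL_SUFFIX = ".school.example";
var ONSITE_NET = "10.0.0.0";
var ONSITE_MASK = "255.0.0.0";

// Dotted-quad IPv4 to an unsigned 32-bit number; null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Own subnet test (instead of the browser's isInNet) so it also runs outside a browser.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Pure decision function: same inputs always give the same answer.
function chooseProxy(host, clientIp) {
  host = String(host).toLowerCase();
  // Client is off-site (e.g. laptop at home): do not use the school proxy.
  if (!inSubnet(clientIp, ONSITE_NET, ONSITE_MASK)) return "DIRECT";
  // Plain hostnames (no dot) are local servers.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Hosts under the internal domain bypass the proxy.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  return PROXY;
}

// PAC entry point called by the browser; myIpAddress() is a PAC built-in
// and may return a loopback or wrong-interface address on multihomed hosts.
function FindProxyForURL(url, host) {
  return chooseProxy(host, myIpAddress());
}
```

A PAC file only tells the browser where to send traffic; it does not enforce anything. Blocking direct outbound web traffic at the firewall for everything except the proxy means an on-site client that ends up with `DIRECT` fails closed rather than bypassing filtering.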
gpsettings.JPG
These are my settings; as you can see I have narrowed it down to use per OU rather than telling the user settings 4 or 5 times to do the same thing.
I'd try to remove all the proxy settings from all your policies and create a separate policy for internet settings and apply it to the separate OUs that require internet access. Then a good gpupdate /force always does the trick!
Kris
I know the theory.
Imagine trying to solve an issue though where the proxy setting being set at the client by AD is not the settings in the GPO (?)
I run the group policy results wizard and it tells me the winning GPO is X and the proxy settings are Y. Y being the wrong settings - I look in the GPO X and find the settings are Z - the correct settings.
I have two DC's - so a sync issue I hear you say - HOWEVER the settings Y were taken out of both DC's back in the summer when these two NEW DC's were installed and the two old DC's were taken out....
How would you go about solving it?
OK
Progress (sort of)
I now see why the software restriction policy was not working.
It was being applied to the users OU NOT the computers OU and the software restriction policy is a computer restriction.
What I fail to see now is why when I log in I can still run software from a memory stick - surely if it is applied at the computer top level OU and the pc I log in to is in that OU that even I shouldn't be able to run software from a memory stick...
OK another thing sorted.
There is an option hidden in the policy that states the software restriction policy can apply to all users OR all users except local admins.
OK.
But still no luck troubleshooting why a policy is being applied giving certain proxy settings - but when I check that policy it actually has the correct settings.
any ideas?
(i can provide screenshots if you don't believe me lol)