I’m having some problems and hoped that some MCSE type 'dopers might be able to tell me what I’m doing wrong here. First I’ll describe the problem I’m trying to solve and then I’ll describe how I’m trying to solve it. If there is a better way to do what I’m trying to do feel free to tell me…I’m not an MCSE nor do I play one on TV. My expertise, such as it is, is on the security and infrastructure side of things, and Microsoft NT is definitely not my bag of tea.
The problem I’m trying to solve is this…I want to punch down proxy settings to 1000 work stations that the customer has. Currently they are doing this the old-fashioned (and frankly crazy) way…they are manually putting in the proxy settings into IE! I’ve been tasked by the customer to basically roll out a new series of proxy settings (I’m putting in their new firewall/proxy gateway and have designed their new logical addressing scheme) as well as some other things.
So…here were my thoughts on doing this. I am attempting to use the domain group policies part of Windows 2003 server to essentially put in a policy that will punch down the proxy settings desired to each work station. I had considered simply writing a VB script to make a registry modification initially, but this seemed too much like work to me. Anyway, using GPM I have created and linked a new policy (they are currently using a single policy in the server OU for stuff like their password policies and such) into their main user OU. In this policy using the GPO I have basically, in the User Configuration/Windows Settings section and Internet Explorer Maintenance section, made modifications to the Proxy Settings section (as well as a few other settings).
Seems like a no brainer to me. Problem is…it doesn’t seem to work. I must be doing something wrong here…but I have no idea what it is. When I go back to the GPM and view the new GPO under settings…well, it’s all in there just the way I thought it should be. According to the GPM the new GPO SHOULD be being applied (i.e. Link Enabled and Enforced)…but logging in as any of the users in the OU basically gives me nothing. The new proxy settings aren’t being propagated.
I know the GPO is being applied however because I put in a .adm change to allow the customer to shut down the use of USB and CDROM drive usage (another requirement of the customer…again, they are currently doing this manually), and this part seems to work fine.
So…what am I doing wrong here? Or better yet…how do I accomplish what I’m trying to accomplish here using Group Policies (or any other way if you know a better one)?
Thanks in advance for any help you guys can provide here.
If you go to command line and type “gpresult” does it say that the GP is filtered out? As far as I can tell you are doing it right, even though the Enforced part is a big overkill for just a single GP. Assuming its scope is Authenticated Users, have you tried explicitly listing a user and/or workstation in the scope to see if it makes a difference (even though it shouldn’t, I’m grasping at straws myself).
Yes, I’ve tried giving explicit rights to domain users (and even individual test users). And yes, I’ve tried to put the test PC in the OU (though I realize I shouldn’t have to do this). I haven’t tried gpresult from the command line…I didn’t know about that one to be honest. I’ll give it a shot tomorrow.
And yeah, I know Enforced is overkill…I was grasping at straws myself.
What version of Windows are the workstations running? There are domain policy settings in Windows 2003 Server that Windows 2000 ignores. I’m not sure if these particular policies are part of that set, but it’s worth investigating. Also, have you tried to reapply the policy from the command line? (gpupdate /force)
MCSE for 2000 and 2003 here. I don’t do much with GPOs at the moment but I can think of a few things that could be going wrong:
> Your users and PCs could be in a sub-domain of the one in which you created the policy. Sub-domains do not inherit GPOs from their parents.
> Make sure you link the policy using the domain’s PDC emulator. Then make sure that other DCs have replicated it as well.
> You may not have given the Authenticated Users group both Read AND Apply Group Policy permissions. Alternatively, you may have set an explicit deny on either of those two for some group/s.
> You may have inadvertently set the GPO link to ignore the User settings portion of the GPO.
> You may have linked a User settings GPO to an OU containing Computer accounts, or vice versa.
Log on as a user who should be affected and then run the command GPRESULT to get a read out of all policies applied to the User and the PC.
You can use GPUPDATE /force to force an update rather than waiting for Windows to do it.
Use the Resultant Set of Policy wizard in Windows Server 2003. It’s like GPRESULT but from the server point of view.
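An added example, not part of the original thread: a small Python parser for saved gpresult text that reports whether a named GPO was applied, filtered out (and why), or absent for the user or computer scope. The sample output is constructed and condensed, and the GPO names `Proxy Rollout` and `USB and CD-ROM Lockdown` are hypothetical.

```python
# Constructed sample (condensed gpresult text layout); GPO names are hypothetical.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        USB and CD-ROM Lockdown
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Proxy Rollout
            Filtering:  Denied (Security)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [...], "filtered": {gpo: reason}}}."""
    lines = [l.strip() for l in text.splitlines()]
    report, scope, mode, last = {}, None, None, None
    for i, line in enumerate(lines):
        if not line or set(line) == {"-"}:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:          # a heading is underlined with dashes
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0].lower()
                report[scope] = {"applied": [], "filtered": {}}
            mode = ("applied" if line == "Applied Group Policy Objects"
                    else "filtered" if "filtered out" in line else None)
        elif scope and mode == "applied":
            report[scope]["applied"].append(line)
        elif scope and mode == "filtered":
            if line.startswith("Filtering:") and last:
                report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
            else:
                last = line                    # GPO name; its reason follows
    return report

def diagnose(report, gpo, scope="user"):
    # Where does this GPO stand for the given scope of the report?
    section = report.get(scope, {"applied": [], "filtered": {}})
    if gpo in section["applied"]:
        return "applied"
    reason = section["filtered"].get(gpo)
    return "filtered: " + reason if reason else "not in scope"
```

A result of `filtered: Denied (Security)` points at the Read and Apply Group Policy permissions, while `not in scope` points at where the GPO is linked.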
Your experience is not uncommon. I’ve been working with Active Directory and Group Policy full time since 2000, and it is my first and second hand experience that the settings in Internet Explorer Maintenance are close to useless, simply because they apply arbitrarily. My recommendation is that you drop that and find another way to solve your problem.
Version of Windows on the workstations is XP Professional.
No, I haven’t tried gpupdate /force…I’m not as familiar with the CLI’s as I should be. As I said, I’m not an MCSE nor do I play one on TV. I’m passingly familiar with the OS, but mainly in terms of making it do the things that I do (i.e. security and infrastructure). I will give that and the other CLI suggestions a try today. I have until Saturday to work this all out…that’s when the roll out starts. I guess I don’t REALLY need to sleep this week.
I’m not sure exactly what a ‘sub-domain’ is…but I rather doubt these guys have one. Their tree structure is definitely no frills. The users are all in their own OU (called prosaically enough ‘Users’) and the computers are all in the Computers OU. That is basically it. I have tried to put the linked GPO in both the Users and Computers OU…as well as create my own OU and put a test user and computer into that. None of these things seems to have any effect, though as I said the other parts of the policy dealing with shutting off the USB and CDROM seem to work fine every time.
I did check domain replication and all that seems to be working fine. They have 4 DC’s and an Exchange server, and again it’s a pretty no frills setup.
IIRC I did give Authenticated Users Read and Apply Group Policy permissions but I will certainly check that when I get back to the customer’s site.
Windows is definitely NOT fun!
I’ve never heard that before. :smack: Well, the only fall back I have is to basically insert the correct registry keys via VBS. Do you know another way? I hate to screw with the registry that way…it always makes me nervous since I have only a tenuous grasp of all of the ramifications.
Thanks everyone for the help! Appreciated.
Your description suggests you don’t have to worry about subdomains (domains can be nested in parent-child relationships like OUs, but the child domains don’t inherit policies).
When you look at your GPO, it has 2 sections, User Settings, and Computer settings. The User settings will only be applied to Users caught within the scope of the GPO link (and having read and apply group policy rights naturally), and the Computer settings get applied to Computers. If you make the changes in the User settings part, you must link the policy to an OU containing Users, or nothing will happen.
To save time in the application of policies during boot-up and/or login, either part of the GPO can be skipped entirely, which is useful when there are no settings specified in it. Right click on the policy and select Properties, you should see the relevant options there.
Curious to find out what the results are of a GPRESULT and GPUPDATE /force. I never had any issues with IE settings via Group Policy whenever I dealt with it.
Only have a brief second here between meetings. I tried GPRESULT but got a .dll missing error and it essentially blew up. I am assuming I was to run this from the test machine (which is just one of the machines in the domain). I only had a few minutes to test this however so I plan to go back this evening and check it out in more detail. I did run GPUPDATE /force and that seemed to run fine, though it didn’t actually seem to do anything.
Running between meetings atm but wanted to again say I appreciate the help on this one. You guys have given me a lot to try out and I intend to do so tonight.
Also, output of gpresult would be very useful. If you have execution problems try installing the Support Tools on the test host (Support Tools are in the support folder on the Server OS CD). I’m guessing your problem is likely preference mode though.
I’ll be going back out to the customer site tomorrow morning early and I’ll give it a try. I’ve printed out the article you linked to and I’ll read through it in my copious spare time this evening. I’m getting all the other parts prepped for this deployment today. We have essentially 48 hours to get it all lined up, tested and working before we start the deployment on Monday night of the new firewall and logical addressing scheme.