Hi David...

I've seen behavior like this myself. I've defined a software restriction
policy at the domain level, for when we get a worm in house and I can get
my hands on code. This is processed before the default domain policy, and
we also have a modified domain policy at that level.

At the OU level, we define proxy settings, as you're trying to do. When I
enabled the policy at the domain level, with NO user settings at all,
after a couple of hours the proxy settings at the OU level were getting
"blanked". Fortunately, I was able to get out of this by disabling the
user settings in the policy. I need those software restrictions to be
applied to ALL computers that can read it.

So, somehow at the domain level, these act like some of the security
settings, the password settings, etc. Could be a bug; I never really had the
time to talk it over with MS, as turning off the user settings calmed the
calls.

I'm reconsidering putting this policy at the top OU level to see if it
behaves differently, which I'm going to guess it will.

Probably the easiest thing to do is block inheritance. But then you'll
have to put another policy in with the settings you have in the domain
policy that you wish all to get. We've stayed away from doing a lot in the
domain-level policies, trying to keep them at the OU level.

We do successfully use loopbacks here, for laptops for instance. We had no
real way to determine a laptop user, as they could log into a workstation
any time. So we have a laptop OU, with laptops, and separate settings for
connections, and less restrictive on the proxy, auto-config, etc. As they
travel by nature, they need a bit more freedom.

If you can, I personally would make a separate policy with the proxy
settings, and apply it at the highest OU you have. My guess is you can
reverse those settings then easily.

Have fun,
John

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
Date: 06/09/2004 08:45 AM
Please respond to: ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] Wierdness with IE Proxy GPO settings

I am having trouble making sense of IE proxy GPO settings. Any thoughts
much appreciated.

I have defined the IE proxies in the Default Domain Policy for all Domain
Users. Everything (IE and other apps that use IE proxy config) works fine
for normal logins. The weird things start happening under two situations:
1) if you have an OU that needs a different set of proxies, and 2) if you
have system services that want to go out to the internet for updates (say
Symantec AV and Windows Updates) automatically.

1) If you create a new policy linked to the OU that holds
only computer objects (users in other OUs) and has a bunch of OU-specific
settings both under Computer and User, and you enable loopback
processing in Replace mode, all the user settings, like display, themes,
screensaver etc., get applied properly EXCEPT the IE proxy setting from the
OU policy. Using the GPMC RSoP, the IE proxies are always applied from the
Default Domain Policy even though the Default policy is not set to
enforced. I have set the mode to Preference and enabled the computer
setting "make proxies per machine rather than per user". (This strikes me as
an odd setting, as there is nowhere in the computer section to set the
proxies; it only appears as a user setting.)

2) When we upgraded our SAV to V8.1, live update on member servers stopped
working to the Internet automatically. If you logged on to the server and
manually launched live update, it worked fine. One of my co-workers tracked
this back to a Symantec bulletin that indicated proxies were the issue.
When you run RSoP on the server for computer settings only, there is no
user data (and therefore IE proxy settings) shown. If you run the Modeling
from GPMC on the server for computer settings only without loopback
processing, no IP proxy settings. With loopback enabled, lo and behold,
IE proxy settings show up. So the obvious answer is to enable loopback
processing. Based on my experience in scenario 1, I can say that loopback
processing for IE proxies on an OU-specific policy does not work for me.
That would mean I would have to enable loopback processing on the default
domain policy. Based on our initial lab tests, this does not seem to work.
Even if it did, I am not sure I want to enable loopback on the default
domain policy.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
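
As an added illustration that is not part of either message: a small Python model of the documented Group Policy precedence rules (domain before OU, enforced links, block inheritance, loopback merge/replace), showing which GPO RSoP would be expected to name as the winner for a user-side proxy setting in the layout from scenario 1. All container names, GPO contents and proxy values are constructed; local and site GPOs, link order within a container, and security/WMI filtering are left out.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)  # user-side settings only
    enforced: bool = False

@dataclass
class Container:  # a domain or OU with its linked GPOs
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def gpo_order(path):
    """path runs from the domain down to the object's OU; result is lowest precedence first."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []  # non-enforced GPOs linked above this OU are dropped
        for g in c.links:
            (enforced if g.enforced else normal).append(g)
    return normal + enforced[::-1]  # enforced links win, highest container last

def effective_user_settings(user_path, computer_path, loopback=None):
    """Return {setting: (value, winning GPO)} for a user logging on to a computer."""
    if loopback == "replace":
        gpos = gpo_order(computer_path)  # user's own GPO list is ignored
    elif loopback == "merge":
        gpos = gpo_order(user_path) + gpo_order(computer_path)
    else:
        gpos = gpo_order(user_path)
    result = {}
    for g in gpos:
        for key, value in g.user.items():
            result[key] = (value, g.name)  # a later GPO overwrites an earlier one
    return result

# Constructed sample directory (all names and values are made up).
ddp = GPO("Default Domain Policy", {"proxy": "proxy-a.example:8080", "homepage": "intranet.example"})
kiosk = GPO("Kiosk OU Policy", {"proxy": "proxy-b.example:8080", "screensaver": "on"})
domain = Container("example.local", [ddp])
staff_ou = Container("Staff")
kiosk_ou = Container("Kiosks", [kiosk])

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_settings([domain, staff_ou], [domain, kiosk_ou], mode))
```

Comparing this expected winner with the "winning GPO" column in a GPMC RSoP report is a quick way to tell a precedence misunderstanding from behaviour that really departs from the rules.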