Thursday, March 1, 2007

Set Proxy Setting via Group Policy

If a user does not have a mandatory profile set then they cannot connect to the internet, the reason being that the school proxy settings have not been set. I am trying to do this via group policy.

I have created a test Organisation Unit (OU) with a test group policy and in this

Under User Configuration>Windows Settings>Internet Explorer Maintenance>Connection>Proxy Settings I have enabled proxy settings and entered our proxy server and port number.

I have created a user teacher. This user has no fixed profile so on initially logging onto the computer it has a proxy setting of "Automatically Detect Settings"

I have now moved the test computer under the test OU and rebooted a couple of times.

I checked in the event log and the "Application Management" event indicated that "changes to software installation settings; were applied successfully"

Checked the proxy settings and they had not been set.

I removed another group policy below the test one that was there.

Rebooted again

Strange!! Automatically Detect settings is ticked, Use automatic configuration is ticked and has a config file. Proxy Server Settings are set correctly.

Reboot to confirm

Back to having just Automatically Detect settings ticked. With the previous strange happenings the event viewer had not shown "software settings applied successfully".

Let the troubleshooting begin



Need to know what policy settings are in effect.

Tools that you can use to see what policy is in effect include Resultant Set of Policy and gpresult.
You can also get a report on policy from Help and Support Center by following these steps:
1. Click the Start button, and then click Help and Support.
2. Click Support.
3. Under See Also, click Advanced System Information.
4. Under Advanced System Information, click View Group Policy settings applied.
The report includes User name and domain; Computer name and domain; When User Settings and Computer Settings were last applied; Folder redirection details; Logon, logoff, startup and shutdown scripts; Installed software; and Administrative Templates. The report also gives information about Security Settings, and connection and proxy settings for IE Maintenance.

This showed that the last time group policy was applied was Yesterday???

Ok so I refreshed the Group policy by running gpupdate at the command line of the test PC.
It indicated it had successfully completed.

However the Last time the group policy was updated still showed yesterday. The proxy settings now show nothing. i.e Automatically detect settings is now unset so there has been a change.

Alright now this is annoying me. Let's get serious

Enable verbose logging on XP
1. Click Start, click Run, type regedit in the Open field, and then click OK.
2. Locate and then double-click LogLevel under the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
3. On the Edit DWORD Value window, click to select Hexadecimal on the Base pane.
4. Type 0000FFFF in the Value data box.
5. Click OK.

The size of the setupapi file did not change and there were no entries for today despite numerous reboots!!!!!!

Trawling the net for hours has come up with the goods.

I moved the computer account under the test OU. The settings I was trying to apply from the GPO were for the User. Hence I had to move the user under the test OU and guess what it worked.

A fundamental misunderstanding on my behalf.

No time to celebrate this achievement.

If I remove the proxy settings then they are not added back with a logoff or a reboot!!!

This behavior occurs because Internet Explorer security settings in Group Policy that has not changed are not to be applied to a user, even if the user has changed the same security settings in the local browser. If you change the local security settings, the settings in the local registry are overwritten.

To resolve this behavior, force the Internet Explorer settings in a Group Policy to always rewrite the appropriate registry keys when the user logs on to the computer:
1. On a domain controller, open the Active Directory Users and Computers snap-in.
2. Right-click the domain name, and then click Properties.
3. Click the Group Policy tab, click the default domain policy, and then click Edit.
4. Expand Administrative Templates under Computer Configuration in the Tree pane.
5. Expand System under Administrative Templates, and then click Group Policy.
6. Click Internet Explorer Maintenance Policy Processing in the Policy pane.
7. Double-click Internet Explorer Maintenance Policy Processing to open the properties for Internet Explorer Maintenance Policy Processing.
8. Click Enable on the Policy tab, and then click Process, even if Group Policy objects have not changed.
9. Click OK to set the policy.

The proxy settings are still not being updated!!!

You may experience the following issues when you try to apply a Microsoft Internet Explorer or a Windows Internet Explorer Maintenance policy to a client computer:

The policy is only applied one time.

The policy is not reapplied when you log on, even if you have enabled the "Process even if the Group Policy objects have not changed" setting.

The policy does not respond to the GPUPDATE /FORCE command.

The Internet Explorer Maintenance policy is probably running in preference mode. Preference mode is designed to provide initial settings to a user without enforcing them.


1. Open the Group Policy Object Editor snap-in. To do this:
   a. Click Start, click Run, type mmc in the Open box, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. Click Add.
   d. Click Group Policy Object Editor, and then click Add.
   e. Click the target Group Policy object (GPO). The default GPO is Local Computer. Click Browse to select the GPO that you want, and then click Finish.
   f. Click Close, and then click OK.
2. In the console tree, expand the GPO, expand User Configuration, and then expand Windows Settings.
3. Right-click Internet Explorer Maintenance, and then click Preference Mode.

What a roll. Works beautifully. This will allow users with laptops to change the proxy settings when they go home and automatically be changed back when they log in at work.

Not so good. It works sometimes and sometimes it doesn't. Some computers always work, some don't work. What a mess.

Will begin to troubleshoot what looks hopeless.

My laptop appears to work successfully.

So I will start to try and find differences.

I have noticed that when I rebooted a computer that was not working this morning 20/03/07

I checked in the event log and the "Application Management" event indicated that "changes to software installation settings; were applied successfully". Why would this have appeared when I had made no changes?

On computers that were working this was not there.

As part of the investigation I wanted to know what was a

Local Group Policy Object

Local Group Policy Objects (LGPOs), on the other hand, are much simpler, because there is exactly one LGPO on each Windows 2000 or later computer on your network. In an Active Directory environment, LGPOs have the lowest precedence and are always processed first if they have been configured, and so the result is that LGPO settings are usually overwritten by GPOs linked to domains, sites, or OUs. As a result, you usually won't need to configure LGPOs unless you have stand-alone computers that belong to a workgroup. Another scenario in which LGPOs might need to be configured would be kiosk machines configured in a stand-alone environment for public users to access.

The simplest way to configure the LGPO on a Windows 2000 or later computer is by choosing Start -> Run -> gpedit.msc -> OK. As shown in Figure 1 below, this opens the Local Computer Policy in the Group Policy Object Editor.

As a final observation, note that Microsoft says in its documentation that every Windows 2000 or later computer has exactly one LGPO and that this LGPO is stored in a hidden folder named %windir%\system32\Group Policy. This is not quite true, however, as I discovered recently when I worked as tech reviewer for Microsoft Press on the upcoming Microsoft Windows Group Policy Guide. It turns out that this %windir%\system32\Group Policy folder doesn't actually exist on a computer until you first open the GPOE to edit Local Group Policy on that machine. Thus initially there is no LGPO at all on a Windows machine until you decide to configure local policy on the machine using the GPOE.

Trying to pin where the problem occurs is nearly hopeless as there seems to be no pattern.

I was working on my laptop and the Internet was working. Went to access a site 10 minutes later and found I could not access an external site. Checked my proxy settings and found that "Use a Proxy Server" was unticked.

By running gpresult we have found that the Computer and User Group Policy settings are updated about every ninety minutes.

Once the setting is lost you can either manually tick the box or a reboot (sometimes) two fixes the problem.

Some interesting info

By default, Group Policy is refreshed every 90 minutes with a randomized delay of up to 30 minutes, for a total maximum refresh interval of up to 120 minutes. This interval can be changed using the computer policy setting Group Policy refresh interval for Computer located in the Computer Configuration\Administrative Templates\System\Group Policy namespace.
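To line the loss of the "Use a Proxy Server" tick up against that refresh cycle, the three tick boxes can be read from the user's registry and logged with a timestamp. This is an added example, not part of the original troubleshooting; the flag byte layout of DefaultConnectionSettings is the commonly observed, undocumented one and is an assumption, and the sample blobs are constructed.

```powershell
# Added example (not from the original post): snapshot the per-user proxy state.
# Assumption: byte index 8 of DefaultConnectionSettings holds the tick-box flags
# (0x02 = use a proxy server, 0x04 = use configuration script, 0x08 = auto detect).

function ConvertFrom-ConnectionBlob {
    param([byte[]]$Blob)
    # A missing or truncated value cannot be decoded
    if ($null -eq $Blob -or $Blob.Length -lt 9) { return $null }
    $flags = [int]$Blob[8]
    [pscustomobject]@{
        UseProxyServer  = [bool]($flags -band 0x02)
        UseConfigScript = [bool]($flags -band 0x04)
        AutoDetect      = [bool]($flags -band 0x08)
    }
}

function Get-ProxySnapshot {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $is   = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue
    $ui   = ConvertFrom-ConnectionBlob $conn.DefaultConnectionSettings
    [pscustomobject]@{
        Time           = Get-Date -Format s
        LogonServer    = $env:LOGONSERVER      # DC that authenticated this logon
        ProxyEnable    = $is.ProxyEnable       # 1 when "Use a proxy server" is ticked
        ProxyServer    = $is.ProxyServer
        AutoConfigURL  = $is.AutoConfigURL
        AutoDetect     = $ui.AutoDetect
        UseProxyServer = $ui.UseProxyServer
    }
}

# Constructed sample blobs: only byte 8 differs between the two states.
$detectOnly = [byte[]](0x46,0,0,0, 0x05,0,0,0, 0x09)   # "Automatically detect" only
$proxyOnly  = [byte[]](0x46,0,0,0, 0x05,0,0,0, 0x03)   # "Use a proxy server" only
ConvertFrom-ConnectionBlob $detectOnly
ConvertFrom-ConnectionBlob $proxyOnly

# On a Windows client, run as the affected user and append to a log:
Get-ProxySnapshot | Format-List
```

Running the snapshot at logon and again after each policy refresh shows which domain controller was in use when the setting changed.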

Ok the problem has been fixed we are 99% sure. Thank God for that.

Replication between the domain server and the secondary server was not working and had not been for some time. Hence the changes we made to group policy were being applied on our domain server and not to our secondary server. Why the random nature? Where a computer gets its policy information is done I believe on a load balancing algorithm. Hence sometimes you will get the correct group policy information from the domain server and sometimes you will get the incorrect (outdated) information from the secondary server. A gpresult actually shows which machine it has compiled your policy information from.

The secondary server has been switched off until the replication issue is rectified.
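One way to confirm this kind of drift, as an added example that is not part of the original post: compare the Version value in each domain controller's copy of the GPO's gpt.ini. The DC names and file contents are constructed, and the UNC path in the closing comment uses placeholders.

```powershell
# Added example: flag GPO version drift between domain controllers.
# DC names and gpt.ini contents are constructed; nothing here comes from the post.

function Get-GptVersion {
    param([string]$IniText)
    # gpt.ini stores one counter as "Version=N" in its [General] section.
    if ($IniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') {
        $v = [uint32]$Matches[1]
        [pscustomobject]@{
            Raw      = $v
            User     = [int]($v -shr 16)       # high 16 bits: user-side revisions
            Computer = [int]($v -band 0xFFFF)  # low 16 bits: computer-side revisions
        }
    }
}

function Compare-GptVersion {
    param([hashtable]$IniByDc)
    $rows = foreach ($dc in ($IniByDc.Keys | Sort-Object)) {
        $ver = Get-GptVersion $IniByDc[$dc]
        [pscustomobject]@{
            DC       = $dc
            Raw      = if ($ver) { $ver.Raw } else { 'unreadable' }
            User     = $ver.User
            Computer = $ver.Computer
        }
    }
    # Any second distinct value means the DCs hold different copies of the GPO
    $distinct = @($rows | ForEach-Object { "$($_.Raw)" } | Sort-Object -Unique)
    [pscustomobject]@{ InSync = ($distinct.Count -le 1); Rows = $rows }
}

# Constructed sample: the secondary still holds an older copy of the GPO.
$sample = @{
    'DC-PRIMARY'   = "[General]`r`nVersion=1310740`r`n"   # user 20, computer 20
    'DC-SECONDARY' = "[General]`r`nVersion=196612`r`n"    # user 3, computer 4
}
$result = Compare-GptVersion $sample
$result.Rows | Format-Table -AutoSize
if (-not $result.InSync) { Write-Warning 'gpt.ini versions differ between DCs' }

# Live use (placeholders, run from an admin workstation):
#   $ini = Get-Content '\\<dc>\SYSVOL\<domain>\Policies\{<gpo-guid>}\gpt.ini' -Raw
```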

THE END. (I pray)
