Security Basics mailing list archives

RE: Group Policy Connundrum - Stick with it, its confusing!!!


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 30 Sep 2007 15:07:01 -0400

Jon,

There are lots of ways to troubleshoot.

Try running an rsop.msc on the workstation and look at the relevant
results.  

Or you can run gpresult.exe /v >gpresult.txt && gpresult.txt and look at
it in a text file.

Are the correct settings being pushed down? If so, then it might be a
GPO application problem. You can turn on group policy logging and see
what is not being applied, and why. 

If rsop.msc and gpresult show the correct settings, are the correct
registry edits being made under HKCU\Software\Policies?

I'll help you troubleshoot.

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, CISA MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger () banneretcs com or rogrim () microsoft com
*Author of Windows Vista Security: Security Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470101555
*******************************************************************



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jon Petre
Sent: Friday, September 28, 2007 5:09 AM
To: security-basics () securityfocus com
Subject: Group Policy Connundrum - Stick with it, its confusing!!!

Hello List,

I have an issue at a customer's site regarding GP that goes a little like
this:

I have created a policy named no internet. I have created a security
group named the same. In this group are so many users based across the
country that I want to limit the internet usage, therefore I have
created a false proxy @ 0.0.0.0 that all their internet use has to pass
through. This gives the expected result where no pages are displayed
regardless of which site the user goes to. I have also created some
exceptions for this policy, which do not use the proxy, i.e.

www.homepageofcompany.com, www.siteiwanttoallow.com,
www.theusercangohere.co.uk.

This is done by setting the 'user configuration > Internet Explorer >
Connection > Proxy Settings > Exceptions'. The desired output is that
users log on and can access these sites, but any other non-specified
site won't work.

----I hope this makes sense so far----

Then by setting the 'Admin Template > Windows Components > Internet
Explorer  > Disable Changing Proxy Settings' to enabled effectively
grays out the proxy settings in internet explorer and stops the user
from altering the settings.

OK, this is where the issues start. When I toggle the 'Admin Template >
Windows Components > Internet Explorer > Disable Changing Proxy
Settings' between enable and disable, and update the policy on the local
machine via GPUPDATE, or even from the server by forcing the update,
everything works and the proxy is enabled and disabled as specified.

However, when I try to make changes to any part of the user config, the
policy does not seem to initialise. What I mean is any sites I add to
the exception list do not appear and the end result is the user cannot
access any sites at all. I have logged on and off, and re-booted
workstation all to no effect.

Any suggestions on why the user configuration portion of the Group
Policy does not work would be much appreciated. I am sure all the
permissions are set correctly, i.e. the apply GP settings, read settings
etc. If they weren't, then surely no part of the policy would work, would
it?

TIA,

Jono
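
The registry check from Roger's reply, as an added PowerShell example that is not part of the original thread. It assumes IE keeps the user's proxy values (ProxyEnable, ProxyServer, ProxyOverride) under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and that the "Disable changing proxy settings" policy writes a Proxy value under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel; the host names are the ones from Jon's post.

```powershell
# Added example; run in the affected user's session after gpupdate and logon.
# Exception hosts are the ones named in the post.
$expected = 'www.homepageofcompany.com', 'www.siteiwanttoallow.com', 'www.theusercangohere.co.uk'

# Assumed locations: IE's per-user proxy values, and the value written by the
# "Disable changing proxy settings" administrative template.
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$server   = Get-RegValue $inetKey 'ProxyServer'
$enabled  = Get-RegValue $inetKey 'ProxyEnable'
$override = Get-RegValue $inetKey 'ProxyOverride'
$locked   = Get-RegValue $policyKey 'Proxy'

# ProxyOverride is one semicolon-separated string; split it into host entries.
$actual = @()
if ($override) {
    $actual = @($override -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Hosts the GPO should have delivered but that are not in the user's hive.
$missing = @($expected | Where-Object { $actual -notcontains $_ })

"ProxyEnable         = $enabled"
"ProxyServer         = $server"
"ProxyOverride       = $override"
"Policy lock (Proxy) = $locked"

if ($missing.Count -eq 0) {
    'All expected exceptions are present in the registry.'
} else {
    'Exceptions configured in the GPO but not written for this user:'
    $missing | ForEach-Object { "  $_" }
}
```

If the lock value is present but exceptions are missing, the administrative template part of the GPO is reaching the user while the proxy settings part is not, which narrows where to look in the group policy log.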
