none
GPO to specify the use of a PAC file to set the proxy used by Internet Explorer works when applied to an OU but not to a Site object

    Question

  • Ihave configured a Windows 2003 GPO to specify the use of a PAC file in Internet Explorer for clients running Windows XP/IE 8.

    The settings apply correctly when the GPO is linked to an OU.

    Unfortunately the settings do not apply correctly when the GPO is linked to a Site object.

    The problem is that I need to get the GPO working when it is linked to Site objects.  After linking the GPO to the Site object and testing against a machine in that Site, I ran a Group Policy Results Wizard against that test machine and it indicated that my GPO was the winning policy and it detailed the PAC file that should have been set -

    I also ran an RSOP directly on the test client and it too indicated that my site policy was the winning policy and that the PAC file detailed in the GPO is what should be detailed in IE.

    IE just doesn't take the setting when the GPO is linked to the Site object though.  It works fine when the same GPO is applied to an OU.

    Has anyone come across this issue before and managed to resolve it?  Any suggestions on a course of action would be welcomed.

     

    Many thanks

    Dee P

    Friday, October 28, 2011 3:19 PM

Answers

  • Hi All

    I did manage to get this resolved.  The problem was eventually traced to a GPO linked to an OU that was also enforcing the Internet Explorer 'Automatic Configuration' settings.

    It was just unfortunate that the RSOP I ran on the client and the Group Policy Results Wizard were both wrongly informing me that the GPO I had created and linked at Site level was the 'winning policy'.

    The most reliable way of determining the priority of IE policies is to examine the 'install.ins' file in the subfolders of 'C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings'.   If a setting is defined in multiple GPOs, it will appear in multiple 'install.ins' files in different subfolders (Custom0, Custom1, etc.).  IE will enforces the setting from the 'install.ins' file of last custom settings folder.

     

    Regards

    Dee P

    • Marked as answer by Dee P Monday, November 28, 2011 5:08 PM
    Monday, November 28, 2011 5:08 PM

All replies

  • When you are applied that GPO on site lebel, pls check the below points.

    Keep remember

     

    ?  Link Order – the precedence order for GPOs linked to a given container. The GPO link with Link Order of 1 has highest precedence on that container.

     

    ?  Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs from any of its parent container. Note that Enforced GPO links will always be inherited.

     

    ?  Enforcement – (previously known as “No Override”) the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.

     

    ?  Link Status – determines if a given GPO link is processed or not for the container to which it is linked.

     

    ?  GPO Slow link detection problem(http://grouppolicy.editme.com/SlowLinks).

     

    See the below link.

     

    http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx

     

    1. Make sure that the OU not Block Inheritance.

     

    2. Please check whether loopback policy enabled.

     

    3. Make sure the GPO linked to the right OU, and the test user are in the right OU.

     

    4. Make sure that in the security filtering there is Authenticated users listing.

     

    5. Make sure that the GPO status is enabled.

     

    Controlling the Scope of Group Policy Objects using GPMC

     

    http://technet.microsoft.com/en-us/library/cc786768(WS.10).aspx

     


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Saturday, October 29, 2011 4:23 AM
  • Hi Biswajit

    The Group Policy Results wizard and the RSOP I ran on my test PC/user after applying the site version of the policy confirm that as far as AD is concerned my policy should be working.

    The second screenshot in my original post above is from the Group Policy Results wizard check and it shows that my GPO is the 'winning policy' and it also details the PAC file that should be referenced by IE.

    Unfortunately the setting just isn't populated in IE when the GPO is set on the site object.  It isn't just one site object either - it's any.  I've tested this GPO and other ones referencing different PAC files and they don't work either when applied to site objects.

    The fact that the same GPO works when applied to an OU indicates that there isn't a conflict with the client either since polices applied at both OU and Site level should have a higher priority than any local policies.

    Thanks

    Dee P

    Saturday, October 29, 2011 9:32 AM
  • Deploy the change locally and to find the reg key , you can deploy that key via adm/admx/vb script/gpp. below link may help you for finding the ie reg key.

    http://social.technet.microsoft.com/wiki/contents/articles/internet-explorer-registry-hacks.aspx

    32 bit ie/64 bit ie/32pc/64 bit pc settings are different. There is a problem with 64 bit pc with 32 bit ie.

    Also you can compare the reg key with of xp with win7


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Saturday, October 29, 2011 1:49 PM
  • Thanks - but I don't think that really helps me - I need to deploy almost 30 PAC files across the same number of sites and want to do this using Group Policies.

     

    Kind regards

    Dee P

    Monday, October 31, 2011 1:03 PM
  • Hello Dee,

    The IE Maintenence is a User Configuration and can only be applied to the User objects.

    AD sites will have Computer Objects and the above settings will not apply to them, you need to link this GPO to a OU where User objects are located.

     

    Regards,

    AR

     

     

     


    Best Regards, AR
    Monday, October 31, 2011 8:55 PM
  • Hi,

     

    Generally, the default Group Policy settings are processed in the order: Local Group Policy object, Site, Domain and Organizational units, if no Enforced, Block Inheritance and Loopback features are set. For more information, please refer to the following Microsoft TechNet article:

     

    Group Policy processing and precedence

    http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

     

    According to the present situation, please make sure there is no policy overwrite the site Group Policy setting.

     

    Hope this helps!

     

     

    Best Regards

    Elytis Cheng

     

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, November 01, 2011 2:25 AM
    Moderator
  • Hi AR

    The IE settings in question are 'User Configurations' as opposed to 'Computer Configurations' but that doesn't mean that you can't apply these settings in a GPO at site level.  I work in an organisation where we have 27 international offices each with their own AD site objects and we have been using sites polices to specify the use of specific proxy servers in IE for many years and it has never been a problem.  The issue appears to be peculiar to specifying the use of automatic configuration scripts.

     

    Many thanks

    Dee

    Thursday, November 03, 2011 9:57 AM
  • Hi Elytis

    Thanks for the suggestion but the Group Policy Results wizard and the Resultant Set of Policy I ran both indicate that as far as AD is concerned the settings I want populated in IE are working - the problem cannot therefore be to do with blocking of inheritance or interference from loopback policies.

    The Group Policy Results wizard even states that my policy is the winning policy and it details the setting that it thinks IE should be showing.  It just doesn' work in IE.

     

    Kind regards

    Dee

    Thursday, November 03, 2011 10:02 AM
  • Hello Deep,

     

    Any luck? How many GPOs linked to the site in question  here? can you post the gpresult from the computer facing the issue?

     

    Regards,

    AR


    Best Regards, AR
    Sunday, November 20, 2011 11:13 PM
  • Hi All

    I did manage to get this resolved.  The problem was eventually traced to a GPO linked to an OU that was also enforcing the Internet Explorer 'Automatic Configuration' settings.

    It was just unfortunate that the RSOP I ran on the client and the Group Policy Results Wizard were both wrongly informing me that the GPO I had created and linked at Site level was the 'winning policy'.

    The most reliable way of determining the priority of IE policies is to examine the 'install.ins' file in the subfolders of 'C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings'.   If a setting is defined in multiple GPOs, it will appear in multiple 'install.ins' files in different subfolders (Custom0, Custom1, etc.).  IE will enforces the setting from the 'install.ins' file of last custom settings folder.

     

    Regards

    Dee P

    • Marked as answer by Dee P Monday, November 28, 2011 5:08 PM
    Monday, November 28, 2011 5:08 PM