GPO to target IP Range

  • Question

  • Hi all

    We have a GPO that should target a certain IP range. If the IP is 10.10.70.x the settings in the GPO should apply. What would be the best way to do this?

    Thanks in advance

    We have Win 7 and XP and 2008 R2 DCs

    Tuesday, April 16, 2013 6:01 AM

All replies

  • You can use item-level targeting but this only applies to Group Policy Preferences.  On the Common tab of the preference you can click New-Item, select IP Address Range and enter the IP range required.

    What settings are you looking to apply?

    Tuesday, April 16, 2013 7:47 AM
  • Thanks - I want to apply proxy settings for specific users. Settings are in User Config > Policies > Win Settings > IE Maintenance > Connection/Automatic browser config. So in essence, all users with a specific IP must get a certain proxy setting

    Tuesday, April 16, 2013 8:20 AM
  • No problem, I use item-level targeting for proxy settings but base it on Active Directory site as opposed to IP range.  You'll have to add the registry entries into the Preferences section of the GPO and apply the targeting to that.  I do the same for proxy exclusions.

    Create a string value in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings called ProxyServer with the value set as your proxy server name.

    • Marked as answer by CraMey Wednesday, April 17, 2013 7:30 AM
    Tuesday, April 16, 2013 8:59 AM
  • You can make proxy settings per-machine with GPO, furthermore you can prevent end users from changing their proxy settings via Group Policy.
    http://social.technet.microsoft.com/wiki/contents/articles/5156.how-to-force-proxy-settings-via-group-policy.aspx
    Tuesday, April 16, 2013 9:09 AM
  • > No problem, I use item-level targeting for proxy settings but base it on Active Directory site as opposed to IP range.  You'll have to add the registry entries into the Preferences section of the GPO and apply the targeting to that.  I do the same for proxy exclusions.
    >
    > Create a string value in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings called ProxyServer with the value set as your proxy server name.

    I don't understand your recommendation. I cannot use sites as the IP range I want to target is a specific range in a site. It is not the whole site. Can you explain based on that how I can do that?
    Tuesday, April 16, 2013 9:27 AM
  • > You can make proxy settings per-machine with GPO, furthermore you can prevent end users from changing their proxy settings via Group Policy.
    > http://social.technet.microsoft.com/wiki/contents/articles/5156.how-to-force-proxy-settings-via-group-policy.aspx

    That shows me how to configure the GPO itself. I know that and have done that. My difficulty comes in to apply it to a specific IP range in a site. Not the whole site. How do I do that?
    Tuesday, April 16, 2013 9:30 AM
  • Edit the GPO and navigate to User Configuration -> Preferences -> Windows Settings -> Registry.  Create a new registry item using the details in my last post.  Then, on the Common tab, enable Item-level targeting and click Targeting.  Click New-Item, select IP Address Range and enter the IP range required.


    • Edited by Dai Webb Tuesday, April 16, 2013 9:34 AM
    • Marked as answer by CraMey Wednesday, April 17, 2013 7:29 AM
    Tuesday, April 16, 2013 9:33 AM
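
Added example, not part of the thread or any poster's own script: a client-side check, run as the affected user, that compares the machine's IPv4 addresses with the targeted range and reports whether the ProxyServer value from the answer above is present. The range bounds (taken as the full 10.10.70.x block from the question) and the expected proxy value are placeholders to replace.

```powershell
# Added example: verify that the IP-range-targeted preference item landed.
# The range bounds and $ExpectedProxy are constructed placeholders.
$RangeFirst    = '10.10.70.0'
$RangeLast     = '10.10.70.255'
$ExpectedProxy = 'proxy.example.internal:8080'   # placeholder, not from the thread

function ConvertTo-UInt32 ([string]$Address) {
    # GetAddressBytes() returns network byte order; reverse it so BitConverter
    # (little-endian on Windows) yields a value that compares numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange ([string]$Address, [string]$First, [string]$Last) {
    $n = ConvertTo-UInt32 $Address
    ($n -ge (ConvertTo-UInt32 $First)) -and ($n -le (ConvertTo-UInt32 $Last))
}

# IPv4 addresses bound to enabled adapters; the regex drops IPv6 entries.
$addresses = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })

$inRange = @($addresses |
    Where-Object { Test-InRange $_ $RangeFirst $RangeLast }).Count -gt 0

# The per-user key named in the answer; read it in the user's own session.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$applied  = $settings.ProxyServer -eq $ExpectedProxy

# ConsistentWithTargeting is True when "in range" and "value present" agree.
New-Object PSObject -Property @{
    Addresses               = $addresses -join ', '
    InTargetRange           = $inRange
    ProxyServer             = $settings.ProxyServer
    ProxyEnable             = $settings.ProxyEnable
    ConsistentWithTargeting = ($inRange -eq $applied)
}
```

ProxyEnable is listed because Internet Explorer only uses ProxyServer when that DWORD in the same key is 1. ConsistentWithTargeting being False on a machine outside the range can mean the value was left behind by an earlier logon inside it.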
  • Thank you very much Dai - worked like a charm
    Wednesday, April 17, 2013 7:30 AM
  • Just by the way...can a similar reg hack be used to lock down proxy settings in Firefox as they cannot be managed by GPO?
    Wednesday, April 17, 2013 7:31 AM
  • I don't see why not, as long as Firefox stores the settings in the registry.  With item-level targeting all the GPO will do is apply the registry settings if certain conditions are true, it doesn't care what they are.

    Wednesday, April 17, 2013 7:48 AM
  • On 17.04.2013 09:31, CraMey wrote:
    > Just by the way...can a similar reg hack be used to lock down proxy
    > settings in Firefox as they cannot be managed by GPO?
     
    By default, Firefox stores settings in prefs.js which requires a
    sophisticated script framework to manage... But you can switch over to
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Wednesday, April 17, 2013 3:45 PM