Announcement

Collapse
No announcement yet.

Proxy/Administrative Templates problem

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Proxy/Administrative Templates problem

    I am attempting to sort out the sending of proxy settings via GP on Windows 7 clients/2008R2. I formerly used the older Internet Explorer Maintenance setting. Recently I updated the server and although careful to not update IE, this method now seems to be failing on new AD bindings. So I began looking at the alternatives. So far, no luck with the registry method. I am now following the Microsoft advice and I have downloaded the latest Templates for 2008R2. Here's the problem. In the central store, there are a lot of older admx/adml files. The newer ones have the same names, but capitalised differently. I saved the GP folder and tried a copy and replace - this caused a lot of errors in GPedit. All I want to do is to access the newer template for setting the proxy. Actual, all I really want to do is set the proxy domain-wide for each machine, but that seems to be something that's not easy to do. I know this topic has been thrashed about however it's a very important issue for me - no proxy - no internet, so if anyone can point me to a solution which they know works, I'd appreciate that. BTW, how do you replace all the Administrative Templates on an exisiting server? Write all new GP objects? Thanks for your time - it's much appreciated.

  • #2
    I feel your pain, as I recently went thru the same issues (went from IE9 straight to IE11). The GP templates don't show/hide the 'Internet Explorer Maintenance' section of the policy editor, that's done inside the GPMC console, itself. So if you've applied all the updates from MS, at some point the GPMC Admin Tool has been updated so that the IE Maint section is no longer there. Once something's been set thru the GPMC, that setting is still visible as it was set when you view the policy, and even after that same section has been removed from the policy editor. But even tho it's being viewed, and applied to the clients, those settings are no longer used by the newer browsers, so don't do anything. And because the editor no longer includes those settings to make changes, you can't delete them from being seen or applied without effect. The only way to rid yourself of them is to create a brand-new policy with the same settings that are still valid, and throw the old one away. I've just had to do exactly that on a customer's system.

    You can set proxy info 1 of 2 ways, but both thru Group Policy Preferences: you can either set 3 reg keys, or you can use the Control Panel GPP to use the same GUI interface that you see when you open up Internet Options. The second option does work, but there are pitfalls with the controls involving whether something is applied, based on color-coding lines beneath each setting. Search for 'f5-f6-f7-f8' and you'll see what I mean. If you intend to change any IE settings aside from the proxy, this is how you'd do it. If you only want to enforce proxy, read on.

    It's far simpler to change the 3 reg keys. If you read the page at this link, these are the same keys I used with immediate success:

    https://www.blackforce.co.uk/2013/12...cy-preferences

    The reg settings are applied per-user, hence the HKCU (HKEY_Current_User) at the beginning of each key, so said policy must apply to a user's OU. Also, there are GP (enforced ) settings under 'Computers \ Admin Templates \ Windows Components \ Internet Explorer' which can help you prevent users from changing the settings you're pushing out. Since GP Preferences can be changed by the users, they could break the settings you push out and cause you more work. Read the MS info on this page to see what I mean:

    https://technet.microsoft.com/en-us/.../cc960614.aspx

    Suppress their ability to change, or just remove the entire tab altogether.

    As for changing / replacing templates: all you do is replace the existing ADMX files in your central store with the newer files of the same name, as well as the language files of the same name in the store's subfolder. When next you open your GPMC, the newer templates are read and the various categories of objects are available to choose from. How much change will be down to the differences between the versions of clients you're managing vs the versions of template files you're using. By all means, copy the old files for safe-keeping before you over-write them, but the case of the letters in the name shouldn't have an affect on which one is read by GPMC. I could be wrong, so someone else sound off if they've got better info.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      I really appreciate that response. Thanks very much indeed. I'll give the per user regedit a shot. Cheers, PK.

      Comment


      • #4
        Originally posted by RicklesP View Post
        I feel your pain, as I recently went thru the same issues (went from IE9 straight to IE11). The GP templates don't show/hide the 'Internet Explorer Maintenance' section of the policy editor, that's done inside the GPMC console, itself. So if you've applied all the updates from MS, at some point the GPMC Admin Tool has been updated so that the IE Maint section is no longer there. Once something's been set thru the GPMC, that setting is still visible as it was set when you view the policy, and even after that same section has been removed from the policy editor. But even tho it's being viewed, and applied to the clients, those settings are no longer used by the newer browsers, so don't do anything. And because the editor no longer includes those settings to make changes, you can't delete them from being seen or applied without effect. The only way to rid yourself of them is to create a brand-new policy with the same settings that are still valid, and throw the old one away. I've just had to do exactly that on a customer's system.

        You can set proxy info 1 of 2 ways, but both thru Group Policy Preferences: you can either set 3 reg keys, or you can use the Control Panel GPP to use the same GUI interface that you see when you open up Internet Options. The second option does work, but there are pitfalls with the controls involving whether something is applied, based on color-coding lines beneath each setting. Search for 'f5-f6-f7-f8' and you'll see what I mean. If you intend to change any IE settings aside from the proxy, this is how you'd do it. If you only want to enforce proxy, read on.

        It's far simpler to change the 3 reg keys. If you read the page at this link, these are the same keys I used with immediate success:

        https://www.blackforce.co.uk/2013/12...cy-preferences

        The reg settings are applied per-user, hence the HKCU (HKEY_Current_User) at the beginning of each key, so said policy must apply to a user's OU. Also, there are GP (enforced ) settings under 'Computers \ Admin Templates \ Windows Components \ Internet Explorer' which can help you prevent users from changing the settings you're pushing out. Since GP Preferences can be changed by the users, they could break the settings you push out and cause you more work. Read the MS info on this page to see what I mean:

        https://technet.microsoft.com/en-us/.../cc960614.aspx

        Suppress their ability to change, or just remove the entire tab altogether.

        As for changing / replacing templates: all you do is replace the existing ADMX files in your central store with the newer files of the same name, as well as the language files of the same name in the store's subfolder. When next you open your GPMC, the newer templates are read and the various categories of objects are available to choose from. How much change will be down to the differences between the versions of clients you're managing vs the versions of template files you're using. By all means, copy the old files for safe-keeping before you over-write them, but the case of the letters in the name shouldn't have an affect on which one is read by GPMC. I could be wrong, so someone else sound off if they've got better info.
        Thanks again, that method worked well. Spent a fun day cleaning up a lot of old GPO - still need to make a few again from scratch to weed out a few errors but very relieved as it was a serious problem i.e. meant no internet for students or staff. Regards, PK

        Comment


        • #5
          Glad it all worked for you!
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **

          Comment

          Working...
          X