Re: inconsistant proxy settings

Hi We have a similar issue and I made a little progress, but I still can't
figure out how to fix it....
We have inconsistencies with proxxy server settings on citrix/teminal
servers after disabling the group policy. Think it has to do with the shadow
keys since proxy server settings are HKCU settings.


We had a similar group policy, loopback/merge, set the proxy server settings
in IE and pushed all of our users through a proxy server. We disabled that
group policy because we had an architecture change on our network and have a
transparent proxy server and no longer need to direct IE to a proxy server.
The registry keys that an IE group policy sets to apply proxy server
settinsis HKEY_CURRENT_USER settings:
HKCU\Software\Microsoft\Windows\Current Version\Internet Settings
Keys
ProxyEnable=(1)
1 enables the “user proxy server” check box in IE. A registry key of 0 is
the dfault. That is when the check box is not checked.
ProxyServer=x.x.x.x
I noticed that some Citrix Users are still going through the proxy server in
IE even though the Group policy is disabled. I searched the registry and
found another location where the proxy server is set:
HKLM key at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal
Server\Install\Software\Microsoft\Windows\Currenet Version\Internet
Settings\Proxy Enable

The proxyenable and proxyserver keys are still enabled here even though the
group policy is disabled. The Terminal server is remembering these keys.

Looking at this link I think there is in issue with setting proxy server via
group policy and an interaction with
Change user /install and change user /execute
http://www.brianmadden.com/blogs/brianmadden/archive/2004/08/03/how-applications-use-the-registry-in-terminal-server-environments-part-2-of-3.aspx

I think that if the citrix/terminal server is in install mode and the group
policy settings for proxy server get shadowed from the HKCU that gets the
policy in to the HKLM location, then it propagates to other users depending
on the time stamp of the key.

What I can’t figure out is how to change the “proxyenable” value in the HKLM
shadow key from a “1” which is enabled to a “0” which is disabled, and then
have this synch back to any subsequent user that logs in so their hkcu
“enableproxy” key turns back to a “0” and they no longer use the proxy.


"BFH" wrote:

Not yet, but I will the next time it happens (so far, I've just fixed them
when they call). I created a new user with the same settings in the same OU
as one who had the problem, and tried to recreate, but it didn't happen
(yet). I'll post again as soon as I can run RSOP

"Jeff Pitsch" wrote:

Typically because the filter is set wrong for the GPO. Have you run an
RSOP for those users?

Jeff Pitsch
Microsoft MVP - Terminal Services

BFH wrote:
Win2003 DCs, Win2003 TS. Terminal server is in it's own OU, GPO with
loopback processing applied, merge mode. Users in a different OU. Some
users also have local PCs, in another OU.

Some users, but not all, have a GPO that directs them to go through a proxy
server to the internet. This proxy is set "per-user." This works
consistently on individual PCs, and when those users who are supposed to be
proxied log into the TS, the GPO applies properly. But some users who are
not supposed to be proxied log into the TS and somehow get configured to go
through the proxy- which, due to its rule base, prevents them from getting to
the Internet.

I know I could rethink the rulebase and "fix" this, but I'm really wondering
if anyone knows why IE, or a GPO, or whatever, would do this.

.

Relevant Pages

  • RE: Stop browsing the web through GP?
    ... Internet Explorer settings are configurable through Group Policy. ... You can try pointing the proxy server to a non existent IP address and then completely lock down IE so they can't change any settings. ... Captus Networks ...
    (Security-Basics)
  • Re: need help finding registry keys
    ... However, Group Policies DO supersede these settings, and in a subsequent post, I told the OP how to go about finding the policy items in the 'Group Policy Editor' - which, I feel, was an adequate solution. ... I may be wrong but I always thought that the keys with long string names were GUIDs and not something that you can simply "export" or copy. ... This one stops editing of the Temporary Internet Files settings page. ...
    (microsoft.public.windowsxp.general)
  • Re: block some users from access to the Internet
    ... I just audited a bank where the admin had created a group policy that ... configured proxy server settings in Internet Explorer for a non-existent ... have internet access with IE because they could not find the proxy server. ...
    (microsoft.public.windows.server.sbs)
  • Re: How to block internet browsing
    ... What some do it to configure Group Policy for those users to apply a bogus ... proxy server Ip address for IE via user configuration/administrative ... templates/Windows settings/Internet Explorer maintenance/connection/proxy ... users to prevent them from accessing connection settings first so that they ...
    (microsoft.public.windows.server.security)
  • Re: Domain Policy
    ... you have more questions about configuring Group Policy! ... registry keys, specially on the PDC. ... Group Policy enforces those registry settings and the next time ...
    (microsoft.public.win2000.security)
Quantcast