Set Proxy Server with Group Policy

From LedHed's Wiki
Jump to: navigation, search

You can set the Internet Explorer Proxy settings via Group Policy.
There are two methods in which you may want implement proxy settings, on a per user basis or on a per device/computer basis.


Contents

Create a Group

Create a group for the users/computers you want to apply this proxy setting to.
Go to Active Directory Users and Computers, Right Click the OU where you want to create the new group and select New -> Group.
Name the group, in this example we will use "Proxied".
Now just add the users and/or computers you want to be proxied to this group. This can be done under the "Members" section.


Per Computer

Applying proxy settings on a per computer basis forces all users regardless of their access rights to use the proxy settings specified in the GPO.
Depending on what version of Windows Server you run will determine how you implement the proxy settings.


Server 2008 and above

One of the new Group Policy features in Windows Server 2008 allows you to apply Custom registry settings.
We will be using this new feature to set the global machine proxy settings.

1.
First go to "Group Policy Management" then navigate to the OU that you want to apply proxy settings to.
In this case it should be an OU that contains computer objects, in this example we'll call this OU "Domain Workstations".
Right click the OU and click "Create a GPO in this domain, and Link it here...".
Give the GPO a name like "Proxy Settings" and for Source Starter GPO choose none.

2.
Select the "Proxy Settings GPO" and under the Security Filtering pane select "Authenticated Users" and click Remove.
Now click Add and enter the group you created above "Proxied".
This makes the GPO only apply to computers that are a member of that group.
NOTE: If you want to apply proxy settings to all computers within the "Domain Workstations" OU then skip this step.

3.
Right Click the "Proxy Settings" GPO and click "Edit".
No navigate to:

Policies\Administrative Templates\Windows Components\Internet Explorer\

Enable "Disable changing proxy settings" Enable "Make proxy settings per-machine (rather than per-user)"

4.
Now Navigate to:

Preferences\Windows Settings\

Right Click "Registry" and click "New" -> "Registry Item" and apply the following settings:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: ProxyEnable
Default: Unchecked
Value Type: REG_DWORD
Value Data: 00000001
Base: Hexadecimal

Now we will create 2 more registry items.

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: ProxyOverride
Default: Unchecked
Value Type: REG_SZ
Value Data: <local>

and

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Value Name: ProxyServer
Default: Unchecked
Value Type: REG_SZ
Value Data: 192.168.1.254:8080

In this last registry item the data value should be YOUR proxy server and port in this format, PROXY:PORT


Group Policy Extensions (KB943729) for XP clients on a 2008 domain

When XP clients are joined to a 2008 domain you need to apply the "Group Policy Extensions" update to XP, otherwise the custom registry settings above will not get applied.
http://support.microsoft.com/kb/943729


Server 2003 and below

With Server 2003 you can't apply custom registry settings through Group Policy so we need to apply them to the computers via a StartUp script.
Here is an example script you can use. DISCLAIMER!!!! I am not responsible for any damage this script may cause. Modify the registry at your own risk

1.
Save the following to a file called "proxy.reg". This file must be stored on a share that all computers can access. SYSVOL is a good place.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"
"ProxyServer"="192.168.1.254:8080"

Make sure to change the "ProxyServer" setting to reflect YOUR proxy server and port.

2.
Now for the startup script. Save the following to a file called "proxy.cmd"

@echo off
reg import \\YourServer\SYSVOL\proxy.reg

Now assign the "proxy.cmd" as your startup script.
For more information see Logon/Startup Scripts

Per User

Applying proxy settings on a per user basis means that the proxy settings follow the user regardless of what computer they use.

In this example we will use the same GPO that we used for the Per Computer (Proxy Settings).

1.
Right click the "Proxy Settings" GPO and click "Edit".
Navigate to:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection\

Then Right Click "Proxy Settings" and click "Properties"

Enable proxy settings: Checked

Then set the Address and ports as you see fit.

You can add exceptions and have local intranet addresses bypass the proxy also.

2.
Navigate to:

User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\

Enable "Disable changing proxy settings"

This will prevent individual users from setting their own proxy server settings.

Disabling Internet Access

Using the techniques described above you can effectively disable internet access for a targeted group of users and/or computers.
All you have to do is set the proxy server to 127.0.0.1 which sets the local device as the proxy server and thus prevents URL's from resolving correctly.


Warnings

1. The methods described here do not apply to local user accounts. Local accounts do not apply Group Policy and thus the proxy settings set by Group Policy have no effect.

2. The process outlined above does not prevent users from accessing websites via IP address.
If you require this sort of thing, a dedicated proxy server such as Squid would be more appropriate.


Reference

http://www.tomshardware.com/forum/221139-46-make-proxy-settings-machine-rather-user

http://community.spiceworks.com/topic/33803

http://www.myitforum.com/articles/2/view.asp?id=2039

Personal tools