(→Reference) |
|||
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | You can set the Internet Explorer Proxy settings via Group Policy. | + | You can set the Internet Explorer Proxy settings via Group Policy.<br> |
− | There are two methods in which you may want implement proxy settings, on a per user basis or on a per device/computer basis. | + | There are two methods in which you may want implement proxy settings, on a per user basis or on a per device/computer basis.<br> |
+ | |||
+ | |||
== Create a Group == | == Create a Group == | ||
− | Create a group for the users/computers you want to apply this proxy setting to. | + | Create a group for the users/computers you want to apply this proxy setting to.<br> |
− | Go to Active Directory Users and Computers, | + | Go to Active Directory Users and Computers, Right Click the OU where you want to create the new group and select New -> Group.<br> |
+ | Name the group, in this example we will use "Proxied".<br> | ||
+ | Now just add the users and/or computers you want to be proxied to this group. This can be done under the "Members" section.<br> | ||
== Per Computer == | == Per Computer == | ||
− | Applying proxy settings on a per computer basis forces all users regardless of their access rights to use the proxy settings specified in the GPO. | + | Applying proxy settings on a per computer basis forces all users regardless of their access rights to use the proxy settings specified in the GPO.<br> |
− | Depending on what version of Windows Server you run will determine how you implement the proxy settings. | + | Depending on what version of Windows Server you run will determine how you implement the proxy settings.<br> |
− | |||
− | |||
− | |||
− | + | === Server 2008 and above === | |
− | + | One of the new Group Policy features in Windows Server 2008 allows you to apply Custom registry settings.<br> | |
− | + | We will be using this new feature to set the global machine proxy settings.<br> | |
− | + | ||
− | 2.Select the "Proxy Settings GPO" and under the Security Filtering pane select "Authenticated Users" and click Remove. | + | 1.<br> |
− | Now click Add and enter the group you created above "Proxied". | + | First go to "Group Policy Management" then navigate to the OU that you want to apply proxy settings to.<br> |
− | This makes the GPO only apply to computers that are a member of that group. | + | In this case it should be an OU that contains computer objects, in this example we'll call this OU "Domain Workstations".<br> |
+ | Right click the OU and click "Create a GPO in this domain, and Link it here...".<br> | ||
+ | Give the GPO a name like "Proxy Settings" and for Source Starter GPO choose none.<br> | ||
+ | |||
+ | 2.<br> | ||
+ | Select the "Proxy Settings GPO" and under the Security Filtering pane select "Authenticated Users" and click Remove.<br> | ||
+ | Now click Add and enter the group you created above "Proxied".<br> | ||
+ | This makes the GPO only apply to computers that are a member of that group.<br> | ||
''' ''NOTE:'' '''If you want to apply proxy settings to all computers within the "Domain Workstations" OU then skip this step.<br> | ''' ''NOTE:'' '''If you want to apply proxy settings to all computers within the "Domain Workstations" OU then skip this step.<br> | ||
+ | 3.<br> | ||
+ | Right Click the "Proxy Settings" GPO and click "Edit".<br> | ||
+ | No navigate to: | ||
+ | Policies\Administrative Templates\Windows Components\Internet Explorer\ | ||
+ | Enable "Disable changing proxy settings" | ||
+ | Enable "Make proxy settings per-machine (rather than per-user)" | ||
+ | 4.<br> | ||
+ | Now Navigate to: | ||
+ | Preferences\Windows Settings\ | ||
+ | Right Click "Registry" and click "New" -> "Registry Item" and apply the following settings: | ||
+ | Action: Update | ||
+ | Hive: HKEY_LOCAL_MACHINE | ||
+ | Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||
+ | Value Name: ProxyEnable | ||
+ | Default: Unchecked | ||
+ | Value Type: REG_DWORD | ||
+ | Value Data: 00000001 | ||
+ | Base: Hexadecimal | ||
+ | Now we will create 2 more registry items.<br> | ||
+ | Action: Create | ||
+ | Hive: HKEY_LOCAL_MACHINE | ||
+ | Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||
+ | Value Name: ProxyOverride | ||
+ | Default: Unchecked | ||
+ | Value Type: REG_SZ | ||
+ | Value Data: <local> | ||
+ | |||
+ | and<br> | ||
+ | |||
+ | Action: Update | ||
+ | Hive: HKEY_LOCAL_MACHINE | ||
+ | Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ||
+ | Value Name: ProxyServer | ||
+ | Default: Unchecked | ||
+ | Value Type: REG_SZ | ||
+ | Value Data: 192.168.1.254:8080 | ||
+ | |||
+ | In this last registry item the data value should be YOUR proxy server and port in this format, ''PROXY:PORT''<br> | ||
==== Group Policy Extensions (KB943729) for XP clients on a 2008 domain ==== | ==== Group Policy Extensions (KB943729) for XP clients on a 2008 domain ==== | ||
− | When XP clients are joined to a 2008 domain you need to apply the "Group Policy Extensions" update to XP. | + | When XP clients are joined to a 2008 domain you need to apply the "Group Policy Extensions" update to XP, otherwise the custom registry settings above will not get applied.<br> |
http://support.microsoft.com/kb/943729 | http://support.microsoft.com/kb/943729 | ||
+ | |||
=== Server 2003 and below === | === Server 2003 and below === | ||
− | With Server 2003 you can't apply custom registry settings through Group Policy so we need to apply them to the computers via a StartUp script. | + | With Server 2003 you can't apply custom registry settings through Group Policy so we need to apply them to the computers via a StartUp script.<br> |
+ | Here is an example script you can use. | ||
+ | '' '''DISCLAIMER!!!! I am not responsible for any damage this script may cause. Modify the registry at your own risk''' '' | ||
+ | 1.<br> | ||
+ | Save the following to a file called "proxy.reg". This file must be stored on a share that all computers can access. SYSVOL is a good place.<br> | ||
+ | Windows Registry Editor Version 5.00 | ||
+ | |||
+ | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] | ||
+ | "ProxyEnable"=dword:00000001 | ||
+ | "ProxyOverride"="<local>" | ||
+ | "ProxyServer"="192.168.1.254:8080" | ||
+ | Make sure to change the "ProxyServer" setting to reflect YOUR proxy server and port.<br> | ||
+ | 2.<br> | ||
+ | Now for the startup script. Save the following to a file called "proxy.cmd"<br> | ||
+ | |||
+ | @echo off | ||
+ | reg import \\YourServer\SYSVOL\proxy.reg | ||
+ | |||
+ | Now assign the "proxy.cmd" as your startup script.<br> | ||
+ | For more information see [[Logon/Startup Scripts]] | ||
== Per User == | == Per User == | ||
− | Applying proxy settings on a per user basis means that the proxy settings follow the user regardless of what computer they use. | + | Applying proxy settings on a per user basis means that the proxy settings follow the user regardless of what computer they use.<br> |
+ | |||
+ | In this example we will use the same GPO that we used for the Per Computer (Proxy Settings). | ||
+ | |||
+ | 1.<br> | ||
+ | Right click the "Proxy Settings" GPO and click "Edit".<br> | ||
+ | Navigate to: | ||
+ | User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection\ | ||
+ | Then Right Click "Proxy Settings" and click "Properties" | ||
+ | Enable proxy settings: Checked | ||
+ | Then set the Address and ports as you see fit. | ||
+ | |||
+ | You can add exceptions and have local intranet addresses bypass the proxy also. | ||
+ | |||
+ | 2.<br> | ||
+ | Navigate to: | ||
+ | User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\ | ||
+ | Enable "Disable changing proxy settings"<br> | ||
+ | This will prevent individual users from setting their own proxy server settings.<br> | ||
== Disabling Internet Access == | == Disabling Internet Access == | ||
− | Using the techniques described above you can effectively disable internet access for a targeted group of users and/or computers. | + | Using the techniques described above you can effectively disable internet access for a targeted group of users and/or computers.<br> |
− | All you have to do is set the proxy server to 127.0.0.1 which sets the local device as the proxy server and thus prevents URL's from resolving correctly. | + | All you have to do is set the proxy server to 127.0.0.1 which sets the local device as the proxy server and thus prevents URL's from resolving correctly.<br> |
+ | |||
== Warnings == | == Warnings == | ||
− | 1. The methods described here do not apply to local user accounts. Local accounts do not apply Group Policy and thus the proxy settings set by Group Policy have no effect. | + | 1. The methods described here do not apply to local user accounts. Local accounts do not apply Group Policy and thus the proxy settings set by Group Policy have no effect.<br> |
+ | |||
+ | 2. The process outlined above does not prevent users from accessing websites via IP address.<br> | ||
+ | If you require this sort of thing, a dedicated proxy server such as [[:Category:Squid|Squid]] would be more appropriate.<br> | ||
− | |||
− | |||
== Reference == | == Reference == | ||
− | |||
http://www.tomshardware.com/forum/221139-46-make-proxy-settings-machine-rather-user | http://www.tomshardware.com/forum/221139-46-make-proxy-settings-machine-rather-user | ||
+ | |||
http://community.spiceworks.com/topic/33803 | http://community.spiceworks.com/topic/33803 | ||
+ | |||
+ | http://www.myitforum.com/articles/2/view.asp?id=2039 | ||
+ | |||
[[Category:Group Policy]] | [[Category:Group Policy]] |
Latest revision as of 04:56, 11 September 2013
You can set the Internet Explorer Proxy settings via Group Policy.
There are two methods in which you may want implement proxy settings, on a per user basis or on a per device/computer basis.
Contents
Create a Group
Create a group for the users/computers you want to apply this proxy setting to.
Go to Active Directory Users and Computers, Right Click the OU where you want to create the new group and select New -> Group.
Name the group, in this example we will use "Proxied".
Now just add the users and/or computers you want to be proxied to this group. This can be done under the "Members" section.
Per Computer
Applying proxy settings on a per computer basis forces all users regardless of their access rights to use the proxy settings specified in the GPO.
Depending on what version of Windows Server you run will determine how you implement the proxy settings.
Server 2008 and above
One of the new Group Policy features in Windows Server 2008 allows you to apply Custom registry settings.
We will be using this new feature to set the global machine proxy settings.
1.
First go to "Group Policy Management" then navigate to the OU that you want to apply proxy settings to.
In this case it should be an OU that contains computer objects, in this example we'll call this OU "Domain Workstations".
Right click the OU and click "Create a GPO in this domain, and Link it here...".
Give the GPO a name like "Proxy Settings" and for Source Starter GPO choose none.
2.
Select the "Proxy Settings GPO" and under the Security Filtering pane select "Authenticated Users" and click Remove.
Now click Add and enter the group you created above "Proxied".
This makes the GPO only apply to computers that are a member of that group.
NOTE: If you want to apply proxy settings to all computers within the "Domain Workstations" OU then skip this step.
3.
Right Click the "Proxy Settings" GPO and click "Edit".
No navigate to:
Policies\Administrative Templates\Windows Components\Internet Explorer\
Enable "Disable changing proxy settings" Enable "Make proxy settings per-machine (rather than per-user)"
4.
Now Navigate to:
Preferences\Windows Settings\
Right Click "Registry" and click "New" -> "Registry Item" and apply the following settings:
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyEnable Default: Unchecked Value Type: REG_DWORD Value Data: 00000001 Base: Hexadecimal
Now we will create 2 more registry items.
Action: Create Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyOverride Default: Unchecked Value Type: REG_SZ Value Data: <local>
and
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyServer Default: Unchecked Value Type: REG_SZ Value Data: 192.168.1.254:8080
In this last registry item the data value should be YOUR proxy server and port in this format, PROXY:PORT
Group Policy Extensions (KB943729) for XP clients on a 2008 domain
When XP clients are joined to a 2008 domain you need to apply the "Group Policy Extensions" update to XP, otherwise the custom registry settings above will not get applied.
http://support.microsoft.com/kb/943729
Server 2003 and below
With Server 2003 you can't apply custom registry settings through Group Policy so we need to apply them to the computers via a StartUp script.
Here is an example script you can use.
DISCLAIMER!!!! I am not responsible for any damage this script may cause. Modify the registry at your own risk
1.
Save the following to a file called "proxy.reg". This file must be stored on a share that all computers can access. SYSVOL is a good place.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyOverride"="<local>" "ProxyServer"="192.168.1.254:8080"
Make sure to change the "ProxyServer" setting to reflect YOUR proxy server and port.
2.
Now for the startup script. Save the following to a file called "proxy.cmd"
@echo off reg import \\YourServer\SYSVOL\proxy.reg
Now assign the "proxy.cmd" as your startup script.
For more information see Logon/Startup Scripts
Per User
Applying proxy settings on a per user basis means that the proxy settings follow the user regardless of what computer they use.
In this example we will use the same GPO that we used for the Per Computer (Proxy Settings).
1.
Right click the "Proxy Settings" GPO and click "Edit".
Navigate to:
User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection\
Then Right Click "Proxy Settings" and click "Properties"
Enable proxy settings: Checked
Then set the Address and ports as you see fit.
You can add exceptions and have local intranet addresses bypass the proxy also.
2.
Navigate to:
User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\
Enable "Disable changing proxy settings"
This will prevent individual users from setting their own proxy server settings.
Disabling Internet Access
Using the techniques described above you can effectively disable internet access for a targeted group of users and/or computers.
All you have to do is set the proxy server to 127.0.0.1 which sets the local device as the proxy server and thus prevents URL's from resolving correctly.
Warnings
1. The methods described here do not apply to local user accounts. Local accounts do not apply Group Policy and thus the proxy settings set by Group Policy have no effect.
2. The process outlined above does not prevent users from accessing websites via IP address.
If you require this sort of thing, a dedicated proxy server such as Squid would be more appropriate.
Reference
http://www.tomshardware.com/forum/221139-46-make-proxy-settings-machine-rather-user