(→Server 2003 and below) |
(→Server 2003 and below) |
||
Line 104: | Line 104: | ||
Now assign the "proxy.cmd" as your startup script.<br> | Now assign the "proxy.cmd" as your startup script.<br> | ||
− | For more information see [[Logon Scripts]] | + | For more information see [[Logon/Startup Scripts]] |
== Per User == | == Per User == |
Revision as of 22:51, 13 October 2010
You can set the Internet Explorer Proxy settings via Group Policy.
There are two methods in which you may want implement proxy settings, on a per user basis or on a per device/computer basis.
Contents
Create a Group
Create a group for the users/computers you want to apply this proxy setting to.
Go to Active Directory Users and Computers, Right Click the OU where you want to create the new group and select New -> Group.
Name the group, in this example we will use "Proxied".
Now just add the users and/or computers you want to be proxied to this group. This can be done under the "Members" section.
Per Computer
Applying proxy settings on a per computer basis forces all users regardless of their access rights to use the proxy settings specified in the GPO.
Depending on what version of Windows Server you run will determine how you implement the proxy settings.
Server 2008 and above
One of the new Group Policy features in Windows Server 2008 allows you to apply Custom registry settings.
We will be using this new feature to set the global machine proxy settings.
1.
First go to "Group Policy Management" then navigate to the OU that you want to apply proxy settings to.
In this case it should be an OU that contains computer objects, in this example we'll call this OU "Domain Workstations".
Right click the OU and click "Create a GPO in this domain, and Link it here...".
Give the GPO a name like "Proxy Settings" and for Source Starter GPO choose none.
2.
Select the "Proxy Settings GPO" and under the Security Filtering pane select "Authenticated Users" and click Remove.
Now click Add and enter the group you created above "Proxied".
This makes the GPO only apply to computers that are a member of that group.
NOTE: If you want to apply proxy settings to all computers within the "Domain Workstations" OU then skip this step.
3.
Right Click the "Proxy Settings" GPO and click "Edit".
No navigate to:
Policies\Administrative Templates\Windows Components\Internet Explorer\
Enable "Disable changing proxy settings" Enable "Make proxy settings per-machine (rather than per-user)"
4.
Now Navigate to:
Preferences\Windows Settings\
Right Click "Registry" and click "New" -> "Registry Item" and apply the following settings:
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyEnable Default: Unchecked Value Type: REG_DWORD Value Data: 00000001 Base: Hexadecimal
Now we will create 2 more registry items.
Action: Create Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyOverride Default: Unchecked Value Type: REG_SZ Value Data: <local>
and
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: ProxyServer Default: Unchecked Value Type: REG_SZ Value Data: 192.168.1.254:8080
In this last registry item the data value should be YOUR proxy server and port in this format, PROXY:PORT
Group Policy Extensions (KB943729) for XP clients on a 2008 domain
When XP clients are joined to a 2008 domain you need to apply the "Group Policy Extensions" update to XP, otherwise the custom registry settings above will not get applied.
http://support.microsoft.com/kb/943729
Server 2003 and below
With Server 2003 you can't apply custom registry settings through Group Policy so we need to apply them to the computers via a StartUp script.
Here is an example script you can use.
DISCLAIMER!!!! I am not responsible for any damage this script may cause. Modify the registry at your own risk
1.
Save the following to a file called "proxy.reg". This file must be stored on a share that all computers can access. SYSVOL is a good place.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyOverride"="<local>" "ProxyServer"="192.168.1.254:8080"
Make sure to change the "ProxyServer" setting to reflect YOUR proxy server and port.
2.
Now for the startup script. Save the following to a file called "proxy.cmd"
@echo off reg import \\YourServer\SYSVOL\proxy.reg
Now assign the "proxy.cmd" as your startup script.
For more information see Logon/Startup Scripts
Per User
Applying proxy settings on a per user basis means that the proxy settings follow the user regardless of what computer they use.
In this example we will use the same GPO that we used for the Per Computer (Proxy Settings).
1.
Right click the "Proxy Settings" GPO and click "Edit".
Navigate to:
User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection\
Then Right Click "Proxy Settings" and click "Properties"
Enable proxy settings: Checked
Then set the Address and ports as you see fit.
You can add exceptions and have local intranet addresses bypass the proxy also.
2.
Navigate to:
User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\
Enable "Disable changing proxy settings"
This will prevent individual users from setting their own proxy server settings.
Disabling Internet Access
Using the techniques described above you can effectively disable internet access for a targeted group of users and/or computers.
All you have to do is set the proxy server to 127.0.0.1 which sets the local device as the proxy server and thus prevents URL's from resolving correctly.
Warnings
1. The methods described here do not apply to local user accounts. Local accounts do not apply Group Policy and thus the proxy settings set by Group Policy have no effect.
2. The process outlined above does not prevent users from accessing websites via IP address.
If you require this sort of thing a dedicated proxy server such as Squid would be more appropriate.
Reference
http://www.smart-x.com/?categoryid=171&articleid=149
NOTE: I was unable to get the method to work in the above link, but I have it for reference because many of the GPO settings are still relevant
http://www.tomshardware.com/forum/221139-46-make-proxy-settings-machine-rather-user