Why is the loopbacked GPO reporting as disabled

Tags: group-policy, windows-7, windows-sbs, windows-server-2008

Let me start by saying that my experience with GPO is limited to tentatively poking at settings until they fall into place by trial and error. It is entirely possible this will be a very obvious answer.

Our goal is to keep three computers off the internet, without limiting their access to the local network.

The person I am replacing had set up a GPO called "Internet Lockdown" with the following layout (in italics = added by me):

SCOPE:

Links: No Internet (this is an OU that is a child of our main SBSComputers OU and has the targeted computers as members). Not Enforced. Link Enabled.

Security Filtering:

  • Authenticated Users
  • computer1
  • computer2
  • computer3

No WMI Filter

DETAILS

GPO Status: Computer Configuration Settings Disabled (Enabled)

SETTINGS

Computer Configuration/Policies/Administrative Templates/System/Group Policy

User group policy loopback processing mode: Enabled

Mode: Replace

User Configuration/Windows Settings/Internet Explorer Maintenance/Connection/Proxy Settings

Enable proxy settings: All to 127.0.0.1:4664

Except beginning with 192.168.1.200 or intranet

Administrative Templates/Windows Components/Internet Explorer

Disable changing automatic configuration settings: Enabled

Disable changing connection settings: Enabled

Disable changing proxy settings: Enabled

Disable Internet Connection Wizard: Enabled

/Browser Menu

Tools Menu: Disable Internet Options… menu option: Enabled

I've done gpupdate /force on both the DC and the target computers, but, although other GPOs run fine, this one seems to be ignored. Some initial googling led me to adding the loopback processing mode to Computer Configuration and then enabling the Computer Configuration option. I also thought I might need the specific computer objects in the Security Filtering section, but these have made no change. I am not logging onto the target computers with my domain admin account.

When I run gpresult /h result.html I see that in Computer configuration/Group Policy Objects/Denied GPOs Internet Lockdown is listed with the reason "Disabled GPO". This confuses me, because it is all enabled now. It also doesn't show up anywhere under user configuration, neither applied nor denied.

Event logs contain nothing useful beyond the time it processed GP on either DC or the target computers.

Any thoughts?

Best Answer

It's because you have Computer Settings Disabled configured. Try changing that dropdown to just plain Enabled and try that.

With that said, you're configuring both Computer Policies and User Policies in one GPO. Technically, there's nothing wrong with this but it is considered bad practice and makes troubleshooting difficult.

It also makes a mess of your security filtering. For example, in your instance, having the computers listed makes no difference whatsoever because you have Authenticated Users listed.

I'd suggest splitting your policies into two: one containing all of the Computer Configuration items and one containing all of the User Configuration items. If you want both sets of GPOs to apply to all computers in that OU (and therefore all users that log on to them), then just leave both sets of Security Filtering set to Authenticated Users. (Though bear in mind it'll apply to administrators, too.)
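The diagnosis and the split the answer recommends, scripted with the GroupPolicy PowerShell module as an added example (not code from the question or the answer; the module needs RSAT on Windows 7 or Server 2008 R2). The OU distinguished name and the two new GPO names are assumptions, and the IE Maintenance proxy entry is not a registry policy, so it still has to be copied into the user-side GPO in the GPMC editor.

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy module
# (RSAT) and an account with GPO edit rights; OU DN and new GPO names are assumed.
Import-Module GroupPolicy

$oldGpo   = "Internet Lockdown"
$targetOu = "OU=No Internet,OU=SBSComputers,DC=example,DC=local"   # assumed DN

# 1. Confirm what gpresult reported: the computer side of the GPO is switched off,
#    so the loopback setting inside it never runs and the user side is never pulled in.
$gpo = Get-GPO -Name $oldGpo
"{0}: GpoStatus = {1}" -f $gpo.DisplayName, $gpo.GpoStatus
if ($gpo.GpoStatus -ne "AllSettingsEnabled") {
    # Same effect as choosing plain "Enabled" in the GPMC status dropdown.
    $gpo.GpoStatus = "AllSettingsEnabled"
}

# 2. Show why listing computer1..3 changes nothing: Authenticated Users (which
#    includes every domain computer account) already holds the Apply permission.
Get-GPPermission -Name $oldGpo -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{n = "Trustee"; e = { $_.Trustee.Name }}, Permission, Denied

# 3. Split into a computer-side GPO and a user-side GPO, both linked to the OU.
$compGpo = New-GPO -Name "No Internet - Computer" -Comment "Loopback (Replace) for the No Internet OU"
$userGpo = New-GPO -Name "No Internet - User"     -Comment "IE connection lockdown for users on those computers"

# Loopback processing, Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $compGpo.DisplayName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# The four IE "Disable changing ..." / "Disable Internet Connection Wizard" policies
# and the Tools > Internet Options restriction, using the value names from the IE
# administrative template (verify against Get-GPOReport after applying).
$ieCp = "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
foreach ($v in "Proxy", "Connection Settings", "Autoconfig", "Connwiz Admin Lock") {
    Set-GPRegistryValue -Name $userGpo.DisplayName -Key $ieCp -ValueName $v -Type DWord -Value 1 | Out-Null
}
Set-GPRegistryValue -Name $userGpo.DisplayName -Key "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" `
    -ValueName "NoBrowserOptions" -Type DWord -Value 1 | Out-Null

# Link both to the OU; a new GPO already grants Authenticated Users GpoApply, so no
# per-computer entries are needed (the lockdown will also hit administrators who log on).
foreach ($g in $compGpo, $userGpo) {
    New-GPLink -Name $g.DisplayName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 4. Only unlink the old GPO once gpresult /h shows both new ones as Applied.
# Remove-GPLink -Name $oldGpo -Target $targetOu
```

Run gpupdate /force on a target computer afterwards and check gpresult /h again: the computer GPO should appear under Computer Configuration and the user GPO under User Configuration, both as Applied.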