bigstusexy
OK, so I work for a school district making minimum wage...*bites tongue*, this is just to tell you how cheap they are.
We are using a version of the B.E.S.S. Filtering system by N2H2, it's an older version from what I've been told and it's completely not flexible. We've got really not so great kids that go to a slew of sites that they shouldn't but aren't blocked by BESS, I want to stop them from doing it because it's bringing in the spyware and junk programs and just making my job that much more underpaid by the second, not to mention that some kids and teachers (not that anyone else condones this) get the message that 11 schools with more than 4 to 5 hundred users on the net at one time across 3 T1's streaming music videos and rich multimedia games isn't something you should do. I can use BESS to do it because there are some things I don't want to block from everyone, also I'm not really given that kind of access to BESS and some things may not work etc etc.
So I came up with a great idea, use the No-Ads system! The autoproxy block technique!!! Ah great! So I drafted a file that would suit the needs, put it on a share accessible by everybody (not writeable), tested on one computer by hand, then made the appropriate GPO, assigned it to a test user, fixed errors blah blah blah got it working and here is where the trouble begins.
First I got AD GPOs mixed with file permissions, meaning that I thought I could create an OU and put the GPO on it with a group in that container and whoever was in the group would be affected... nope
Idea #2! GPOs are inherited and they only work if you have read and apply permissions... sweet! Place the GPO above all those that I want to affect (like at the root of the domain) and remove Everyone and Authenticated Users from reading the policy (not block), add in the people/groups that need to be affected to a group that has read and apply rights.
This is where I am right now, so far it works, but it isn't consistent. Users are affected one day and not the next, it shows that it's there and set correctly and with the new tool in 2k3 I can see that it should only affect domain computers and the group specified. If I check a member of that group though they aren't affected.
Is there a better way to do this? Any thoughts on why this isn't working like it should? What I'm setting is a user policy that just sets IE's autoproxy detection to use the PAC file on the server and not allow them to change that setting. It does work, it just seems sporadic. Isn't there a tool to check the policy results on the computer that should be affected? I can't remember, I need to re-read up on that.
So far I've checked that:
The policy and settings have replicated to all DCs (yes, they have)
The file is correct and working, accessible (true)
I was hoping that setting that would just grey out the portion of connections with auto config or any proxy settings... but instead it just blocks access to the internet settings panel so I can't tell what is or isn't in there.
Comments, suggestions, I'm in need of help. Oh yeah, no comments of "well buy this or get this appliance", this district pays me MINIMUM WAGE! Not to mention that they generally don't care about the technology staff so I'm doing this on a zero dollar budget, not the best idea but it's all I've got to work with.
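A minimal PAC file for the autoproxy block technique the post describes, as an added example that is not the poster's file: the blocked domains, the blackhole proxy address and the DIRECT fallback are constructed assumptions.

```javascript
// Constructed PAC file for the autoproxy block technique: blocked hosts are
// sent to a proxy address where nothing listens, so the request fails fast.
// All names below are placeholders (assumptions), not values from the post.
// Written with `var` and plain string methods so old PAC engines accept it.
var BLOCKED_DOMAINS = ["games.example", "streaming.example"];
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumption: no listener on this port
var ALLOW = "DIRECT";                // assumption: no upstream proxy needed

// Normalise the host so "CDN.Games.Example." cannot slip past the list.
function normaliseHost(host) {
  var h = String(host).toLowerCase();
  while (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// True for the domain itself or any subdomain, matched on a label boundary
// so "notgames.example" is not caught by the "games.example" entry.
function isUnderDomain(host, domain) {
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  var h = normaliseHost(host);
  // Single-label names are intranet servers (including the PAC share itself).
  if (h.indexOf(".") === -1) { return ALLOW; }
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (isUnderDomain(h, BLOCKED_DOMAINS[i])) { return BLACKHOLE; }
  }
  return ALLOW;
}
```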