Active Directory Group Policy weirdness.

bigstusexy (2[H]4U, joined Jan 28, 2002, 3,194 messages)
OK, so I work for a school district making minimum wage... *bites tongue*, this is just to tell you how cheap they are.

We are using a version of the B.E.S.S. filtering system by N2H2; it's an older version from what I've been told and it's completely inflexible. We've got some really not-so-great kids that go to a slew of sites that they shouldn't but aren't blocked by BESS. I want to stop them from doing it because it's bringing in spyware and junk programs and just making my job that much more underpaid by the second, not to mention that some kids and teachers (not that anyone else condones this) get the message that 11 schools with more than 4 to 5 hundred users on the net at one time across 3 T1's streaming music videos and rich multimedia games isn't something you should do. I can use BESS to do it because there are some things I don't want to block from everyone; also I'm not really given that kind of access to BESS and some things may not work, etc. etc.

So I came up with a great idea: use the No-Ads system, the autoproxy block technique! Ah, great! So I drafted a file that would suit the needs, put it on a share accessible by everybody (not writeable :p), tested it on one computer by hand, then made the appropriate GPO, assigned it to a test user, fixed errors, blah blah blah, got it working, and here is where the trouble begins.


First I got AD GPOs mixed up with file permissions, meaning that I thought I could create an OU and put the GPO on it with a group in that container and whoever was in the group would be affected... nope.

Idea #2! GPOs are inherited and they only work if you have Read and Apply permissions... sweet! Place the GPO above all those that I want to affect (like at the root of the domain), remove Everyone and Authenticated Users from reading the policy (not block), and add the people/groups that need to be affected to a group that has Read and Apply rights.



This is where I am right now. So far it works, but it isn't consistent. Users are affected one day and not the next; it shows that it's there and set correctly, and with the new tool in 2k3 I can see that it should only affect domain computers and the group specified. If I check a member of that group, though, they aren't affected.

Is there a better way to do this? Any thoughts on why this isn't working like it should? What I'm setting is a user policy that just sets IE's autoproxy detection to use the PAC file on the server and doesn't allow them to change that setting. It does work, it just seems sporadic. Isn't there a tool to check the policy results on the computer that should be affected? I can't remember; I need to re-read up on that.


So far I've checked that:
The policy and settings have replicated to all DCs (yes, they have)
The file is correct, working and accessible (true)

I was hoping that setting that would just grey out the portion of Connections with auto config or any proxy settings... but instead it just blocks access to the Internet settings panel, so I can't tell what is or isn't in there.


Comments, suggestions? I'm in need of help. Oh yeah, no comments of "well, buy this or get this appliance"; this district pays me MINIMUM WAGE! Not to mention that they generally don't care about the technology staff, so I'm doing this on a zero-dollar budget. Not the best idea, but it's all I've got to work with.
 
I'm just going to throw out a different idea......

Any way you could set up a transparent proxy so you could use a *nix box with Squid and DansGuardian to do content filtering?
 
If they switch from machine to machine (as I'd imagine people in labs are liable to do from day to day) and the workstations are XP, is "wait for network on start" set? I have the same thing set on my domain and don't have any problems. I doubt you're using MS ISA Server, but with the Firewall Client installed and "autoconfigure web proxy settings", the GPO-supplied settings are overridden by the FWC.
 
First thing: the command you're looking for to check the users is gpresult from the command line once they're logged in, or use Group Policy Results from within the GPMC. Second, you probably want to try and set up XP to wait for the network, if you're using XP. You can set up the GPO to block only the Connections tab and still allow access to the Control Panel. Best bet, while testing it, leave it all open so you can see what's there.

I know how schools can be with money (try being me and working for a district in California), but see if they'll buy an ISA 2004 license. You should be able to pick one up for around $520 for Standard. Or look at getting a Network Engines NS-6250. I have a 6300 that's wicked cool, in addition to other ISA servers. But with ISA you could do filtering based off of group membership. Like, my staff can do anything on the internet (except download programs) but students are only allowed access to webpages and pictures. No mp3s, videos or other crap for them.
 
I'll look into wait for network; I'm not sure that's set. The blocking of the Internet settings is done by another policy which I can't track down at the moment, lots of other things to do.

What's FWC? Firewall Client?

How we are doing it is still a bit weird, but here is how it seems:

Internet
|
switch -- Unknown system (Linux) -- Secret proxy used by techs. :p
|
Bess proxy
|
District computers


Basically the district is under BESS, even administration across the various buildings, and I just want to block the kids where they go. I'll ask about the other systems; I know we are thinking of moving to a new filtering system soon with per-user restrictions or at least by class.


Yeah, I did notice that once I set the policy, affected computers search for proxy settings, even though I have the autoconfig filled out. I don't see where to make it not do that via the GPO.

Thanks, I'll read up on "wait for network" for now and report back soon... maybe next week or so.
 
bigstusexy said:
Thanks, I'll read up on "wait for network" for now and report back soon... maybe next week or so.

Wait on network just means that XP computers will wait for the network on boot (receive all GP information from a DC) and won't do their super-fast boot. Without it enabled, it can take up to three reboots for a new group policy to apply to an XP workstation.
 
Not to complicate things, but I really have to agree with the Squid+DansGuardian suggestion. This is by far the most configurable option, although when you start talking classes you introduce the potential for problems.

I'd lock out all the sites you don't want anybody to see, and then just keep an eye on the Squid logs (ident installed on the WinXP systems is amazing). Anything pops up that shouldn't, keep an eye on it, and bring the hammer of IT down on the offending student.

And I would hold them responsible for anything done under their account. It will enforce safe computing practices.

This is assuming free rein and supportive higher management. The cost in hardware/software is negligible; the staff productivity costs would be high initially (until the students got the idea), but they'd gradually calm down.
 
See, that's the thing, XOR. I'm doing this because my hammer doesn't seem to have any thunder and it's hard to do it over multiple schools. When I had one school working with me, all I needed to do was take a remote screen cap and a cap of Altiris (showing who was logged in) and they would be sent to the office, reprimanded, detained, etc. etc. They kept coming back! If it weren't for all the spyware and bandwidth hogging I wouldn't care really, but it's making my job harder.


Having run gpresult I see that the GPO is being applied and that some systems still just don't work... the problem I dunno, but it's not AD. Since I saw the GPO be applied, I tried the next best thing on a non-working system: I logged in as admin, plugged in the address of the PAC file and began surfing... It didn't work manually either. I set a test PAC file to pop up a message every time it's loaded to let you know it's working. That's not even showing up either.

So I guess on these trouble systems it's something else I'm going to have to work through. I've been noticing that someone really experimented on some of these, locking down things by using the registry and not local policies, running tools that I have no idea what they did, and the tech and tool are long gone. Unfortunately the problem is too widespread to re-image, so I'll have to find out what's preventing this from running and hopefully I can automate a fix for it.

Thanks guys.
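For reference, this is what the "autoproxy block technique" the thread revolves around looks like as a PAC file, together with the kind of load-time diagnostic the last post describes. It is an added example, not the file the original poster deployed: the proxy address, the blackhole address, the blocked domains and patterns, and the internal domain are all constructed placeholders. Requests for blocked sites are handed to a proxy that nothing listens on, so they fail; everything else goes through the filtering proxy. The helper functions (dnsDomainIs, shExpMatch, isPlainHostName) are normally supplied by the browser's PAC engine; the stand-ins below are only defined when they are missing, so the same file can be unit-tested under Node.

```javascript
// proxy.pac -- added example of the autoproxy "block" technique.
// Assumed values (not from the thread): adjust to the real environment.
var FILTER_PROXY = "PROXY bess-proxy.district.lan:8080"; // assumed address of the BESS proxy
var BLACKHOLE    = "PROXY 127.0.0.1:1";                   // nothing listens here, so blocked requests fail

// Constructed block list: domain suffixes (matched against the host) and
// shell-style patterns (matched against the whole URL).
var BLOCKED_DOMAINS  = [".example-streaming.test", ".example-games.test"];
var BLOCKED_PATTERNS = ["*spyware-download*", "*.mp3", "*.wmv"];

// Assumed internal domain that must bypass the filter (e.g. the share serving this file).
var LOCAL_DOMAINS = [".district.lan"];

// Set to true to reproduce the thread's "message on every load" test under IE;
// alert() is only available in IE's PAC engine, so the call is guarded.
var DEBUG = false;

// Stand-ins for browser-provided helpers, defined only when absent (e.g. under Node).
if (typeof dnsDomainIs !== "function") {
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof shExpMatch !== "function") {
  var shExpMatch = function (str, pattern) {
    // Escape regex metacharacters, then turn * and ? into their regex forms.
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}
if (typeof isPlainHostName !== "function") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}

// True when the request matches a blocked domain suffix or URL pattern.
function isBlocked(url, host) {
  var i;
  for (i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (dnsDomainIs(host, BLOCKED_DOMAINS[i])) return true;
  }
  for (i = 0; i < BLOCKED_PATTERNS.length; i++) {
    if (shExpMatch(url, BLOCKED_PATTERNS[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (DEBUG && typeof alert === "function") alert("PAC loaded, evaluating " + url);
  host = host.toLowerCase();
  url = url.toLowerCase();

  // Unqualified names and internal hosts go direct, never through the filter.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < LOCAL_DOMAINS.length; i++) {
    if (dnsDomainIs(host, LOCAL_DOMAINS[i])) return "DIRECT";
  }

  // Blocked sites get a dead proxy with no fallback, so the request fails.
  if (isBlocked(url, host)) return BLACKHOLE;

  // Everything else still passes through the existing filtering proxy.
  return FILTER_PROXY;
}
```

Two things worth keeping in mind when using this: the blackhole entry must not be followed by a ";DIRECT" or ";PROXY ..." fallback, or the browser will simply fail over and the block does nothing; and because IE only re-fetches the PAC at the start of a session, a change to the block list shows up only after the user restarts the browser.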
 