Saturday 10 March 2012

Group Policy Connection / Proxy Settings Tattoos Windows

Group Policy allows Windows administrators to centrally control many settings on a workstation. Generally speaking, it’s a good thing.

Group Policy works by updating the registry. It normally does this by setting the appropriate value under one of the following four keys:

HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

When the policy is removed, the corresponding values are also removed. When the user runs an application that uses group policies, the application should look under the appropriate key above for the policies.

Group Policy can also write directly to the registry. This is common for security settings, or where an application isn’t policy aware (and so won’t look for its settings under the Policies registry keys above). However, when writing outside the Policies keys, the changes are permanent – the settings won’t be removed if the policy is removed. This is called “tattooing”. More information on tattooing can be found in the excellent FAQ at gpoguy.com.

Now, Internet Explorer proxy settings can be configured using Group Policy. This is good as it means that an enterprise can easily configure all its hosts with the appropriate proxy settings. Unfortunately, these settings are tattooed. Why is this unfortunate? Because when a user leaves the network, the proxy settings still apply. So, if a user takes their laptop home, to a client, to a hotel, etc. and then attempts to browse the Internet, they'll have a problem. They will need to manually disable the proxy.
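To see on a given machine whether proxy values sit under a Policies key or have been tattooed outside one, a short audit script helps. This is an added example, not part of the original post; it assumes PowerShell and assumes the per-user Internet Settings key and the value names ProxyEnable, ProxyServer, ProxyOverride and AutoConfigURL as the places to look, none of which the post itself names.

```powershell
# The four Policies roots listed in the post; values under these are removed with the policy.
$PolicyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyManagedPath {
    # True when $Path is one of the Policies roots or a subkey of one.
    param([Parameter(Mandatory = $true)][string]$Path)
    foreach ($root in $PolicyRoots) {
        # Require the trailing backslash so a sibling such as ...\PoliciesOld does not match.
        if ($Path -eq $root -or
            $Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-ProxyValueReport {
    param(
        # Assumption: these are the keys where per-user proxy values are expected.
        [string[]]$KeyPaths = @(
            'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
        ),
        [string[]]$ValueNames = @('ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL')
    )
    foreach ($key in $KeyPaths) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }    # key missing or empty on this host
        foreach ($name in $ValueNames) {
            if ($null -ne $props.PSObject.Properties[$name]) {
                New-Object psobject -Property @{
                    Key           = $key
                    Value         = $name
                    Data          = $props.$name
                    UnderPolicies = Test-PolicyManagedPath -Path $key
                }
            }
        }
    }
}

Get-ProxyValueReport | Format-Table Value, Data, UnderPolicies, Key -AutoSize
```

Rows with UnderPolicies set to False are the ones that will stay behind after the policy is removed and have to be cleared by hand or by a separate cleanup policy.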

Why did Microsoft decide to tattoo these settings? I don’t know, but it’s just not good enough.
