1 2 3 Previous Next 30 Replies Latest reply on Jul 15, 2016 2:56 PM by Bill Robinson

    Policy Package for a User

    Sayan Roy

      Hi All,

       

      I have got a use case where I need to make a policy package for a particular user in a Windows server to have RDP access and no Internet access through BSA. Can someone please suggest how to achieve this?

       

        • 1. Re: Policy Package for a User
          Bill Robinson

          what is a 'policy package' ?

          is this a local account or a domain account you are trying to restrict ?

          • 2. Re: Policy Package for a User
            Sayan Roy

            Hello Bill, thank you for responding. By policy package I meant BLPackage.

            And, being it local or domain account, either way is feasible. I was thinking from server level restriction perspective.

            • 3. Re: Policy Package for a User
              Bill Robinson

              So what exactly do you need to deploy to make these changes ?  registry changes?  installable ?

              • 4. Re: Policy Package for a User
                Sayan Roy

                Yes is it feasible to change the registry so that the proxy settings is set to local host IP 127.0.0.1 and prevent any user from changing the proxy settings.

                • 5. Re: Policy Package for a User
                  Sayan Roy

                  I was trying to create a registry file. I open a notepad and type the following contents and save it with the name "setproxy.reg":

                   

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyServer"="127.0.0.1:80" "ProxyEnable"=dword:00000001

                   

                  and was thinking of importing this using:

                  reg import setproxy.reg

                   

                  But it is not working. When I double click the registry file to test it is getting added to registry it gives and error: "The specified file is not a registry script. You can only import binary registry files from within the registry editor."

                   

                  My plan was if I could somehow import these registry changes files(setting the proxy settings and disabling proxy changes) to a BLPackage.

                  Thanks in advance. Obliged with your help. 

                  • 6. Re: Policy Package for a User
                    Sayan Roy

                    Okay Bill, I tried something and it's working manually. I created two registry files.

                     

                    First registry file named it as 'setproxy.reg' with the contents:

                    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

                    "ProxyServer"="127.0.0.1:80"

                    "ProxyEnable"=dword:00000001

                     

                    Second registry file named it as 'disableproxychanges.reg' with the contents:

                    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]

                    "Proxy"=dword:00000001

                     

                    Then I created a .bat file writing the below contents:

                    reg import setproxy.reg

                    reg import disableproxychanges.reg

                    When I run this .bat file manually I am able to achieve what I intend to, i.e. no internet access and user not able to change the proxy settings. But how do I stitch it in a BLPackage?

                    • 7. Re: Policy Package for a User
                      Bill Robinson

                      so there's a couple options:

                       

                      one would be to add the two files into the blpackage, put them in c:\temp or something.  then add an 'external command' to run the reg import for each file.

                       

                      the other would be to use the native registry object, live browse to the same registry path on a server w/ this set and add both registry values to the blpackage as the native registry object type.

                       

                       

                      now - because you are editing hkcu - that's only going to affect the 'current user' - the user you are logged in as.  so do you want to make this change for all users on the box, or only a specific local user ?  i believe you can modify the same key under HKU and it will affect new users.  or you can modify the individual nodes (users) under hku.

                      • 8. Re: Policy Package for a User
                        Sayan Roy

                        Hi Bill,

                         

                        I tried the first option you said, i.e. put the two files into package and add an external command to import, the job fails in the commit stage.

                         

                        For option two of yours, I could find only the 'ProxyEnable' registry value from the registry path on the server. I don't find the other two registry values 'ProxyServer' and 'Proxy' to add to the blpackage.

                        Even, with only one registry object added to the package, when I deploy it to a target server, the job runs with success but the registry value don't change inside the server in actual. The logs of the job tells 'Apply succeeded'.

                         

                        • 9. Re: Policy Package for a User
                          Sayan Roy

                          Bill,

                          I tried a third option too. I created a empty BLPackage and added three External Commands. In the cmd section I gave these three commands respectively:

                          1. REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /d 1 /f

                          2. REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d 127.0.0.1:80 /f

                          3. REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v Proxy /d 1 /f

                           

                          When I deploy this blpackage against a target server, I get the same output. The deploy job runs with success. The logs even say so.  But in the server, the registry value doesn't change.

                          When I run these 3 commands in cmd prompt of the target server, it says 'The operation completed successfully' and the registry change works.

                           

                          I don't understand why these commands don't take effect when deployed through BLPackage!!

                          • 10. Re: Policy Package for a User
                            Bill Robinson

                            "I tried the first option you said, i.e. put the two files into package and add an external command to import, the job fails in the commit stage."

                            -> failed how?  bldeploy log ?

                             

                            "For option two of yours, I could find only the 'ProxyEnable' registry value from the registry path on the server. I don't find the other two registry values 'ProxyServer' and 'Proxy' to add to the blpackage."

                            -> so add them to the server and then add them to the blpackage as i noted.

                             

                            "a target server, the job runs with success but the registry value don't change"

                            -> your screenshot shows you are looking at HKEY_USERS\.DEFAULT.  is that where you are looking on the server to confirm the change ?

                             

                            "1. REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /d 1 /f"

                            and what user's 'HKCU' hive are you looking at ?

                            • 11. Re: Policy Package for a User
                              Sayan Roy

                              Attached the bldeploy log for the failed job when I execute the blpackage which has the two .reg files and commands to import the .reg files.

                              • 12. Re: Policy Package for a User
                                Bill Robinson

                                so you put the reg files here:

                                 

                                 

                                06/22/16 17:27:55.411 DEBUG    bldeploy - [C:/Windows/Temp/Reg Change Policy/DisableProxyChanges.reg] Success adding file C:/Windows/Temp/Reg Change Policy/DisableProxyChanges.reg.

                                 

                                but when you ran the reg command here:

                                06/22/16 17:27:55.411 INFO     bldeploy - [Import setproxy reg file] Executing command: "reg import setproxy.reg"?

                                 

                                 

                                did you cd into the C:\Windows\Temp\Reg Change Policy ?

                                • 13. Re: Policy Package for a User
                                  Sayan Roy

                                  I didn't understand by your line "did you cd into the C:\Windows\Temp\Reg Change Policy ?" No I haven't that yet.

                                  Pardon me for my ignorance.

                                   

                                  The path "C:/Windows/Temp/Reg Change Policy" is the path where I dumped the files in my fileserver from where I browse and add into the package. I also check the checkbox in the File Options "Copy file contents".

                                  • 14. Re: Policy Package for a User
                                    Bill Robinson

                                    in the blpackage, what path are you putting the two reg files during the deploy?  from the bldeploy log you attached, it's C:\Windows\Temp\Reg Change Policy'.

                                     

                                    so that means you need to cd into that directory before running your reg import command or specify the full path to the reg file in the reg import command.

                                    1 2 3 Previous Next