Joost,

Finally got back to looking at this today. I took your idea of groups and have it working now. It turns out the simplest way for me to make this work was to add the group membership required to the end of the ntlm auth_param line like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=<SID of AD Internet Allowed Group>

I then associated this with the custom error I had used with my original denied solution and it appears to be working perfectly. Now I have all my users in the Internet Allowed group and will just remove them as access is denied.

Thanks for the suggestion.

Geoff

-----Original Message-----
From: Joost de Heer [mailto:sanguis@xxxxxxxxx]
Sent: Wednesday, May 03, 2006 4:35 AM
To: Geoff Varney
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Denying user access based on proxy_auth

> I have an acl that looks like this:
>
> acl denied_users proxy_auth_regex -i '/etc/squid2/denied_users'
>
> where the denied_users file has a list of users who are not allowed access
> in the form of: john.smith
>
> Now for the first time I have a problem in the way this works. For
> instance, I have a user account of smith. It's a generic account that is
> used to ensure that certain applications run on Windows 2000/XP. I simply
> want to prevent Web access as it's anonymous to some extent. So I add the
> name "smith" to my denied_users file. Now not only is "smith" denied
> access, but also "john.smith".

Put the username as '^smith$' in the config.

IMO it would be easier to use NT group membership (those who may browse are members of a certain group, and check membership of that group in the acl).

Joost
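
Added example, not part of the original thread: a small audit that shows which accounts an unanchored proxy_auth_regex entry also catches, and the anchored form that matches only the intended name. It assumes Python's `re` search behaves like Squid's case-insensitive, unanchored regex match for these simple patterns; the account list and the names `anchor_literal`, `matched` and `collateral` are constructed for illustration.

```python
import re

# Constructed sample data: entries as they might appear in the denied_users
# file, and account names that authenticate through the proxy.
DENIED_ENTRIES = ["smith", "john.smith"]
ACCOUNTS = ["smith", "john.smith", "johnxsmith", "alice"]

# Characters with special meaning in an extended regular expression.
ERE_META = set(".^$*+?()[]{}|\\")


def anchor_literal(username):
    """Turn a plain username into a pattern that matches only that name."""
    escaped = "".join("\\" + c if c in ERE_META else c for c in username)
    return "^" + escaped + "$"


def matched(pattern, accounts):
    """Accounts that a '-i' regex entry would match (unanchored search)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [a for a in accounts if rx.search(a)]


def collateral(entries, accounts):
    """Map each plain entry to accounts it matches besides the exact name."""
    report = {}
    for entry in entries:
        extra = [a for a in matched(entry, accounts)
                 if a.lower() != entry.lower()]
        if extra:
            report[entry] = extra
    return report


if __name__ == "__main__":
    for entry, extra in collateral(DENIED_ENTRIES, ACCOUNTS).items():
        print(f"{entry!r} also denies {extra}; use {anchor_literal(entry)!r}")
```

Besides the substring match on "smith", the unescaped dot in "john.smith" matches any character, which is why the anchored form also escapes it.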