Solved

Setting a policy for group of machines on a 2000 network

Posted on 2004-10-04
6
168 Views
Last Modified: 2010-03-18
I have a network of about 300 w2k machines. Different users are able to get on to each of these machines. There are about 20 machines I want to exclude from Internet access, no matter who logs on to the machine. Because of special software, I can not use the ISA server to filter the machines out and I can not put them in a special domain, and they have to use dhcp.
I have tried group policy, but I can only get it to work for users, not by machine. Any Ideas?
0
Comment
Question by:gran88
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12220754
Hi

Do you have a firewall at all? If so, with many of the firewalls you can just deny access to port 80 (http default) and port 443 (https default)  for specified ip addresses. Then use your dhcp server to reserve these specific mac addresses so that they are always used by those pc's,

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12220763
Hmm daft question as I just put my brain into first gear - your ISA is the firewall isn't it?
0
 
LVL 2

Author Comment

by:gran88
ID: 12220842
Nope, I have a seperate firewall, but ISA  is the proxy, so all internet traffic has to go through it. I thought of just your solution, but since I can not do anything to the ISA, filtering by ip will not work. Good try though
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 20

Expert Comment

by:Debsyl99
ID: 12220885
Hmm that's kind of what I meant (I think) - it's been a long day..........

Ok then next thought - any chance of using loopback policy processing by putting the machines in a separate (or nested OU) ? This way the settings would only apply when users were logged on to that particular pc.
Loopback Processing of Group Policy
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231287

Deb :))

0
 
LVL 2

Author Comment

by:gran88
ID: 12220934
Deb, let me ask you this, what I kind of had in mid was to put the 10 computers in a seperate OU, create a seperate group policy for that ou, and set the internet explorer proxy to one that would not work, ex. .1.1.1.1 port 999. then lock them from changing the connection settings. I can do this if I put a person in the OU, but not a machine. Is there a reason I can not just put the machine ou and have that work?

In the mean time I am going to try you loop back idea
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 250 total points
ID: 12221025
Generally because there's quite a big difference between user policies and machine policies in OU's. If the policy you set was in the User Policy portion ( and I don't have access right now to double check but I think it must be), then it just won't apply to machines in the OU - It will only apply to users, which is why I suggested the loopback route. It's a handy way to get user policies to apply based on specific machines that the users are logged into. If you got this to work based on the user, then it must be a user policy, and the loopback processing *should * work. If you notice there is the option to disable either user policy or machine policy for any OU in order to prevent unnecessary policy processing. The two areas are completely separate and one just will not apply to the other, apart from the link created through loopback,

Deb :))
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question