Group policy question

regsamp asked
Medium Priority, 284 Views
Last Modified: 2010-03-19
We have a Windows 2003 network and we would like to set up a group policy for three specific Active Directory accounts, not to be able to access the Internet.  What is the path, quickest and easiest method to set up a group policy to block these three accounts from accessing the Internet?  Any assistance offered would be greatly appreciated.

Author

Commented:
The link was okay but I know there is a way to block Internet access to an Active Directory account and if we could get that path in the Group Policy editor then we would be all set.
Joe, Web Application Developer

Commented:

Author

Commented:
The second link is not really viable for our situation.  A group policy that would prevent four specific users from getting to the Internet would be the ideal solution as we are going to be upgrading our firewall/router/proxy very soon.
Web Application Developer
Commented:
That is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

Then place the 4 users in the OU you want this applied. And set it to 127.0.0.1

Ken Conradie, Network Manager
CERTIFIED EXPERT

Commented:
You may also want to check out the "MACHINE POLICY/Administrative Templates\System\Internet Communication Management | Restrict Internet communication" GPO Object, and read this article about it: http://www.gpanswers.com/community/viewtopic.php?p=2351&sid=7b46a94fd29bf9fe91a840ad62bd4c42

Seems like it may accomplish exactly what you need.

 

Commented:
Create an OU, put the users you want to restrict in this OU. Then create a group policy: under "User Configuration\Windows Settings\Software restrictions\", click on Action and create a new software restriction policy. Under Additional Rules, create a new hash rule to disallow iexplore.exe.

Commented:
Actually you can disregard my comment above. It seems this works in reverse of what I thought. If you set the default security to disallowed it will disallow every program. You would have to create rules for the programs you wanted to allow. Might work if you only wanted to allow a few programs.

Author

Commented:
"That is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

Then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"

This seems like it may work and I just want to make sure I have this right: 1. Active Directory Users and Computers, 2. Properties/Group Policy, 3. Add settings above. And how are just the 4 users being added so that nobody else is affected?

Author

Commented:
Disregard the above.  I need to create an OU and add the above settings and then add the users to it as the other method would add it, correct?  
Joe, Web Application Developer

Commented:
What you could do is make a new OU, add your 4 users, change those settings, and you could block policy inheritance on that OU if you wanted to.
IdeasUnknown, System Administrator
CERTIFIED EXPERT

Commented:
If you are using GPMC 1.0.2 (Group Policy Management Console 1.0.2), which you should be if you are using Windows Server 2003, you can add a new GPO at the Domain Level as such.

1. Log in to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.

Hope that helps!

Author

Commented:
I created a new OU, added the 4 users and changed the settings to
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1.  Blocked policy inheritance on that OU and it is working great. Thank you.
Joe, Web Application Developer

Commented:
Glad to have helped :)
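
An added example, not part of the thread or any poster's code: a PowerShell check to run in a restricted user's session to confirm that the proxy settings discussed above (proxy set to 127.0.0.1, proxy changes disabled) actually landed. It assumes the standard per-user Internet Explorer proxy values under HKCU and the policy value behind "Disable changing proxy settings"; the function names and the sample values are hypothetical.

```powershell
# Added example: audit the per-user IE proxy lockdown described in this thread.
$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-ProxyLockdown {
    param(
        $ProxyEnable   = (Get-RegValue $InetKey 'ProxyEnable'),
        $ProxyServer   = (Get-RegValue $InetKey 'ProxyServer'),
        $ProxyOverride = (Get-RegValue $InetKey 'ProxyOverride'),
        $ProxyLocked   = (Get-RegValue $PolicyKey 'Proxy')
    )
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    $schemes = @{}
    foreach ($entry in ("$ProxyServer" -split ';' | Where-Object { $_ })) {
        if ($entry -match '^(?<scheme>\w+)=(?<target>.+)$') {
            $schemes[$Matches['scheme'].ToLower()] = $Matches['target']
        } else {
            $schemes['all'] = $entry   # single form: one proxy for every scheme
        }
    }
    # Schemes whose proxy target is anything other than the thread's 127.0.0.1
    $notLoopback = @($schemes.Keys | Where-Object {
        ($schemes[$_] -replace '^\w+://', '') -notmatch '^127\.0\.0\.1(:\d+)?$'
    })
    # A per-scheme list configures only the schemes it names.
    $webCovered = $schemes.ContainsKey('all') -or
                  ($schemes.ContainsKey('http') -and $schemes.ContainsKey('https'))
    [pscustomobject]@{
        ProxyEnabled      = ([int]$ProxyEnable -eq 1)
        SchemesConfigured = ($schemes.Keys | Sort-Object) -join ','
        AllLoopback       = ($schemes.Count -gt 0 -and $notLoopback.Count -eq 0)
        HttpAndHttpsSet   = $webCovered
        BypassList        = @("$ProxyOverride" -split ';' | Where-Object { $_ })
        ChangeLocked      = ([int]$ProxyLocked -eq 1)
    }
}

# Constructed sample values (not taken from the thread's environment):
Test-ProxyLockdown -ProxyEnable 1 -ProxyServer 'http=127.0.0.1:80' `
                   -ProxyOverride '<local>' -ProxyLocked 1
# Live check against the logged-on user's registry:
Test-ProxyLockdown
```

The result reflects only the Internet Explorer proxy configuration of the logged-on user, so run it in each restricted account's session after the policy has applied and review any entries reported in `BypassList`.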