[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 245
  • Last Modified:

Group policy question

We have a Windows 2003 network and we would like to setup a group policy for three specific Active Directory accounts, not to be able to access the Internet.  What is the path, quickest and easist method to setup a group policy to block these three accounts from accessing the Internet?  Any assistance offered would be greatly appreciated.  
0
regsamp
Asked:
regsamp
  • 5
  • 5
  • 2
  • +2
1 Solution
 
regsampAuthor Commented:
The link was okay but I know there is a way to block Interent Access to an Active Directory account and if we could get that path in the Group Policy editor then we would be all set.  
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
regsampAuthor Commented:
The second link is not really viable for our situation.  A group policy that would prevent four specific users from getting to the Interent would be the ideal solution as we are going to be upgrading our firewall/router/proxy very soon.  
0
 
JoeCommented:
Thats is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

then place the 4 users in the OU you want this applied. And set it to 127.0.0.1
0
 
conradieCommented:
You may also want to check out the "MACHINE POLICY/Administrative Templates\System\Internet Communication Management | Restrict Internet communication" GPO Object, and read this article about it: http://www.gpanswers.com/community/viewtopic.php?p=2351&sid=7b46a94fd29bf9fe91a840ad62bd4c42

Seems like it may accomplish exactly what you need.

 
0
 
stevew1Commented:
Create an OU, put the users you want to restrict in this OU. Then create a group policy "User Configuration\Windows Settings\Software restrictions\  click on action and create a new software restriction policy. Under Additional Rules create a new hash rule to disallow iexplore.exe
0
 
stevew1Commented:
Actually you can disregard my comment above. It seems this works in reverse of what I thought. If you set the default security to disallowed it will disallow every program. You would have to create rules for the programs you wanted to allow, Might work if you only wanted to allow a few programs.
0
 
regsampAuthor Commented:
"Thats is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"

This seems like it may work and just want to make sure I have this right, 1.  Active Directory Users and Computers, 2.  Properties/Group Policy, 3.  Add settings above and how are just the 4 users being added so that nobody else is affected?  
0
 
regsampAuthor Commented:
Disregard the above.  I need to create an OU and add the above settings and then add the users to it as the other method would add it, correct?  
0
 
JoeCommented:
what you could do is make a new OU add your 4 users change those settings and you could block policy inheritance on that OU if you wanted to.
0
 
IdeasUnknownSystem AdministratorCommented:
If you are using GPMC 1.0.2 (Group Policy Management Console 1.0.2) which you should be if you are using Windows Server 2003 you can add a new GPO at the Domain Level as such.

1. Login to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.

Hope that helps!
0
 
regsampAuthor Commented:
I created a new OU, added the 4 users and changed the settings to
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1.  Blocked policy inheritance on that OU and it is working great, Thank you.  
0
 
JoeCommented:
Glad to have helped :)
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 5
  • 5
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now