regsamp

asked on

Group policy question

We have a Windows 2003 network and we would like to set up a group policy for three specific Active Directory accounts, not to be able to access the Internet. What is the path, quickest and easiest method to set up a group policy to block these three accounts from accessing the Internet? Any assistance offered would be greatly appreciated.
Joe

regsamp

ASKER

The link was okay but I know there is a way to block Internet access to an Active Directory account and if we could get that path in the Group Policy editor then we would be all set.
regsamp

ASKER

The second link is not really viable for our situation. A group policy that would prevent four specific users from getting to the Internet would be the ideal solution as we are going to be upgrading our firewall/router/proxy very soon.
ASKER CERTIFIED SOLUTION
Joe
Ken Conradie
You may also want to check out the "MACHINE POLICY/Administrative Templates\System\Internet Communication Management | Restrict Internet communication" GPO Object, and read this article about it: http://www.gpanswers.com/community/viewtopic.php?p=2351&sid=7b46a94fd29bf9fe91a840ad62bd4c42

Seems like it may accomplish exactly what you need.

 
Create an OU, put the users you want to restrict in this OU. Then create a group policy "User Configuration\Windows Settings\Software restrictions\", click on Action and create a new software restriction policy. Under Additional Rules, create a new hash rule to disallow iexplore.exe.
Actually you can disregard my comment above. It seems this works in reverse of what I thought. If you set the default security to disallowed it will disallow every program. You would have to create rules for the programs you wanted to allow. Might work if you only wanted to allow a few programs.
regsamp

ASKER

"That is a GPO setting

User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings

You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.

then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"

This seems like it may work and just want to make sure I have this right, 1.  Active Directory Users and Computers, 2.  Properties/Group Policy, 3.  Add settings above and how are just the 4 users being added so that nobody else is affected?  
regsamp

ASKER

Disregard the above.  I need to create an OU and add the above settings and then add the users to it as the other method would add it, correct?  
What you could do is make a new OU, add your 4 users, change those settings, and you could block policy inheritance on that OU if you wanted to.
If you are using GPMC 1.0.2 (Group Policy Management Console 1.0.2), which you should be if you are using Windows Server 2003, you can add a new GPO at the Domain Level as such.

1. Log in to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.

Hope that helps!
regsamp

ASKER

I created a new OU, added the 4 users and changed the settings to
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1. Blocked policy inheritance on that OU and it is working great, thank you.
Glad to have helped :)
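
To confirm the settings discussed in this thread actually landed for a restricted user, the following added example (not part of the original thread or any poster's code) audits that user's proxy configuration and reports anything that would let traffic skip the 127.0.0.1 proxy. It assumes PowerShell 3.0 or later, must be run in the restricted user's session, and uses the registry locations these Internet Explorer settings normally write to, which the thread itself does not list.

```powershell
# Added example (not from the thread): audit the logged-on user's WinINET proxy
# settings against the configuration described above. Requires PowerShell 3.0+.
# Registry paths are the usual locations for these settings (assumption, see lead-in).
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-LoopbackProxy([string]$ProxyServer) {
    # ProxyServer is "host:port" or per-protocol "http=host:port;https=host:port".
    if ([string]::IsNullOrEmpty($ProxyServer)) { return $false }
    foreach ($entry in ($ProxyServer -split ';' | Where-Object { $_ })) {
        # Strip a leading "scheme=" and any "scheme://" prefix, then the port.
        $target    = ($entry -split '=')[-1] -replace '^\w+://', ''
        $proxyHost = ($target -split ':')[0]
        if ($proxyHost -notin @('127.0.0.1', 'localhost')) { return $false }
    }
    return $true
}

$findings = @()
if ((Get-RegValue $inetKey 'ProxyEnable') -ne 1) {
    $findings += 'ProxyEnable is not 1, so the static proxy is not in use'
}
$proxyServer = Get-RegValue $inetKey 'ProxyServer'
if (-not (Test-LoopbackProxy $proxyServer)) {
    $findings += "ProxyServer '$proxyServer' is empty or has a non-loopback entry"
}
if (Get-RegValue $inetKey 'AutoConfigURL') {
    $findings += 'AutoConfigURL is set, so a proxy script can override the static proxy'
}
$override = Get-RegValue $inetKey 'ProxyOverride'
if ($override) {
    $findings += "ProxyOverride lists hosts that are reached directly: $override"
}
if ((Get-RegValue $policyKey 'Proxy') -ne 1) {
    $findings += 'Proxy settings are not locked, so the user can change them'
}

# One object per user, suitable for Export-Csv when collected from several sessions.
[pscustomobject]@{
    User      = "$env:USERDOMAIN\$env:USERNAME"
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings
}
```

An empty `Findings` list means the proxy is enabled, every proxy entry points at loopback, no auto-configuration script or bypass list is present, and the proxy dialog is locked for that user.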