regsamp
asked on
Group policy question
We have a Windows 2003 network and we would like to setup a group policy for three specific Active Directory accounts, not to be able to access the Internet. What is the path, quickest and easist method to setup a group policy to block these three accounts from accessing the Internet? Any assistance offered would be greatly appreciated.
ASKER
The link was okay but I know there is a way to block Interent Access to an Active Directory account and if we could get that path in the Group Policy editor then we would be all set.
ASKER
The second link is not really viable for our situation. A group policy that would prevent four specific users from getting to the Interent would be the ideal solution as we are going to be upgrading our firewall/router/proxy very soon.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
You may also want to check out the "MACHINE POLICY/Administrative Templates\System\Internet Communication Management | Restrict Internet communication" GPO Object, and read this article about it: http://www.gpanswers.com/community/viewtopic.php?p=2351&sid=7b46a94fd29bf9fe91a840ad62bd4c42
Seems like it may accomplish exactly what you need.
Seems like it may accomplish exactly what you need.
Create an OU, put the users you want to restrict in this OU. Then create a group policy "User Configuration\Windows Settings\Software restrictions\ click on action and create a new software restriction policy. Under Additional Rules create a new hash rule to disallow iexplore.exe
Actually you can disregard my comment above. It seems this works in reverse of what I thought. If you set the default security to disallowed it will disallow every program. You would have to create rules for the programs you wanted to allow, Might work if you only wanted to allow a few programs.
ASKER
"Thats is a GPO setting
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"
This seems like it may work and just want to make sure I have this right, 1. Active Directory Users and Computers, 2. Properties/Group Policy, 3. Add settings above and how are just the 4 users being added so that nobody else is affected?
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
then place the 4 users in the OU you want this applied. And set it to 127.0.0.1"
This seems like it may work and just want to make sure I have this right, 1. Active Directory Users and Computers, 2. Properties/Group Policy, 3. Add settings above and how are just the 4 users being added so that nobody else is affected?
ASKER
Disregard the above. I need to create an OU and add the above settings and then add the users to it as the other method would add it, correct?
what you could do is make a new OU add your 4 users change those settings and you could block policy inheritance on that OU if you wanted to.
If you are using GPMC 1.0.2 (Group Policy Management Console 1.0.2) which you should be if you are using Windows Server 2003 you can add a new GPO at the Domain Level as such.
1. Login to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.
Hope that helps!
1. Login to a/the Domain Controller.
2. Start -> Run
3. In the "Open" box type "gpmc.msc" (without the quotes) and press the "OK" button.
4. Right click your domain container.
5. Select "Create and Link a GPO here...".
6. In the "Name" box type a descriptive name, such as "Blocked Internet Custom Instructions", and press the "OK" button.
7. Find and select the new GPO in the left pane under your domain container.
8. In the middle pane on the right side labeled "Security Filtering" remove the default groupings and users and add the Active Directory account names (3) that you want blocked from the internet.
9. Right click the new GPO in the left pane and select "Edit" from the menu.
10. Please see regsamp's post above for the correct hierarchy for the settings you want and need.
11. Sit back and enjoy being a bad ass network administrator.
Hope that helps!
ASKER
I created a new OU, added the 4 users and changed the settings to
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1. Blocked policy inheritance on that OU and it is working great, Thank you.
User Settings -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
You will probably also want to Disable changing proxy settings:
User Settings --> Administrative Templates --> Windows Components --> Internet Explorer.
And set it to 127.0.0.1. Blocked policy inheritance on that OU and it is working great, Thank you.
Glad to have helped :)
https://www.experts-exchange.com/questions/21140446/Block-Internet-Access-to-a-user-using-Group-Policy-on-a-2003-Domain.html?query=GPO+to+block+internet+access&clearTAFilter=true