Link to home
Create AccountLog in
Avatar of jimmyswinger
jimmyswingerFlag for United States of America

asked on

Prevent students from changing any wireless network settings

Hi,

I am trying to figure out how to prevent a school full of apparently deviant minded students hell bent on showing off how they can change wireless networks to unsecured ones in the neighborhood...

I have researched this pretty extensively on Expert's Exchange and Microsoft Technet, but I can't seem to find the correct answer... Here is what I know:

1) I have hudden the wireless icon from students but as soon as they disable the wireless adapter (there is a button above the keyboard on the laptop to do this), the wireless icon shows up and they can then then "View Available Wireless Networks".
2) I want to prevent students from:
    a) Accessing wireless settings
    b) Changing wireless networks (if subpoint a is met then this is moot!)

I would like to be able to do this via Group Policy, but I can't seem to make the Wireless Network Policies work in any way that appears to help.

Any suggestions?

Thanks in advance - I really appreciate
Avatar of davesgonebananas
davesgonebananas
Flag of United Kingdom of Great Britain and Northern Ireland image

Yes you may be able to make use of the Wireless Network Policies Extension for Group Policy.  It requres at minimum, one domain controller running a Microsoft Windows Server 2003 operating system. The Wireless Network Policies Extension is supported on client computers running Windows XP Professional (Service Pack 1 and later) and using IEEE 802.11 access with IEEE 802.1x authentication in a wireless network.

http://technet.microsoft.com/en-us/library/cc787465.aspx
Avatar of johnb6767
Are they standard User accounts?
Avatar of jimmyswinger

ASKER

I'm researching the same thing, and I've not found a good solution even after searching for a few hours! You'd think this would be a huge issue and that it would be easy as cake to find an answer on this!! Alas,

I decided that I am going to use Windows Steadystate for it's disk protection features - basically it allows you to set up the computer in such a way that any changes a user makes are discarded and everything snaps back into place after you reboot the computer. I am only just beginning to dig in to this but it looks like it might have the desired results.

Here is a link that you may find useful:
http://social.microsoft.com/forums/en-US/windowssteadystate/thread/085c6519-f111-4679-89d5-b1baa0634c32/

Pesky students! ;)
thanks for the sharing
Steady State is great for kiosk and public type PC's so it should work for you in what you are currently looking to accomplish...

Silly thought.... Have you tried to add "DENY rights to the kids user's group? Guessing you might have a "Students" group or similar?
ASKER CERTIFIED SOLUTION
Avatar of jimmyswinger
jimmyswinger
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
PS, I did not use steadystate - It would have required my reimaging each machine on the network. Maybe next year.
I had the same problem and recently came up with a solution.

regedit:
navigate to HKLM\Software\Microsoft\WZCSVC
right-click->permissions->select SYSTEM->Advanced->Select System->edit
Deny:Set Value, Create Subkey, create link, delete, write DAC, Write Owner

navigate to HKLM\Software\Microsoft\EAPOL
right-click->permissions->select SYSTEM->Advanced->Select System->edit
Deny:Set Value, Create Subkey, create link, delete, write DAC, Write Owner

To undo, select Deny policy->edit->clear all

If you wanted to automate or deploy, there's a setacl.exe on sourceforge and you can use:
SetACL.exe -on "HKLM\SOFTWARE\Microsoft\EAPOL" -ot reg -actn ace -ace "n:SYSTEM;p:set_val,create_subkey,create_link,delete,write_dacl,write_owner;s:n;m:deny;w:dacl"
SetACL.exe -on "HKLM\SOFTWARE\Microsoft\WZCSVC" -ot reg -actn ace -ace "n:SYSTEM;p:set_val,create_subkey,create_link,delete,write_dacl,write_owner;s:n;m:deny;w:dacl"