We help IT Professionals succeed at work.

Group Policy to remove access to network connections


I've setup a group policy to prohibit access to the properties of a LAN connection and I can't seem to get it to work. I also set the same policy to remove Internet Options and Network Connections from the Control panel. Internet options has disappeared, but network connections hasn't (I used ncpa.cpl for network connections).

I've run a policy results wizard and it does appear to be working, but it's not..

Network/Network Connections
Policy Setting                                                                                          Winning GPO
Prohibit access to properties of a LAN connection Enabled                  Network & Control Panel
Prohibit access to properties of components of a LAN connection Enabled Network & Control Panel
Prohibit access to the Advanced Settings item on the Advanced menu Enabled Network & Control Panel
Prohibit adding and removing components for a LAN or remote access connection Enabled Network & Control Panel
Prohibit Enabling/Disabling components of a LAN connection Enabled Network & Control Panel
Prohibit TCP/IP advanced configuration Enabled Network & Control Panel

The user is only a member of domain users and there aren't any local policies affecting the machine. There are no GP errors in the event logs either.

Can someone point out what could be stopping this from working fully?


Watch Question

Mike ThomasConsultant
Top Expert 2010

Might be as simple as time, how long has it been since creating the policy? what OS is the clinet running? have you tried running gpupdate/force on the client?


I thought that but I created it yesterday and left it over night and part of the policy does appear to work partially(Internet options being removed from the control panel). The client OS is XP and I have tried gpupdate /force many a time, reboots, log offs, tried creating a seperate policy and nothing so far has stopped access to network connections :(
But did you try GPRESULT?... the policy is getting on that PC?... maybe is filtered out somehow or the targeted PC is not in the right OU?...


I didn't, forgot about that one ;) Still, here are the results on the client pc:

Applied Group Policy Objects
    Default Domain Policy
    Webroot DWP Install
    <b>Network & Control Panel<b>
    My Docs Re-direction
    Active Desktop
    Screen Saver Lockout
    Flash Install

The following GPOs were not applied because they were filtered out
    Small Business Server Remote Assistance Policy
        Filtering:  Disabled (GPO)

    Small Business Server Internet Connection Firewall
        Filtering:  Disabled (GPO)

    Windows Firewall Off
        Filtering:  Not Applied (Empty)

    Local Group Policy
        Filtering:  Not Applied (Empty)

The user is a part of the following security groups:
Ignore that, I've found the problem. The user has local admin rights over the machine (which is needed). After I removed this, the GPO applies fine.