Solved

Is there a workaround to bypass "Domain Group policy on wifi"?

Posted on 2014-09-18
19
432 Views
Last Modified: 2014-09-24
Domain group policy (Windows 2012 Server) is applied on the clients (Windows 7) to prevent them using wifi; they got this message: "your network administrator has blocked you from connecting to this network". Is there a workaround to bypass this policy from the user?
Thanks
0
Question by:Ihab
19 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 40329881
I'm sorry but I don't really understand the question.
You say that there is a policy in place that disables users to use the wifi network and now you would like them to be able to use it?
Or do you want to bypass this policy on your machine that an administrator has set?

If it is the first, yes this is possible, you should then disable the policy that disabled Wifi. You have access to those policies?

If it is the second, then no. If an administrator set up a policy there is no way around it.
0
 

Author Comment

by:Ihab
ID: 40329887
It is for testing purpose.
The policy applied from domain group policy
Can the user bypass the policy, if he is local admin on his Windows 7 machine, so he can use the wifi?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40329910
Nope he can't. If a policy is applied it will be applied to all users because normally (by default) a policy is applied to the Authenticated users group.

The only thing you can do is give this specific user you are testing with permissions on the GPO and give him (or her) explicit denied permissions on the apply policy. This way the policy will not be applied to this user. Do keep in mind that no setting from this policy will be applied because you are denying it explicitly.
0
 

Author Comment

by:Ihab
ID: 40329914
If I have a user who traveled to another country and he is asking me to remove the policy from his laptop or reset the policy to the defaults, so he can connect to wifi, knowing that he is local admin on his machine, is that possible?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40329921
Nope, still not possible.
The problem is that this policy was applied when he was logged onto the domain. And because this is a domain policy the user needs to have access to the network before he starts up the machine.

The only possible reason to get this fixed is to let the user use a VPN connection that can be established before login (select use dial-up connection to log into the domain) and after he is connected to the network let him do a GPUpdate /force. If the user can't make a VPN connection, has the policy applied and is not in the office there is no way of disabling it.


The only option that might just work (but I thought this doesn't work) is to create a local user account and log in with that local user account. It could be that the policies will not be applied then. You do have to check if this might be a possible workaround.
0
 
LVL 8

Expert Comment

by:Wilder_Admin
ID: 40329925
As a local admin you can overwrite policies with gpedit.msc; if you know which switch he has to change he can do it. Domain policies only change policies to a domain default, but you cannot prevent local admins from changing them. It's a concept. 99% of all companies use local admin on NB. But why??? If you google, it's a never ending story.

By the way, it's USER CONFIGURATION / ADMINISTRATIVE TEMPLATE / NETWORK CONNECTION / Ability to enable/disable a LAN connection
0
 

Author Comment

by:Ihab
ID: 40329929
He logged in as local administrator on the machine, he opened gpedit.msc but he can't find how to enable connecting to wifi, and the wifi is still giving the same message "your network administrator has blocked...."
0
 

Author Comment

by:Ihab
ID: 40329931
@ wilder admin
How can he enable the wifi again with his local admin? Please advise, or give more details or steps.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40329938
If he opened up the gpedit.msc he needs to go to the User Configuration and beneath the user configuration you have 3 options, 1 being Administrative Templates. After that he needs to go to Network, then to Network Connections and then choose "Ability to enable/disable a LAN connection" and set it to enable.

After that he needs to go to a command prompt and run gpupdate /force. After that let him reboot and he should be able to change the wifi setting.

Btw, do you have any idea what policy is applied on the policy in the domain??
0
 

Author Comment

by:Ihab
ID: 40330002
Can you please check the pic of what I got, it is still the same
20140918-130743.jpg
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330006
These are the settings that need to be changed.


User Configuration -> Policies -> Administrative Templates -> Network/Network connections ->

Policy | Setting
Prohibit access to properties of a LAN connection | Enabled
Prohibit access to properties of components of a remote access connection | Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu | Enabled
Prohibit connecting and disconnecting a remote access connection | Enabled

I changed these to the following:

Policy | Setting
Prohibit access to properties of a LAN connection | Disabled
Prohibit access to properties of components of a remote access connection | Disabled
Prohibit access to the Remote Access Preferences item on the Advanced menu | Disabled
Prohibit connecting and disconnecting a remote access connection | Disabled
0
 

Author Comment

by:Ihab
ID: 40330030
Still same
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330034
Then I guess the domain policy will still be applied, I'm afraid. Did the user do a gpupdate /force and reboot?
0
 

Author Comment

by:Ihab
ID: 40330040
Is there a way to reset the Windows 7 policy to defaults?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330046
Not as far as I know, other than to reinstall the machine.
Did you try to create a local account on the machine for the user?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40330155
The domain admin can create a policy strictly for that user (put the user in his own OU, i.e. wirelessenabled, and then create a group policy that allows the connection for that OU).
0
 

Author Comment

by:Ihab
ID: 40330484
@ Rhandel
I tried local admin, not working
@ david
I can't reach the domain, I mentioned it before
0
 

Accepted Solution

by:
Ihab earned 0 total points
ID: 40330594
As a one off you can go to Regedit and find Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wireless\GPTWirelessPolicy and find the policy file location in the PATH string.
(not sure if it is always a .tmp file in c:\windows\wlansvc\policies)

Then edit that file (as admin) and delete:
<denyAllIBSS>true</denyAllIBSS>
<denyAllESS>false</denyAllESS>

Then save, exit and reboot (not connected to your network).
Settings will be reset on the next network logon or when reconnecting to the network after a while through the policies.
0
 

Author Closing Comment

by:Ihab
ID: 40341141
It works
0
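
From the administrator's side, the local edit described in the accepted solution shows up as drift in the cached policy file, so it can be checked for between Group Policy refreshes. The PowerShell below is an added example, not code from any poster in the thread; the registry key, the `PATH` value name and the two element values come from the post, while the function name `Test-WirelessPolicyXml` and the sample XML are constructed for illustration.

```powershell
# Added example, not from the thread: read-only audit of the cached wireless policy file.
# Expected values are the two lines quoted in the accepted solution; adjust to your GPO.
$Expected = @{ denyAllIBSS = 'true'; denyAllESS = 'false' }

function Test-WirelessPolicyXml {
    param([string]$XmlText, [hashtable]$Expected)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    foreach ($name in $Expected.Keys) {
        # local-name() matches the element whatever namespace the file declares
        $node = $doc.SelectSingleNode("//*[local-name()='$name']")
        if ($null -eq $node) {
            "$name is missing"
        } elseif ($node.InnerText.Trim() -ne $Expected[$name]) {
            "$name is '$($node.InnerText.Trim())', expected '$($Expected[$name])'"
        }
    }
}

# Constructed samples (the wrapper element is invented, not the real schema)
$intact = '<sample><denyAllIBSS>true</denyAllIBSS><denyAllESS>false</denyAllESS></sample>'
$edited = '<sample></sample>'
"intact sample: $(@(Test-WirelessPolicyXml $intact $Expected).Count) finding(s)"
"edited sample: $(@(Test-WirelessPolicyXml $edited $Expected).Count) finding(s)"

# Live check on a domain-joined client
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Wireless\GPTWirelessPolicy'
if (Test-Path $key) {
    # Assumption: the value is named PATH, as the post describes it
    $file = (Get-ItemProperty -Path $key).PATH
    if ($file -and (Test-Path $file)) {
        $findings = @(Test-WirelessPolicyXml ([IO.File]::ReadAllText($file)) $Expected)
        "Policy file: $file (last written $((Get-Item $file).LastWriteTime))"
        if ($findings.Count) {
            $findings | ForEach-Object { "DRIFT: $_" }
        } else {
            'Deny flags match the expected values.'
        }
    } else {
        "DRIFT: policy file path missing or unreadable: $file"
    }
} else {
    'GPTWirelessPolicy key not found on this machine.'
}
```

A last-written time later than the client's most recent Group Policy refresh, together with a DRIFT line, is the combination worth alerting on.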
