Re: Internet restriction

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 11/20/04

    Date: Sat, 20 Nov 2004 07:44:30 -0500

    Yes,

    And the security group that you would use in the Group Filtering would be
    the 'Normal users'. Why that group? Because we want the members of this
    group to be affected by the GPO that we just created. So, remove the
    Authenticated Users group from the Security Tab on the GPO and replace it
    with the security group "Normal Users" ( I would call it 'No Internet' or
    something more descriptive so that you would be able to remember what the
    purpose of this group is six months down the road. I would also document
    this in the Description field of the group so that it is right there! ) and
    make sure that you give this group the READ and APPLY GROUP POLICY rights. You
    would not need to create - well, not for this GPO anyway - the 'Team
    Leaders' group. Were you to add this group to the Security tab of the GPO
    and give it the two rights mentioned then the members of this security group
    would fall under the Scope of Management of this GPO and they, too, would
    not be able to access the Internet!

    Ken's suggestion is probably the best route to take if this would not create
    too many problems with your current setup.

    What you want to try to do is to set up your Organizational Units in such a
    way that any GPOs that you need to create can either be linked to the
    'parent' OU ( 'Staff' in his example, for any policies that need to affect
    everyone ) or to the specific OU ( 'Employees' in the layout that Ken
    created for you ). This way you minimize the number of links that you have
    and - more importantly - you minimize your need to make use of Group
    Filtering. In a well-thought-out OU design you would have minimized links
    and almost zero use of Group Filtering.

    My initial response - and I should have mentioned it at the time of the
    response - was simply a possible solution to your specific question. I was
    a bit remiss in addressing the larger issue. Well, I kinda mentioned
    it.....

    Anyway, if possible I might take a look at the OU design and at what GPOs
    you currently have ( and whom they affect and to what OU they are linked )
    and see if you might want to consider redesigning things. However, we do
    not have a lot of information on your environment so a re-thinking of the OU
    design might not be necessary. That is your call.

    HTH,

    Cary

    "Srikrishna" <Srikrishna@discussions.microsoft.com> wrote in message
    news:9C9157A5-A707-4108-AD75-82DEADDA5C9C@microsoft.com...
    > so in security group which i created ,contains the members are
    >
    > normal users ( which do not allow internet) OR
    > Team Leaders (which can allow internet)
    >
    > Thanks,
    > srikrishna
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    > > Srikrishna,
    > >
    > > You could very easily accomplish this. One way would be to install ISA
    > > 2000. This would be a good way to do this. However, it would require some
    > > cash outlay ( possibly for both hardware and software so probably not a very
    > > interesting suggestion, then ).
    > >
    > > Another way that you could accomplish this is to use Group Policy. Now,
    > > since all of your user account objects are in one OU this would require us
    > > to make use of a more advanced area known as Group Filtering. We will get
    > > to that in a second.
    > >
    > > And, before we go on this is based on WIN2000 Active Directory with WIN2000
    > > Pro and WINXP Pro clients. If you have WIN9x or WINNT 4.0 clients then this
    > > will not work.
    > >
    > > So, we need to do three things in your case:
    > >
    > > 1) create a 'fake' proxy address
    > > 2) disable the users' ability to change this
    > > 3) use a security group to selectively filter to which user account objects
    > > this will apply
    > >
    > > So, for the first 'thing' you would need to create and link the GPO to the
    > > OU that contains all of your user account objects. This should be the easy
    > > part! Simply right click on the OU, select New | Organizational Unit and
    > > then give it a friendly name ( such as 'No Internet Access' ).
    > >
    > > Technically, the GPO has just been created. However, it is blank. So we
    > > need to click on the Edit... button and navigate to User Configuration |
    > > Windows Settings | Internet Explorer Maintenance | Connections and then in
    > > the right panel we want to double-click on Proxy Settings. Simply enter in
    > > a fake IP Address ( so, if you have a 192.168.1.x network you might want to
    > > enter 172.16.10.34 or 192.168.56.109 as the proxy address ). This will make
    > > it pretty difficult for your users to access the Internet!
    > >
    > > But, this is just the first part. As it stands now they could still
    > > right-click on Internet Explorer, select Properties and go to the
    > > Connections tab and change it to something valid or completely remove it.
    > > We can not allow this. So, we need to make sure that they can not access
    > > the Connections tab. How do we do this? Very simply! Simply navigate to
    > > User Configuration | Administrative Templates | Windows Components |
    > > Internet Control Panel and in the right pane we want to enable the 'Disable
    > > the connections page' entry. So, now they can not access that tab to change
    > > the proxy address. This is good. We have just done what you needed to do.
    > >
    > > But, there is still one little problem. This is going to affect each and
    > > every domain user account object that directly resides in the OU to which
    > > you have linked the 'No Internet Access' GPO. You do not want the team
    > > leaders to be affected by this GPO. How do we ensure that this happens?
    > >
    > > By default, there is a security group called 'Authenticated Users' that has
    > > both READ and APPLY GROUP POLICY rights to each and every GPO that you
    > > create. 'Authenticated Users' contains all user account objects and
    > > computer account objects. We are applying this to the user configuration
    > > side so we are not worried about the computer account objects. However, all
    > > of the user account objects will fall under the Scope of Management of this
    > > GPO. We do not want this ( and I assume that you do not want to move these
    > > 'team leaders' to another OU as you probably have other GPOs linked to this
    > > OU ).
    > >
    > > So, go to the Security tab of this GPO and remove the Authenticated Users
    > > security group. Simply replace it with a security group ( possibly one that
    > > you will need to create ) that has all of the user account objects that you
    > > want affected by this GPO as members. Do not forget to give this security
    > > group both the READ and APPLY GROUP POLICY rights.
    > >
    > > Now you are done.
    > >
    > > HTH,
    > >
    > > Cary
    > >
    > >
    > >
    > > "Srikrishna" <Srikrishna@discussions.microsoft.com> wrote in message
    > > news:E5DF976C-9AF9-44EB-8C0D-B45B1316CAEC@microsoft.com...
    > > > Hi everybody,
    > > >
    > > > I have one OU, in this all employees are there and team leaders also.
    > > > How to apply GPO, to allow internet for only team leaders and deny all
    > > > employees??
    > > >
    > > > I know the option is there if we separate with two different OU's.
    > > >
    > > > But I want to know is it possible to implement within one OU?
    > > >
    > > > Thanks
    > > > srikrishna
    > >
    > >
    > >
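The three steps Cary walks through (bogus proxy, locked Connections tab, security filtering so that only members of one group are in scope) expressed with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not code from the thread or from Microsoft; the thread targets Windows 2000, which has none of these cmdlets, so it assumes Windows Server 2008 R2 or later. Assumed values: the OU `OU=Staff,DC=example,DC=com`, the GPO name `No Internet Access`, the group name `No Internet`, and port 8080 on the bogus proxy address taken from the thread. Two things that have changed since 2004 are reflected in the code: the Internet Explorer Maintenance node no longer exists in current policy editors, so the proxy is pushed as a registry value instead, and since MS16-072 the computer account must be able to read a GPO for its user settings to apply, so Domain Computers gets Read (not Apply) after Authenticated Users is removed. Team Leaders need no group of their own: anyone not in `No Internet` is simply out of scope, as Cary says.

```powershell
# Added example (not from the thread). Requires RSAT: GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OuPath    = 'OU=Staff,DC=example,DC=com'   # assumed: the OU holding all user accounts
$GpoName   = 'No Internet Access'           # assumed name
$GroupName = 'No Internet'                  # descriptive name, as Cary recommends
$FakeProxy = '192.168.56.109:8080'          # bogus address from the thread; port assumed

# 1) Security group whose members will receive the GPO, documented in its Description.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath `
        -Description "Members receive the '$GpoName' GPO and get a bogus proxy (no Internet)"
}

# 2) Create the GPO (if missing) and link it to the OU that contains the user accounts.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Bogus proxy + locked Connections tab; filtered to '$GroupName'"
    New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes | Out-Null
}

# 3) Bogus proxy. Replacement for the retired IE Maintenance | Connections setting:
#    user-hive registry values delivered by the GPO. These keys are not under
#    Software\Policies, so they tattoo the profile and are not undone when the GPO is unlinked.
$ieKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyEnable' -Type DWord  -Value 1          | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyServer' -Type String -Value $FakeProxy | Out-Null

# 4) "Disable the Connections page" and "Prevent changing proxy settings"
#    (User Configuration | Administrative Templates | Windows Components |
#    Internet Explorer | Internet Control Panel). These are true policy keys.
$cpKey = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $GpoName -Key $cpKey -ValueName 'ConnectionsTab' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $cpKey -ValueName 'Proxy'          -Type DWord -Value 1 | Out-Null

# 5) Security filtering: remove Authenticated Users, give the group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
# MS16-072 (June 2016): user-side settings are now read in the computer's security context,
# so the computer account needs Read on the GPO. Read only, not Apply, keeps the scope unchanged.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Check: only the 'No Internet' group should carry GpoApply; everything else Read or nothing.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

# On a client, after 'gpupdate /force' as a member and as a non-member:
#   gpresult /r /scope:user   -> 'No Internet Access' appears under "Applied Group Policy Objects"
#                                only for the member; the non-member lists it under "filtered out".
```

Two practitioner notes. First, `Get-GPPermission -All` is the fastest way to catch the mistake Cary warns about: a second group such as Team Leaders showing `GpoApply` means its members are in scope and will lose Internet access too. Second, a bogus proxy is a deterrent rather than an enforcement point, as Cary's own mention of ISA Server hints: it governs only clients that honour the WinINET proxy setting, so the control that actually blocks egress is the firewall or proxy at the network edge, with this GPO as the desktop-side convenience on top of it.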

