Re: per machine instead of per users
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/20/05
- Next message: Hollis D. Paul: "Re: SUS on XP"
- Previous message: Cary Shultz [A.D. MVP]: "Re: Grant Application Access with a GPO"
- In reply to: frank: "per machine instead of per users"
- Next in thread: frank: "Re: per machine instead of per users"
- Reply: frank: "Re: per machine instead of per users"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 19 Jan 2005 23:08:39 -0500
Frank,

Please tell us how you are doing what you are doing! There are a couple of
ways to do this.....Also, the assumption is that you are running WIN2000
Active Directory with either WIN2000 Pro or WINXP Pro clients.

One way that you might consider would be as follows:

Create a security group called 'nointernet' - or whatever - and make the
appropriate domain user account objects members of that group. Then, create
an Organizational Unit and move those domain user account objects into that
OU. This might not be possible - or very difficult based on your current
setup and other GPOs. There are ways around this.....

Then, create a GPO that is linked to this OU ( the one that you just created
and contains the individual domain user account objects ) whereby you give a
fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
change this IP Address. So, if you have a 192.168.1.x IP scheme in your
single subnet environment you could use 172.16.102.208, for example, as the
proxy address. This is done on the user configuration side of things.
Specifically, you would go to User Configuration | Windows Settings |
Internet Explorer Maintenance | Connection -------- Proxy Settings to add
the 'fake' IP Address and then go to User Configuration | Administrative
Templates | Internet Explorer --------Disable Changing Proxy Settings to,
err, disable the users from changing the 'fake' proxy settings. Why did you
create the security group from above? Well, if you can not move the users
who should be affected ( it seems as though you have some users who should
be able to access the Internet as well as some users who should not be able
to access the Internet ) by this GPO to a separate OU then simply link this
GPO to the OU that contains your user account objects and simply go to the
Security tab of the GPO, remove the Authenticated Users group and add your
'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
POLICY....In fact, I would suggest that you create the security group anyway
and get rid of the Authenticated Users group anyway....BTW - this is called
Group Filtering and is a bit more advanced.

So, this will affect the users only - regardless of which computer they are
using. It will not affect any 'Administrator' account as it/they would not
be members of the 'Nointernet' security group!

Now, this will affect the users. Okay! I am repeating myself. You would
also like this based on which computer a user is using at the moment. Like
I said above, it does not matter what computer the user is using....the GPO
affects only the users!

To do this based on computers, you would need to look at Loopback Processing
in Replace Mode. You would simply create an OU and move the computer account
objects to be affected into that OU. You then create the GPO and link it to
that OU. It sounds all very similar. Well, loopback changes the way that
GPOs are processed. This will be exactly what you need to resolve your
'computer based' need. You would just have to make sure that you explicitly
deny Domain Admins - or similar - the APPLY GROUP POLICY.

So, now you have the two GPOs that will cover all three of your needs!

Got it?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

"frank" <frank@discussions.microsoft.com> wrote in message
news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
> I need help please.
> I want to accomplish the following:
> I want restrict stations by netbios name not access the internet.
> I want administrator able go to this physical stations and able to get
> internet access
> I have three gpo rules:
> rule 1 call userinternet here I have internetgroup and choice per user.
>
> rule2: nointernet stop same as above except this time I stop internet
> access
>
> Both these rules work great
>
> rule 3 a group computer by netbios namecomputers are restricted internet
> with exception administrators.
>
> The problems lies when one my users who have internet rights can access
> the internet from this physical pc. I ultimately want this physical
> station not to surf no matter who sign on with exception of administrator.
>
> How is this possible please help
>
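
The interaction between group filtering and loopback Replace mode described in the reply above can be checked with a small model. This is an added example, not part of the original thread and not Microsoft's processing code; the OU names (`Staff`, `RestrictedPCs`, `OtherPCs`) and GPO names are hypothetical, and the model assumes the computer account itself can read and apply the GPOs linked to its OU.

```python
# Added example: simplified model of which user-side GPO settings win at logon.
# OU and GPO names are hypothetical; group names and the proxy IP are from the thread.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict
    apply: set                                # groups with READ + APPLY GROUP POLICY
    deny: set = field(default_factory=set)    # groups explicitly denied APPLY
    loopback_replace: bool = False            # computer-side loopback, Replace mode

    def applies_to(self, groups):
        # An explicit deny wins over any allow (group filtering).
        return bool(groups & self.apply) and not (groups & self.deny)

def effective_user_settings(groups, user_ou, computer_ou, links):
    """links maps an OU name to the ordered list of GPOs linked to it."""
    computer_gpos = links.get(computer_ou, [])
    # Assumption: the computer account itself can read and apply these GPOs.
    if any(g.loopback_replace for g in computer_gpos):
        candidates = computer_gpos            # Replace: the user's own GPOs are skipped
    else:
        candidates = links.get(user_ou, [])   # normal processing: user's OU only
    settings = {}
    for gpo in candidates:
        if gpo.applies_to(groups):
            settings.update(gpo.user_settings)
    return settings

FAKE_PROXY = {"proxy": "172.16.102.208", "proxy_locked": True}
LINKS = {
    "Staff": [GPO("user-nointernet", FAKE_PROXY, apply={"Nointernet"})],
    "RestrictedPCs": [GPO("pc-nointernet", FAKE_PROXY, apply={"Authenticated Users"},
                          deny={"Domain Admins"}, loopback_replace=True)],
}

def has_internet(groups, computer_ou, user_ou="Staff"):
    return "proxy" not in effective_user_settings(groups, user_ou, computer_ou, LINKS)

ALLOWED = {"Authenticated Users", "internetgroup"}
BLOCKED = {"Authenticated Users", "Nointernet"}
ADMIN = {"Authenticated Users", "Domain Admins"}

if __name__ == "__main__":
    for label, groups in (("allowed", ALLOWED), ("blocked", BLOCKED), ("admin", ADMIN)):
        for ou in ("OtherPCs", "RestrictedPCs"):
            print(f"{label:8} on {ou:14} internet={has_internet(groups, ou)}")
```

The case to look at is the user in `internetgroup` on a restricted computer: without the loopback GPO only the user's own OU is consulted, so that logon would still reach the Internet.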