Re: per machine instead of per users
From: frank (frank_at_discussions.microsoft.com)
Date: 01/20/05
- Next message: Chris Coates: "How do I use a GPO to make a registry change?"
- Previous message: Timothy Hasty: "RE: Logon Script"
- In reply to: Cary Shultz [A.D. MVP]: "Re: per machine instead of per users"
- Next in thread: Cary Shultz [A.D. MVP]: "Re: per machine instead of per users"
- Reply: Cary Shultz [A.D. MVP]: "Re: per machine instead of per users"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 20 Jan 2005 06:29:03 -0800
I did exactly what you suggested. However, users who have rights to the internet
still go to the physical machine and surf. I want to stop this machine, with the
exception of the administrator.
If anyone knows how to do this, please help.
"Cary Shultz [A.D. MVP]" wrote:
> Frank,
>
> Please tell us how you are doing what you are doing! There are a couple of
> ways to do this.....Also, the assumption is that you are running WIN2000
> Active Directory with either WIN2000 Pro or WINXP Pro clients.
>
> One way that you might consider would be as follows:
>
> Create a security group called 'nointernet' - or whatever - and make the
> appropriate domain user account objects members of that group. Then, create
> an Organizational Unit and move those domain user account objects into that
> OU. This might not be possible - or very difficult based on your current
> setup and other GPOs. There are ways around this.....
>
> Then, create a GPO that is linked to this OU ( the one that you just created
> and contains the individual domain user account objects ) whereby you give a
> fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
> change this IP Address. So, if you have a 192.168.1.x IP scheme in your
> single subnet environment you could use 172.16.102.208, for example, as the
> proxy address. This is done on the user configuration side of things.
> Specifically, you would go to User Configuration | Windows Settings |
> Internet Explorer Maintenance | Connection -------- Proxy Settings to add
> the 'fake' IP Address and then go to User Configuration | Administrative
> Templates | Internet Explorer --------Disable Changing Proxy Settings to,
> err, disable the users from changing the 'fake' proxy settings. Why did you
> create the security group from above? Well, if you can not move the users
> who should be affected ( it seems as though you have some users who should
> be able to access the Internet as well as some users who should not be able
> to access the Internet ) by this GPO to a separate OU then simply link this
> GPO to the OU that contains your user account objects and simply go to the
> Security tab of the GPO, remove the Authenticated Users group and add your
> 'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
> POLICY....In fact, I would suggest that you create the security group anyway
> and get rid of the Authenticated Users group anyway....BTW - this is called
> Group Filtering and is a bit more advanced.
>
> So, this will affect the users only - regardless of which computer they are
> using. It will not affect any 'Administrator' account as it/they would not
> be members of the 'Nointernet' security group!
>
> Now, this will affect the users. Okay! I am repeating myself. You would
> also like this based on which computer a user is using at the moment. Like
> I said above, it does not matter what computer the user is using....the GPO
> affects only the users!
>
> To do this based on computers, you would need to look at Loopback Processing
> in Replace Mode. You would simply create an OU and move the computer account
> objects to be affected into that OU. You then create the GPO and link it to
> that OU. It sounds all very similar. Well, loopback changes the way that
> GPOs are processed. This will be exactly what you need to resolve your
> 'computer based' need. You would just have to make sure that you explicitly
> deny Domain Admins - or similar - the APPLY GROUP POLICY.
>
> So, now you have the two GPOs that will cover all three of your needs!
>
> Got it?
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "frank" <frank@discussions.microsoft.com> wrote in message
> news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
> > I need help please.
> > I want to accomplish the following:
> > I want to restrict stations by netbios name to not access the internet.
> > I want the administrator to be able to go to these physical stations and be
> > able to get internet access.
> > I have three gpo rules:
> > rule 1: called userinternet; here I have internetgroup and choice per user.
> >
> > rule 2: nointernet stop, same as above except this time I stop internet
> > access.
> >
> > Both these rules work great.
> >
> > rule 3: a group of computers by netbios name; computers are restricted from
> > the internet with the exception of administrators.
> >
> > The problem lies when one of my users who has internet rights can access
> > the internet from this physical pc. I ultimately want this physical station
> > not to surf no matter who signs on, with the exception of the administrator.
> >
> > How is this possible? Please help.
> >
>
>
>
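
The computer-based setup described in the quoted reply (a GPO linked to the computers' OU with loopback processing in Replace mode), written out as an added PowerShell example; it is not from the original thread. It assumes a management station with the GroupPolicy module, the GPO name, OU path and proxy port are hypothetical, and the proxy is set as plain registry values rather than through Internet Explorer Maintenance.

```powershell
# Added example. Names marked "hypothetical" are placeholders, not from the thread.
Import-Module GroupPolicy

$GpoName    = 'NoInternet-Computers'                   # hypothetical GPO name
$ComputerOU = 'OU=NoInternetPCs,DC=example,DC=local'   # hypothetical OU holding the restricted PCs
$FakeProxy  = '172.16.102.208:80'                      # unreachable address from the reply; port is an assumption

New-GPO -Name $GpoName | Out-Null

# Computer side: "User Group Policy loopback processing mode".
# UserPolicyMode 2 = Replace (1 = Merge). In Replace mode the user settings of
# GPOs that apply to the computer replace the user's own, whoever logs on.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side: point Internet Explorer at the unreachable proxy.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $inet `
    -ValueName 'ProxyEnable' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $inet `
    -ValueName 'ProxyServer' -Type String -Value $FakeProxy | Out-Null

# User side: "Disable changing proxy settings".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# Link to the OU that contains the computer accounts, not the user accounts.
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# The administrator exemption is a Deny ACE for "Apply Group Policy" on
# Domain Admins. Set-GPPermission only grants permission levels, so add the
# Deny on the GPO's Security tab as the reply describes, then review the ACL:
Get-GPPermission -Name $GpoName -All

# Confirm the loopback value that was written into the GPO.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode'
```

On a restricted PC, `gpresult` run as a normal user and again as an administrator shows whether this GPO's user settings were applied or filtered out.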