Re: per machine instead of per users
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/21/05
- Next message: Job: "How to manage Users and Computers"
- Previous message: Marcy Daeffler: "Local Policy overiding Group Policy"
- In reply to: frank: "Re: per machine instead of per users"
- Next in thread: frank: "RE: per machine instead of per users"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 20 Jan 2005 20:02:21 -0500
Frank,
Did you do all the things that I suggested? I promise you that if you use
loopback correctly ( which I am going to assume that you did not ) then the
users would not have access to the Internet ( read: have the fake proxy IP
Address ) when logging onto the computers that are under the Scope of
Management of the loopback ( hint: need to use replace mode.....not merge!
This might be your error ).
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

"frank" <frank@discussions.microsoft.com> wrote in message
news:460AC715-FE93-4963-9DAE-667B7B1E9BC7@microsoft.com...
> I did exactly what you suggested. However, users who have rights to internet
> still go to the physical machine and surf. I want to stop this machine with
> the exception of administrator.
>
> If anyone knows how to do this please help
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Frank,
>>
>> Please tell us how you are doing what you are doing! There are a couple of
>> ways to do this.....Also, the assumption is that you are running WIN2000
>> Active Directory with either WIN2000 Pro or WINXP Pro clients.
>>
>> One way that you might consider would be as follows:
>>
>> Create a security group called 'nointernet' - or whatever - and make the
>> appropriate domain user account objects members of that group. Then, create
>> an Organizational Unit and move those domain user account objects into that
>> OU. This might not be possible - or very difficult based on your current
>> setup and other GPOs. There are ways around this.....
>>
>> Then, create a GPO that is linked to this OU ( the one that you just created
>> and contains the individual domain user account objects ) whereby you give a
>> fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
>> change this IP Address. So, if you have a 192.168.1.x IP scheme in your
>> single subnet environment you could use 172.16.102.208, for example, as the
>> proxy address. This is done on the user configuration side of things.
>> Specifically, you would go to User Configuration | Windows Settings |
>> Internet Explorer Maintenance | Connection -------- Proxy Settings to add
>> the 'fake' IP Address and then go to User Configuration | Administrative
>> Templates | Internet Explorer --------Disable Changing Proxy Settings to,
>> err, disable the users from changing the 'fake' proxy settings. Why did you
>> create the security group from above? Well, if you can not move the users
>> who should be affected ( it seems as though you have some users who should
>> be able to access the Internet as well as some users who should not be able
>> to access the Internet ) by this GPO to a separate OU then simply link this
>> GPO to the OU that contains your user account objects and simply go to the
>> Security tab of the GPO, remove the Authenticated Users group and add your
>> 'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
>> POLICY....In fact, I would suggest that you create the security group anyway
>> and get rid of the Authenticated Users group anyway....BTW - this is called
>> Group Filtering and is a bit more advanced.
>>
>> So, this will affect the users only - regardless of which computer they are
>> using. It will not affect any 'Administrator' account as it/they would not
>> be members of the 'Nointernet' security group!
>>
>> Now, this will affect the users. Okay! I am repeating myself. You would
>> also like this based on which computer a user is using at the moment. Like
>> I said above, it does not matter what computer the user is using....the GPO
>> affects only the users!
>>
>> To do this based on computers, you would need to look at Loopback Processing
>> in Replace Mode. You would simply create an OU and move the computer account
>> objects to be affected into that OU. You then create the GPO and link it to
>> that OU. It sounds all very similar. Well, loopback changes the way that
>> GPOs are processed. This will be exactly what you need to resolve your
>> 'computer based' need. You would just have to make sure that you explicitly
>> deny Domain Admins - or similar - the APPLY GROUP POLICY.
>>
>> So, now you have the two GPOs that will cover all three of your needs!
>>
>> Got it?
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>> "frank" <frank@discussions.microsoft.com> wrote in message
>> news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
>> > I need help please.
>> > I want to accomplish the following:
>> > I want to restrict stations by netbios name to not access the internet.
>> > I want the administrator to be able to go to these physical stations and
>> > be able to get internet access.
>> > I have three gpo rules:
>> > rule 1, called userinternet: here I have internetgroup and choice per user.
>> >
>> > rule 2: nointernet stop, same as above except this time I stop internet
>> > access
>> >
>> > Both these rules work great
>> >
>> > rule 3: a group of computers by netbios name; computers are restricted from
>> > internet with the exception of administrators.
>> >
>> > The problem lies when one of my users who has internet rights can access
>> > the internet from this physical pc. I ultimately want this physical station
>> > not to surf no matter who signs on, with the exception of administrator.
>> >
>> > How is this possible please help
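
The computer-based GPO from the quoted advice (loopback in Replace mode plus the locked fake proxy), as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module that ships with later Windows Server and RSAT releases, and it sets the proxy through registry values instead of the Internet Explorer Maintenance extension the post uses; the GPO name, OU path and proxy port are placeholders.

```powershell
# Added example: GPO name, OU path and proxy port are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName    = 'NoInternet-ByComputer'                    # hypothetical GPO name
$ComputerOU = 'OU=RestrictedStations,DC=example,DC=com'  # hypothetical OU holding the computer accounts
$FakeProxy  = '172.16.102.208:8080'                      # address from the post; port is constructed

# Create the GPO and link it to the OU that contains the COMPUTER accounts.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $ComputerOU | Out-Null

# Computer side: enable user-policy loopback. 2 = Replace, 1 = Merge.
# Replace discards the logging-on user's own user-side GPOs on these machines.
$system = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $system `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side (applied through loopback): point the browser at the unreachable proxy.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $inet `
    -ValueName 'ProxyEnable' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $inet `
    -ValueName 'ProxyServer' -Type String -Value $FakeProxy | Out-Null

# User side: registry value behind "Disable changing proxy settings".
$iePolicy = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $GpoName -Key $iePolicy `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# The explicit deny of APPLY GROUP POLICY for Domain Admins is not expressible
# with Set-GPPermission (it has no deny level); add that ACE on the GPO's
# security settings in the management console, then review the result here.
Get-GPRegistryValue -Name $GpoName -Key $system -ValueName 'UserPolicyMode'
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

If the first check prints a value of 1 instead of 2, the GPO is in Merge mode, which is the misconfiguration the reply above hints at.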