Sign in with
Sign up | Sign in
Your question

per machine instead of per users

Last response: in Windows 2000/NT
Share
January 19, 2005 2:31:06 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I need help please.
I want to accomplish the following:
I want restrict stations by netbios name not access the internet.
I want administrator able go to this phsyical stations and able to get
internet access
I have three gpo rules:
rule 1 call userinternet here I have internetgroup and choice per user.

rule2: nointernet stop same as above except this time I stop internet access

Both these rules work great

rule 3 a group computer by netbois namecomputers are restricted internet
with exception administrators.

The problems lies when one my users who have internet rights can access the
internet from this physical pc. I ultmatly want this physical station not to
surf no matter who sighn on with exception of administrator.

How is this possible please help

More about : machine users

Anonymous
January 20, 2005 2:08:39 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Frank,

Please tell us how you are doing what you are doing! There are a couple of
ways to do this.....Also, the assumption is that you are running WIN2000
Active Directory with either WIN2000 Pro or WINXP Pro clients.

One way that you might consider would be as follows:

Create a security group called 'nointernet' - or whatever - and make the
appropriate domain user account objects members of that group. Then, create
an Organizational Unit and move those domain user account objects into that
OU. This might not be possible - or very difficult based on your current
setup and other GPOs. There are ways around this.....

Then, create a GPO that is linked to this OU ( the one that you just created
and contains the individual domain user account objects ) whereby you give a
fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
change this IP Address. So, if you have a 192.168.1.x IP scheme in your
single subnet environment you could use 172.16.102.208, for example, as the
proxy address. This is done on the user configuration side of things.
Specifically, you would go to User Configuration | Windows Settings |
Internet Explorer Maintenance | Connection -------- Proxy Settings to add
the 'fake' IP Address and then go to User Configuration | Administrative
Templates | Internet Explorer --------Disable Changing Proxy Settings to,
err, disable the users from changing the 'fake' proxy settings. Why did you
create the security group from above? Well, if you can not move the users
who should be affected ( it seems as though you have some users who should
be able to access the Internet as well as some users who should not be able
to access the Internet ) by this GPO to a separate OU then simply link this
GPO to the OU that contains your user account objects and simply go to the
Security tab of the GPO, remove the Authenticated Users group and add your
'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
POLICY....In fact, I would suggest that you create the security group anyway
and get rid of the Authenticated Users group anyway....BTW - this is called
Group Filtering and is a bit more advanced.

So, this will affect the users only - regardless of which computer they are
using. It will not affect any 'Administrator' account as it/they would not
be members of the 'Nointernet' security group!

Now, this will affect the users. Okay! I am repeating myself. You would
also like this based on which computer a user is using at the moment. Like
I said above, it does not matter what computer the user is using....the GPO
affects only the users!

To do this based on computers, you would need to look at Loopback Processing
in Replace Mode. You would simply create an OU and move the computer account
objects to be affected into that OU. You then create the GPO and link it to
that OU. It sounds all very similar. Well, loopback changes the way that
GPOs are processed. This will be exactly what you need to resolve your
'computer based' need. You would just have to make sure that you explicitly
deny Domain Admins - or similar - the APPLY GROUP POLICY.

So, now you have the two GPOs that will cover all three of your needs!

Got it?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"frank" <frank@discussions.microsoft.com> wrote in message
news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
>I need help please.
> I want to accomplish the following:
> I want restrict stations by netbios name not access the internet.
> I want administrator able go to this phsyical stations and able to get
> internet access
> I have three gpo rules:
> rule 1 call userinternet here I have internetgroup and choice per user.
>
> rule2: nointernet stop same as above except this time I stop internet
> access
>
> Both these rules work great
>
> rule 3 a group computer by netbois namecomputers are restricted internet
> with exception administrators.
>
> The problems lies when one my users who have internet rights can access
> the
> internet from this physical pc. I ultmatly want this physical station not
> to
> surf no matter who sighn on with exception of administrator.
>
> How is this possible please help
>
January 20, 2005 9:29:03 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I did excatlly what you suggested. However user who have rights to internet
still go to the phsyical machine and surf. I want stop this machine with the
exception of administrator.

If any knows how to do this please help


"Cary Shultz [A.D. MVP]" wrote:

> Frank,
>
> Please tell us how you are doing what you are doing! There are a couple of
> ways to do this.....Also, the assumption is that you are running WIN2000
> Active Directory with either WIN2000 Pro or WINXP Pro clients.
>
> One way that you might consider would be as follows:
>
> Create a security group called 'nointernet' - or whatever - and make the
> appropriate domain user account objects members of that group. Then, create
> an Organizational Unit and move those domain user account objects into that
> OU. This might not be possible - or very difficult based on your current
> setup and other GPOs. There are ways around this.....
>
> Then, create a GPO that is linked to this OU ( the one that you just created
> and contains the individual domain user account objects ) whereby you give a
> fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
> change this IP Address. So, if you have a 192.168.1.x IP scheme in your
> single subnet environment you could use 172.16.102.208, for example, as the
> proxy address. This is done on the user configuration side of things.
> Specifically, you would go to User Configuration | Windows Settings |
> Internet Explorer Maintenance | Connection -------- Proxy Settings to add
> the 'fake' IP Address and then go to User Configuration | Administrative
> Templates | Internet Explorer --------Disable Changing Proxy Settings to,
> err, disable the users from changing the 'fake' proxy settings. Why did you
> create the security group from above? Well, if you can not move the users
> who should be affected ( it seems as though you have some users who should
> be able to access the Internet as well as some users who should not be able
> to access the Internet ) by this GPO to a separate OU then simply link this
> GPO to the OU that contains your user account objects and simply go to the
> Security tab of the GPO, remove the Authenticated Users group and add your
> 'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
> POLICY....In fact, I would suggest that you create the security group anyway
> and get rid of the Authenticated Users group anyway....BTW - this is called
> Group Filtering and is a bit more advanced.
>
> So, this will affect the users only - regardless of which computer they are
> using. It will not affect any 'Administrator' account as it/they would not
> be members of the 'Nointernet' security group!
>
> Now, this will affect the users. Okay! I am repeating myself. You would
> also like this based on which computer a user is using at the moment. Like
> I said above, it does not matter what computer the user is using....the GPO
> affects only the users!
>
> To do this based on computers, you would need to look at Loopback Processing
> in Replace Mode. You would simply create an OU and move the computer account
> objects to be affected into that OU. You then create the GPO and link it to
> that OU. It sounds all very similar. Well, loopback changes the way that
> GPOs are processed. This will be exactly what you need to resolve your
> 'computer based' need. You would just have to make sure that you explicitly
> deny Domain Admins - or similar - the APPLY GROUP POLICY.
>
> So, now you have the two GPOs that will cover all three of your needs!
>
> Got it?
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "frank" <frank@discussions.microsoft.com> wrote in message
> news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
> >I need help please.
> > I want to accomplish the following:
> > I want restrict stations by netbios name not access the internet.
> > I want administrator able go to this phsyical stations and able to get
> > internet access
> > I have three gpo rules:
> > rule 1 call userinternet here I have internetgroup and choice per user.
> >
> > rule2: nointernet stop same as above except this time I stop internet
> > access
> >
> > Both these rules work great
> >
> > rule 3 a group computer by netbois namecomputers are restricted internet
> > with exception administrators.
> >
> > The problems lies when one my users who have internet rights can access
> > the
> > internet from this physical pc. I ultmatly want this physical station not
> > to
> > surf no matter who sighn on with exception of administrator.
> >
> > How is this possible please help
> >
>
>
>
Related resources
Anonymous
January 20, 2005 11:02:21 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Frank,

Did you do all the things that I suggested? I promise you that if you use
loopback correctly ( which I am going to assume that you did not ) then the
users would not have access to the Internet ( read: have the fake proxy IP
Address ) when logging onto the computers that are under the Scope of
Management of the loopback ( hint: need to use replace mode.....not merge!
This might be your error ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"frank" <frank@discussions.microsoft.com> wrote in message
news:460AC715-FE93-4963-9DAE-667B7B1E9BC7@microsoft.com...
>I did excatlly what you suggested. However user who have rights to internet
> still go to the phsyical machine and surf. I want stop this machine with
> the
> exception of administrator.
>
> If any knows how to do this please help
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Frank,
>>
>> Please tell us how you are doing what you are doing! There are a couple
>> of
>> ways to do this.....Also, the assumption is that you are running WIN2000
>> Active Directory with either WIN2000 Pro or WINXP Pro clients.
>>
>> One way that you might consider would be as follows:
>>
>> Create a security group called 'nointernet' - or whatever - and make the
>> appropriate domain user account objects members of that group. Then,
>> create
>> an Organizational Unit and move those domain user account objects into
>> that
>> OU. This might not be possible - or very difficult based on your current
>> setup and other GPOs. There are ways around this.....
>>
>> Then, create a GPO that is linked to this OU ( the one that you just
>> created
>> and contains the individual domain user account objects ) whereby you
>> give a
>> fake proxy address ( IP Address ) -A*N*D- you disable the user's ability
>> to
>> change this IP Address. So, if you have a 192.168.1.x IP scheme in your
>> single subnet environment you could use 172.16.102.208, for example, as
>> the
>> proxy address. This is done on the user configuration side of things.
>> Specifically, you would go to User Configuration | Windows Settings |
>> Internet Explorer Maintenance | Connection -------- Proxy Settings to add
>> the 'fake' IP Address and then go to User Configuration | Administrative
>> Templates | Internet Explorer --------Disable Changing Proxy Settings to,
>> err, disable the users from changing the 'fake' proxy settings. Why did
>> you
>> create the security group from above? Well, if you can not move the
>> users
>> who should be affected ( it seems as though you have some users who
>> should
>> be able to access the Internet as well as some users who should not be
>> able
>> to access the Internet ) by this GPO to a separate OU then simply link
>> this
>> GPO to the OU that contains your user account objects and simply go to
>> the
>> Security tab of the GPO, remove the Authenticated Users group and add
>> your
>> 'Nointernet' group. Make sure that you give this group READ and APPLY
>> GROUP
>> POLICY....In fact, I would suggest that you create the security group
>> anyway
>> and get rid of the Authenticated Users group anyway....BTW - this is
>> called
>> Group Filtering and is a bit more advanced.
>>
>> So, this will affect the users only - regardless of which computer they
>> are
>> using. It will not affect any 'Administrator' account as it/they would
>> not
>> be members of the 'Nointernet' security group!
>>
>> Now, this will affect the users. Okay! I am repeating myself. You
>> would
>> also like this based on which computer a user is using at the moment.
>> Like
>> I said above, it does not matter what computer the user is using....the
>> GPO
>> affects only the users!
>>
>> To do this based on computers, you would need to look at Loopback
>> Processing
>> in Replace Mode. You would simply create an OU and move the computer
>> account
>> objects to be affected into that OU. You then create the GPO and link it
>> to
>> that OU. It sounds all very similar. Well, loopback changes the way
>> that
>> GPOs are processed. This will be exactly what you need to resolve your
>> 'computer based' need. You would just have to make sure that you
>> explicitly
>> deny Domain Admins - or similar - the APPLY GROUP POLICY.
>>
>> So, now you have the two GPOs that will cover all three of your needs!
>>
>> Got it?
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "frank" <frank@discussions.microsoft.com> wrote in message
>> news:206DF769-7A25-4928-A6A1-6D2C07E8F6C5@microsoft.com...
>> >I need help please.
>> > I want to accomplish the following:
>> > I want restrict stations by netbios name not access the internet.
>> > I want administrator able go to this phsyical stations and able to get
>> > internet access
>> > I have three gpo rules:
>> > rule 1 call userinternet here I have internetgroup and choice per user.
>> >
>> > rule2: nointernet stop same as above except this time I stop internet
>> > access
>> >
>> > Both these rules work great
>> >
>> > rule 3 a group computer by netbois namecomputers are restricted
>> > internet
>> > with exception administrators.
>> >
>> > The problems lies when one my users who have internet rights can access
>> > the
>> > internet from this physical pc. I ultmatly want this physical station
>> > not
>> > to
>> > surf no matter who sighn on with exception of administrator.
>> >
>> > How is this possible please help
>> >
>>
>>
>>
January 21, 2005 12:37:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I might have not made myself clear here:

I already have a rule that works that a "nointernet user" does not matter
which computer they go to they will not access the internet. Then I have a
second rule which has "internet user" and it does not matter which computer
they go to they have internet access. It excatlly the same steps by fake out
the ip with the noninternet users. Thes two rules works great. Now I have 20
physical computers and I want these phsyical computers having no internet
usage at all no matter who sign in except for administrator.

Even when I tryed your steps the users with "internet access" can go to
these 20 pc at still get internet and I want the "internet access group"
restrict when go to these 20 pc

You rules do not work they are the same as mine and only work with 2 of 3
rules.
I would like 3 of 3 anyone who knows how to do this third rule where I can
restrict these 20 pc even if the user is in "internet allow group" that would
be great.

And fyi: I have try create a computernointernet group put these 20pc in that
group and then creating a ou move the 20 computers in that ou and then link
the gpo rule to ou.
Guess what the user with internet access rights can still go to any these 20
computer and access internet

So how do I get these 20 pc no internet access no matter who sign on expect
for administrator sorry to repeat myself but I just make clear excatlly what
I need.


Thanks for any help in advance

"frank" wrote:

> I need help please.
> I want to accomplish the following:
> I want restrict stations by netbios name not access the internet.
> I want administrator able go to this phsyical stations and able to get
> internet access
> I have three gpo rules:
> rule 1 call userinternet here I have internetgroup and choice per user.
>
> rule2: nointernet stop same as above except this time I stop internet access
>
> Both these rules work great
>
> rule 3 a group computer by netbois namecomputers are restricted internet
> with exception administrators.
>
> The problems lies when one my users who have internet rights can access the
> internet from this physical pc. I ultmatly want this physical station not to
> surf no matter who sighn on with exception of administrator.
>
> How is this possible please help
>
Anonymous
January 22, 2005 4:29:03 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

>I ultmatly want this physical station not to surf no matter who sighn
>on with exception of administrator.

If the fake Proxy settings don’t work for you (Great idea by the way
but only works for IE) my advice is to buy a firewall. I recommend ISA
as you can restrict Internet Access via user group or computer or
both. However, there are nice free linux firewalls out there but I
don’t know linux so I can’t recommend one.

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-machine-users...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=783137
Anonymous
January 22, 2005 5:10:36 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Laura,

IPCop would be the free Linux Firewall that I know off of the top of my
head!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41f1f2af$1_3@alt.athenanews.com...
> Hi,
>
>>I ultmatly want this physical station not to surf no matter who sighn
>>on with exception of administrator.
>
> If the fake Proxy settings don't work for you (Great idea by the way
> but only works for IE) my advice is to buy a firewall. I recommend ISA
> as you can restrict Internet Access via user group or computer or
> both. However, there are nice free linux firewalls out there but I
> don't know linux so I can't recommend one.
>
> Cheers,
>
> Lara
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Group-Policy-machine-users...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=783137
!