per machine instead of per users

Archived from groups: microsoft.public.win2000.group_policy

I need help please.
I want to accomplish the following:
I want to restrict stations by NetBIOS name so they do not access the internet.
I want the administrator to be able to go to these physical stations and be able to get
internet access.
I have three GPO rules:
Rule 1, called userinternet: here I have internetgroup and choice per user.

Rule 2: nointernet stop, same as above except this time I stop internet access.

Both these rules work great.

Rule 3: a group of computers by NetBIOS name; the computers are restricted from the internet,
with the exception of administrators.

The problem lies when one of my users who has internet rights can access the
internet from this physical PC. I ultimately want this physical station not to
surf no matter who signs on, with the exception of the administrator.

How is this possible? Please help.
  1. Archived from groups: microsoft.public.win2000.group_policy

    Frank,

    Please tell us how you are doing what you are doing! There are a couple of
    ways to do this.....Also, the assumption is that you are running WIN2000
    Active Directory with either WIN2000 Pro or WINXP Pro clients.

    One way that you might consider would be as follows:

    Create a security group called 'nointernet' - or whatever - and make the
    appropriate domain user account objects members of that group. Then, create
    an Organizational Unit and move those domain user account objects into that
    OU. This might not be possible - or very difficult based on your current
    setup and other GPOs. There are ways around this.....

    Then, create a GPO that is linked to this OU ( the one that you just created
    and contains the individual domain user account objects ) whereby you give a
    fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
    change this IP Address. So, if you have a 192.168.1.x IP scheme in your
    single subnet environment you could use 172.16.102.208, for example, as the
    proxy address. This is done on the user configuration side of things.
    Specifically, you would go to User Configuration | Windows Settings |
    Internet Explorer Maintenance | Connection -------- Proxy Settings to add
    the 'fake' IP Address and then go to User Configuration | Administrative
    Templates | Internet Explorer --------Disable Changing Proxy Settings to,
    err, disable the users from changing the 'fake' proxy settings. Why did you
    create the security group from above? Well, if you can not move the users
    who should be affected ( it seems as though you have some users who should
    be able to access the Internet as well as some users who should not be able
    to access the Internet ) by this GPO to a separate OU then simply link this
    GPO to the OU that contains your user account objects and simply go to the
    Security tab of the GPO, remove the Authenticated Users group and add your
    'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
    POLICY....In fact, I would suggest that you create the security group anyway
    and get rid of the Authenticated Users group anyway....BTW - this is called
    Group Filtering and is a bit more advanced.

    So, this will affect the users only - regardless of which computer they are
    using. It will not affect any 'Administrator' account as it/they would not
    be members of the 'Nointernet' security group!

    Now, this will affect the users. Okay! I am repeating myself. You would
    also like this based on which computer a user is using at the moment. Like
    I said above, it does not matter what computer the user is using....the GPO
    affects only the users!

    To do this based on computers, you would need to look at Loopback Processing
    in Replace Mode. You would simply create an OU and move the computer account
    objects to be affected into that OU. You then create the GPO and link it to
    that OU. It sounds all very similar. Well, loopback changes the way that
    GPOs are processed. This will be exactly what you need to resolve your
    'computer based' need. You would just have to make sure that you explicitly
    deny Domain Admins - or similar - the APPLY GROUP POLICY.

    So, now you have the two GPOs that will cover all three of your needs!

    Got it?

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

  2. Archived from groups: microsoft.public.win2000.group_policy

    I did exactly what you suggested. However, users who have rights to the internet
    can still go to the physical machine and surf. I want to stop this machine, with the
    exception of the administrator.

    If anyone knows how to do this, please help.

  3. Archived from groups: microsoft.public.win2000.group_policy

    Frank,

    Did you do all the things that I suggested? I promise you that if you use
    loopback correctly ( which I am going to assume that you did not ) then the
    users would not have access to the Internet ( read: have the fake proxy IP
    Address ) when logging onto the computers that are under the Scope of
    Management of the loopback ( hint: need to use replace mode.....not merge!
    This might be your error ).

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

  4. Archived from groups: microsoft.public.win2000.group_policy

    I might not have made myself clear here:

    I already have a rule that works, so that for a "nointernet user" it does not matter
    which computer they go to, they will not access the internet. Then I have a
    second rule which has "internet user", and it does not matter which computer
    they go to, they have internet access. It is exactly the same steps, by faking out
    the IP with the noninternet users. These two rules work great. Now I have 20
    physical computers and I want these physical computers to have no internet
    usage at all no matter who signs in, except for the administrator.

    Even when I tried your steps, the users with "internet access" can go to
    these 20 PCs and still get internet, and I want the "internet access group"
    restricted when they go to these 20 PCs.

    Your rules do not work; they are the same as mine and only work with 2 of 3
    rules.
    I would like 3 of 3. If anyone knows how to do this third rule, where I can
    restrict these 20 PCs even if the user is in the "internet allow group", that would
    be great.

    And FYI: I have tried creating a computernointernet group, putting these 20 PCs in that
    group, and then creating an OU, moving the 20 computers into that OU and then linking
    the GPO rule to the OU.
    Guess what: the user with internet access rights can still go to any of these 20
    computers and access the internet.

    So how do I get these 20 PCs to have no internet access no matter who signs on, except
    for the administrator? Sorry to repeat myself, but I just want to make clear exactly what
    I need.


    Thanks for any help in advance
  5. Archived from groups: microsoft.public.win2000.group_policy

    Hi,

    >I ultimately want this physical station not to surf no matter who signs
    >on with exception of administrator.

    If the fake Proxy settings don’t work for you (Great idea by the way
    but only works for IE) my advice is to buy a firewall. I recommend ISA
    as you can restrict Internet Access via user group or computer or
    both. However, there are nice free Linux firewalls out there but I
    don’t know Linux so I can’t recommend one.

    Cheers,

    Lara

  6. Archived from groups: microsoft.public.win2000.group_policy

    Laura,

    IPCop would be the free Linux Firewall that I know off of the top of my
    head!

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com

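The processing rule behind replies 1 and 3, as an added example (not code from any poster in the thread): a small model of which user-side GPO settings reach a logon session under normal processing and under loopback Replace, with group filtering and an explicit Deny on Apply Group Policy. The OU names, account names, GPO name `restricted-pcs` and the `DisableChangingProxy` key are hypothetical; only normal and Replace mode are modelled.

```python
from dataclasses import dataclass, field

FAKE_PROXY = "172.16.102.208"  # the fake proxy address suggested in the thread


@dataclass
class GPO:
    name: str
    linked_ou: str
    user_settings: dict = field(default_factory=dict)
    loopback: str = ""  # "" (off) or "replace"; a computer-side setting
    apply_groups: frozenset = frozenset({"Authenticated Users"})
    deny_groups: frozenset = frozenset()  # explicit Deny on Apply Group Policy


@dataclass
class Principal:
    name: str
    ou: str
    groups: frozenset = frozenset()


def applies_to(gpo, user):
    """Group filtering: an explicit Deny beats any Allow."""
    groups = user.groups | {"Authenticated Users"}
    return bool(groups & gpo.apply_groups) and not (groups & gpo.deny_groups)


def user_rsop(user, computer, gpos):
    """Resultant user-side settings for `user` logged on at `computer`."""
    replace = any(g.linked_ou == computer.ou and g.loopback == "replace" for g in gpos)
    # Normal processing follows the user's OU; Replace follows the computer's OU.
    scope_ou = computer.ou if replace else user.ou
    result = {}
    for gpo in gpos:
        if gpo.linked_ou == scope_ou and applies_to(gpo, user):
            result.update(gpo.user_settings)
    return result


def can_browse(user, computer, gpos):
    return user_rsop(user, computer, gpos).get("ProxyServer") != FAKE_PROXY


# Constructed scenario; "DisableChangingProxy" is a hypothetical key name.
BLOCK = {"ProxyServer": FAKE_PROXY, "DisableChangingProxy": True}


def build_gpos(loopback):
    return [
        GPO("nointernet", "Staff", BLOCK, apply_groups=frozenset({"Nointernet"})),
        GPO("restricted-pcs", "Restricted PCs", BLOCK, loopback=loopback,
            deny_groups=frozenset({"Domain Admins"})),
    ]


alice = Principal("alice", "Staff", frozenset({"internetgroup"}))
bob = Principal("bob", "Staff", frozenset({"Nointernet"}))
admin = Principal("admin", "Staff", frozenset({"Domain Admins"}))
restricted_pc = Principal("PC01", "Restricted PCs")
office_pc = Principal("DESK07", "Workstations")

if __name__ == "__main__":
    for mode in ("", "replace"):
        for who in (alice, bob, admin):
            ok = can_browse(who, restricted_pc, build_gpos(mode))
            print(f"loopback={mode or 'off':8} {who.name:6} browse={ok}")
```

With loopback off, the user-side settings of the GPO linked to the computer OU never reach `alice`, which is the symptom described in replies 2 and 4.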