AD and Network Access


ldd

Hi all,

I intend to move from a workgroup to an AD config. However, I faced a problem.

Is there any way I can allow my users to connect to network
resources (file sharing, Internet, email) only when he logs on to the AD
domain,

however if he logs on to his own computer only, he does not have any network
access?

Thanks
ld
 
ldd said:
Hi all,

I intend to move from a workgroup to an AD config. However, I faced a
problem.

Is there any way I can allow my users to connect to network
resources (file sharing, Internet, email) only when he logs on
to the AD domain,

however if he logs on to his own computer only, he does not have any
network access?

Thanks
ld

Unless he's logged on locally with a user account that is spelled exactly
the same as the domain account, along with the password, or he/she can use a
secondary logon by right-clicking, selecting Run As, and providing the domain
credentials. Also, with mapped drives, you can specify an account other than
the logged-on account to connect to the share.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Oh... What I want is to allow him to access the network only when he is
logged on to the domain, if he is logged on locally no network access is
allowed

Can this be done?
 
ldd said:
Oh... What I want is to allow him to access the network only when he
is logged on to the domain, if he is logged on locally no network
access is allowed

Can this be done?
Access the Internet or are you talking about totally disabling accessing any
network resource, even the Internet? Any machine is a network client and
totally disabling it doesn't seem feasible. You could go into the local
group policy (gpedit.msc) and force a rogue Proxy server (under admin
templates, IE) to disable Internet Explorer's ability but you would have to
make sure that in the domain policy or at least the GPO on the OU where the
user account exists that you set it to a real one or none at all so it
overrides it when he/she logs into the domain.

Is this what you mean?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Oh... I mean it would be best if we can disable network access completely if
logged on locally, but it seems that you are right, I guess I will only disable
access to the Internet.

What about email... can email be the same? Only allow email to be downloaded or
sent when logged on to the domain, but other than that the user cannot send or
download email.

Thanks


 
ldd said:
Oh... I mean it would be best if we can disable network access completely if
logged on locally, but it seems that you are right, I guess I will only disable
access to the Internet.

What about email... can email be the same? Only allow email to be downloaded or
sent when logged on to the domain, but other than that the user cannot send or
download email.

Thanks

For mail, the best way is to use your internal (if you have one) Exchange
server as "Exchange Services" (as a MAPI client) and not a POP account.
Exchange uses the logged-on account as authentication. Otherwise, if it's a POP
account, it doesn't look good.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Alright... Thanks, Ace. In that case I will just block access to the
Internet.


 
I tried your advice. But unfortunately, it doesn't work.

I configured 3 options in local GPO on a notebook for testing.

1) Local Computer Policy->Computer Configuration->Administrative Templates->Internet Explorer
Make proxy settings per-machine (rather than per-user): Enabled

2) Local Computer Policy->User Configuration->Windows Settings->Connection
Proxy Settings
Settings for proxy: Proxy 1.2.3.4 Port: 808

3) Local Computer Policy->User Configuration->Administrative Templates->Windows Component->Internet Explorer
Disable changing proxy settings: Enabled

I configured 3 options in the domain GPO on a DC with changes only to
setting Proxy Settings to none (unticked check box).

The test >>

Initially when I logged on locally I wasn't able to use IE as there was a
proxy setting set to 1.2.3.4, which is what I want.

Then I logged off and I logged on to my domain and I was able to use IE
since the proxy field was blank.

Now after I logged off again and logged on locally, I was still able to use
IE (the proxy field was still blank).

By right, I shouldn't be able to use IE. But when I run gpedit.msc locally,
the proxy setting was still 1.2.3.4 with port 808.....

Am I missing out something?


 
ldd said:
I tried your advice. But unfortunately, it doesn't work.

I configured 3 options in local GPO on a notebook for testing.

1) Local Computer Policy->Computer Configuration->Administrative Templates->Internet Explorer
Make proxy settings per-machine (rather than per-user): Enabled

2) Local Computer Policy->User Configuration->Windows
Settings->Connection Proxy Settings
Settings for proxy: Proxy 1.2.3.4 Port: 808

3) Local Computer Policy->User Configuration->Administrative Templates->Windows Component->Internet Explorer
Disable changing proxy settings: Enabled

I configured 3 options in the domain GPO on a DC with changes only to
setting Proxy Settings to none (unticked check box).

The test >>

Initially when I logged on locally I wasn't able to use IE as there
was a proxy setting set to 1.2.3.4, which is what I want.

Then I logged off and I logged on to my domain and I was able to use
IE since the proxy field was blank.

Now after I logged off again and logged on locally, I was still able
to use IE (the proxy field was still blank).

By right, I shouldn't be able to use IE. But when I run gpedit.msc
locally, the proxy setting was still 1.2.3.4 with port 808.....

Am I missing out something?



Did you try to refresh the settings?
If W2K, use:
secedit /refreshpolicy machine_policy /enforce

If XP Pro, use:
gpupdate

See if that helps.

It should have worked automatically. However, if that command works for you,
you could put that into a simple logon script for local accounts.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
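
A check for the test described in this thread, as an added example that is not part of any participant's post: it reports whether the current session is a local or a domain logon and which Internet Explorer proxy values are in effect, so a stale or blank proxy after switching logons is visible without opening gpedit.msc. It assumes PowerShell is available on the client (it was not part of Windows 2000 or XP by default), uses the standard Internet Settings registry locations, and takes the placeholder proxy 1.2.3.4:808 from the thread.

```powershell
# Added example: compare logon type with the IE proxy settings in effect.
$BlockingProxy = '1.2.3.4:808'   # placeholder proxy used in the thread
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$userKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-ProxyState {
    param([string]$Path)
    [pscustomobject]@{
        Hive        = $Path.Substring(0, 4)
        ProxyEnable = Get-RegValue $Path 'ProxyEnable'
        ProxyServer = Get-RegValue $Path 'ProxyServer'
    }
}

# A local account reports the computer name as its "domain".
$isLocalLogon = ($env:USERDOMAIN -eq $env:COMPUTERNAME)
$logonType    = if ($isLocalLogon) { 'local' } else { 'domain' }

# "Make proxy settings per-machine" writes ProxySettingsPerUser = 0.
$perMachine = ((Get-RegValue $policyKey 'ProxySettingsPerUser') -eq 0)

$machine   = Get-ProxyState $machineKey
$user      = Get-ProxyState $userKey
$effective = if ($perMachine) { $machine } else { $user }

"Logon       : {0}\{1} ({2})" -f $env:USERDOMAIN, $env:USERNAME, $logonType
"Per-machine : $perMachine"
$machine, $user | Format-Table -AutoSize | Out-String

# The blocking proxy should be active for local logons only.
$blocked = ($effective.ProxyEnable -eq 1) -and
           ("$($effective.ProxyServer)" -like "*$BlockingProxy*")

if ($isLocalLogon -and -not $blocked) {
    Write-Warning 'Local logon, but the blocking proxy is not in effect.'
} elseif (-not $isLocalLogon -and $blocked) {
    Write-Warning 'Domain logon, but the blocking proxy is still in effect.'
} else {
    'Proxy state matches the logon type.'
}
```

Run it once after each logon in the test sequence (local, domain, local again) and compare the three outputs.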
 