Different policy for logon locally


Oliver

I'm having the following challenge for which I must come up with a solution;
I could not find a way to do this so I guess it's time to ask the experts.

We have a few people in our organization that for various reasons are
working off personal laptops and for various political reasons no one has
the power to stop this (inside company politics, don't even ask why), so
since it's one's private laptop I can't really control nor implement company
policies on these machines, yet I was told to control it while they use it
inside our network. So my first thought was: OK, I'll have them join the
domain and they can choose to either logon locally when home and logon to
the network at work. Turned out that it didn't really work all that well,
let me explain. First, here is the list I must accomplish as per Mr. big boss
while connected to the network:

1) restrict all games
2) block all chat programs
3) remove auto hide feature from taskbar
4) remove power management
5) disable offline folders
6) remove and disable the 'show hidden files and folders' from the
   folder options
7) disable internet access when logged on locally (the only way to
   force them to logon to the network)

OK, let's review one by one.

1) Restrict all games

For this I utilized the 'Software Restriction Policy' which worked perfectly
well, the problem was that the restriction was in place even when the user was
logged on locally from home, and I'm not allowed to restrict someone's private
life, problem number one.

2) Block all chat programs

Well, much like everyone else I turned to my firewall for help just to find
out that most chat clients these days will always outsmart the firewall
(connecting over port 80, who would have thought of that), so once again I
utilized 'Software Restriction Policy' for all chat programs, but once again
I was facing the same issue as described in problem one.

3) Remove auto hide

I was only able to find a setting to disable access to the entire taskbar,
anything else?

4) Remove Power Management

No policy setting for that, so again a registry hack, so I guess I would have
to find a way to modify the registry (doable?). Will the setting stick around
when they logon locally?

6) Disable the 'show hidden files and folders'

I was able to remove Folder Options from the Tools menu, but it didn't
actually remove the setting.

7) This is the key question. I know I could restrict internet access by
setting a fake proxy policy (is there a better solution?), so how do I set it
up so that it only applies when they logon locally while in the office,
and is removed when they logon on the network? Or perhaps an alternative: how
can I force the user to logon to the network so I can apply all the
policies? They currently don't even bother logging on, they map a drive to
the data and give the username and password.
 
OK, I think as far as the SRP, I may have enabled it on the Computer
Configuration, I'll remove it and re-do it on the User Config, that should
take care of that, still need help with the other stuff, so now the SRP will
not kick in unless they logon which I still don't know how to make this
possible.
 
I have to wonder how are you going to force a user to logon to the domain??
If they can logon to their local computer they can bypass any user
configuration settings you enforce for domain users. A user does not have to
logon to the domain to access domain resources [as you indicated] as long as
they have credentials on the domain, though IPsec policies can prevent any
user on a non domain computer from accessing domain resources that have an
IPsec "require" policy. Assuming you can force them to logon to the domain
then you can implement most of what you need to do. Software Restriction
Policy can be configured in user configuration but I don't believe you can
do that in a W2K domain - only computer configuration, which is why you are
experiencing the problems you are, as computer configuration Group Policy
applies to ALL users that logon to a domain computer.

As far as internet access if you configure proxy settings via user
configuration, it should not apply when a user logs on locally. The bottom
line is however that you can not force a user to logon to the domain if they
can logon to the local computer. You can however force a user to not logon
locally if they are not a local admin and then they can logon only with
cached domain credentials when not connected to the domain BUT they will
still have domain user configuration Group Policy applied. In other words I
can not see any way for you to do what you have been ordered to do - sorry.
The bigger concern is that non secured computers that very well could
contain malware including back doors are connected to your network. The real
solution is to issue these users company laptops and then lock them down per
policy. Unfortunately I doubt they would be open to that idea from what you
describe. --- Steve
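
A read-only check of the scoping described in the reply above, as an added example that is not part of the thread: it reports whether the current session is a local-account or a domain logon, and whether Software Restriction Policy, proxy and hidden-file settings sit in the machine hive (all users) or the user hive (this profile only). The registry paths and value names are the standard Windows locations, assumed here rather than quoted from the posts, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Run as the logged-on user on the laptop being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SrpSummary {
    param([string]$Root)
    # DefaultLevel is written when an SRP is defined (assumed standard layout);
    # the level-0 subkeys hold the Disallowed path and hash rules.
    $rules = @(foreach ($kind in 'Paths', 'Hashes') {
        Get-ChildItem -LiteralPath "$Root\0\$kind" -ErrorAction SilentlyContinue
    })
    [pscustomobject]@{
        Configured      = ($null -ne (Get-RegValue -Path $Root -Name 'DefaultLevel'))
        DisallowedRules = $rules.Count
    }
}

function Get-LogonPolicyScope {
    # A local account reports the computer name as its logon domain.
    $localAccount = ($env:USERDOMAIN -eq $env:COMPUTERNAME)
    $domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Computer Configuration lands in HKLM, User Configuration in HKCU.
    $srpMachine = Get-SrpSummary 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srpUser    = Get-SrpSummary 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $inetUser   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $explorer   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden     = Get-RegValue -Path $explorer -Name 'Hidden'   # 1 = show, 2 = do not show

    [pscustomobject]@{
        Account             = "$env:USERDOMAIN\$env:USERNAME"
        LocalAccountLogon   = $localAccount
        ComputerInDomain    = $domainJoined
        SrpComputerScope    = $srpMachine.Configured
        SrpComputerDisallow = $srpMachine.DisallowedRules
        SrpUserScope        = $srpUser.Configured
        SrpUserDisallow     = $srpUser.DisallowedRules
        ProxyEnabled        = ((Get-RegValue -Path $inetUser -Name 'ProxyEnable') -eq 1)
        ProxyServer         = (Get-RegValue -Path $inetUser -Name 'ProxyServer')
        ShowsHiddenFiles    = ($hidden -eq 1)
    }
}

$report = Get-LogonPolicyScope
$report | Format-List

if ($report.LocalAccountLogon -and $report.SrpComputerScope) {
    'Computer-scope SRP is defined and this is a local-account logon: the restriction follows the machine, not the user.'
}
if ($report.LocalAccountLogon -and -not $report.SrpUserScope) {
    'No user-scope SRP in this profile, as expected for an account that never receives domain User Configuration.'
}
```

Running it once under the local account and once under the domain account on the same laptop shows which of the seven requirements are tied to the machine and which to the domain profile.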
 
Thanks Steven for your response, I guess I will pass along your information.
What about the other things, how can I accomplish removing power management
and disable show hidden folders (not just removing Folder Options since it
doesn't disable it), assuming I could get them to logon to the network?

 
I don't know of a way to disable show hidden folders once they have been
enabled. Usually you can use Group Policy to control that by removing folder
options before user has a chance to change it. I did find a link to a registry
setting that may help, though it looks as if it will apply to all users. As far
as power management, I have not tried it myself but see the link below to a free
product that may be able to help you. --- Steve

http://www.energystar.gov/index.cfm?c=power_mgt.pr_pm_ez_gpo -- ENERGY STAR's
free EZ GPO tool
http://www.theeldergeek.com/show_hidden_operating_system_files.htm

 
OK, how about using RAS on my 2k3 box: I'll make these laptops gateway to the
RAS, configure RAS to route, and allow specific users to be routed, this way
they will be forced to logon to use the internet. I guess I'll ask the RAS
group.

 
You could try that but you will have to make sure that the users logon to
the remote access server via VPN by selecting the remote access connection
before they logon to their computer and you are back to the same dilemma of
how to force them to do that. If they logon to their computer first and
then connect to the VPN server, they will not receive logon Group
Policy. --- Steve


 