Internet restriction


Guest

Hi everybody,

I have one OU. In this, all employees are there and team leaders also.
How to apply a GPO to allow internet for only team leaders and deny all
employees?

I know the option is there if we separate with two different OUs.

But I want to know, is it possible to implement within one OU?

Thanks
srikrishna
 

Ken B

You would have to make the GPO, and change the ACL to Deny Read & Apply
Policy to the team leaders (either by individual or a security group).

A better solution, that I would use, would be to rename the original OU,
create 2 sub-OUs, so the structure would look like:
Domain
|
|- Staff
|  |
|  |- Team Leaders
|  |- Employees
|
|

But that may not be possible based on your business constraints.

HTH

Ken
 

Cary Shultz [A.D. MVP]

Srikrishna,

You could very easily accomplish this. One way would be to install ISA
2000. This would be a good way to do this. However, it would require some
cash outlay ( possibly for both hardware and software so probably not a very
interesting suggestion, then ).

Another way that you could accomplish this is to use Group Policy. Now,
since all of your user account objects are in one OU this would require us
to make use of a more advanced area known as Group Filtering. We will get
to that in a second.

And, before we go on this is based on WIN2000 Active Directory with WIN2000
Pro and WINXP Pro clients. If you have WIN9x or WINNT 4.0 clients then this
will not work.

So, we need to do three things in your case:

1) create a 'fake' proxy address
2) disable the users' ability to change this
3) use a security group to selectively filter to which user account objects
this will apply

So, for the first 'thing' you would need to create and link the GPO to the
OU that contains all of your user account objects. This should be the easy
part! Simply right click on the OU, select New | Organizational Unit and
then give it a friendly name ( such as 'No Internet Access' ).

Technically, the GPO has just been created. However, it is blank. So we
need to click on the Edit... button and navigate to User Configuration |
Windows Settings | Internet Explorer Maintenance | Connections and then in
the right panel we want to double-click on Proxy Settings. Simply enter in
a fake IP Address ( so, if you have a 192.168.1.x network you might want to
enter 172.16.10.34 or 192.168.56.109 as the proxy address ). This will make
it pretty difficult for your users to access the Internet!

But, this is just the first part. As it stands now they could still
right-click on Internet Explorer, select Properties and go to the
Connections tab and change it to something valid or completely remove it.
We can not allow this. So, we need to make sure that they can not access
the Connections tab. How do we do this? Very simply! Simply navigate to
User Configuration | Administrative Templates | Windows Components |
Internet Control Panel and in the right pane we want to enable the 'Disable
the connections page' entry. So, now they can not access that tab to change
the proxy address. This is good. We have just done what you needed to do.

But, there is still one little problem. This is going to affect each and
every domain user account object that directly resides in the OU to which
you have linked the 'No Internet Access' GPO. You do not want the team
leaders to be affected by this GPO. How do we ensure that this happens?

By default, there is a security group called 'Authenticated Users' that has
both READ and APPLY GROUP POLICY rights to each and every GPO that you
create. 'Authenticated Users' contains all user account objects and
computer account objects. We are applying this to the user configuration
side so we are not worried about the computer account objects. However, all
of the user account objects will fall under the Scope of Management of this
GPO. We do not want this ( and I assume that you do not want to move these
'team leaders' to another OU as you probably have other GPOs linked to this
OU ).

So, go to the Security tab of this GPO and remove the Authenticated Users
security group. Simply replace it with a security group ( possibly one that
you will need to create ) that has all of the user account objects that you
want affected by this GPO as members. Do not forget to give this security
group both the READ and APPLY GROUP POLICY rights.

Now you are done.

HTH,

Cary
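The three steps from Cary's answer (create and link the GPO, set the dummy proxy and lock the Connections tab, then filter by security group), scripted here as an added example with the GroupPolicy (RSAT) module; this is not code from the thread. The GPO name, OU distinguished name, group name and proxy address are assumed or constructed values, and the registry paths are the ones the GUI policies write to.

```powershell
# Added example, not from the original thread. Requires RSAT GroupPolicy module
# and a domain account allowed to create/link GPOs.
Import-Module GroupPolicy

$gpoName   = 'No Internet Access'            # assumed GPO name (from Cary's post)
$ouDn      = 'OU=Staff,DC=example,DC=com'    # assumed OU that holds all user objects
$filterGrp = 'No Internet'                   # assumed group of users to be blocked
$fakeProxy = '172.16.10.34:8080'             # constructed, unreachable proxy address

# 1) Create the GPO (if missing) and link it to the OU.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Blocks Internet for members of the No Internet group' }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2a) Point WinINET/IE at the dummy proxy on the user side. IE Maintenance from the
#     post no longer exists in current IE; writing the same keys as policy values
#     gives the same effect.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName ProxyEnable -Type DWord  -Value 1          | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName ProxyServer -Type String -Value $fakeProxy | Out-Null

# 2b) "Disable the connections page" so users cannot change the proxy back.
$cpl = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $gpoName -Key $cpl -ValueName ConnectionsTab -Type DWord -Value 1 | Out-Null

# 3) Security filtering: remove Authenticated Users, grant Read + Apply to the group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGrp            -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 (2016) the computer account reads user-side GPOs, so keep Read
# (not Apply) for Domain Computers or user policy silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

# Verify the Scope of Management before calling it done: only the filter group
# should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "$($_.Trustee.Name): $($_.Permission)" }
```

Run `gpresult /r` as a member of the filter group and as a team leader afterwards to confirm the GPO is listed under Applied Group Policy Objects for the first and Filtered Out for the second.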
 

Guest

So in the security group which I created, the members are

normal users (which do not allow internet) OR
Team Leaders (which can allow internet)

Thanks,
srikrishna
 

Cary Shultz [A.D. MVP]

Yes,

And the security group that you would use in the Group Filtering would be
the 'Normal users'. Why that group? Because we want the members of this
group to be affected by the GPO that we just created. So, remove the
Authenticated Users group from the Security Tab on the GPO and replace it
with the security group "Normal Users" ( I would call it 'No Internet' or
something more descriptive so that you would be able to remember what the
purpose of this group is six months down the road. I would also document
this in the Description field of the group so that it is right there! ) and
make sure that you give this group the READ and APPLY GROUP POLICY. You
would not need to create - well, not for this GPO anyway - the 'Team
Leaders' group. Were you to add this group to the Security tab of the GPO
and give it the two rights mentioned then the members of this security group
would fall under the Scope of Management of this GPO and they, too, would
not be able to access the Internet!

Ken's suggestion is probably the best route to take if this would not create
too many problems with your current setup.

What you want to try to do is to set up your Organizational Units in such a
way that any GPOs that you need to create can either be linked to the
'parent' OU ( 'Staff' in his example, for any policies that need to affect
everyone ) or to the specific OU ( 'Employees' in the layout that Ken
created for you ). This way you minimize the number of links that you have
and - more importantly - you minimize your need to make use of Group
Filtering. In a well thought-out OU design you would have minimized links
and almost zero use of Group Filtering.

My initial response - and I should have mentioned it at the time of the
response - was simply a possible solution to your specific question. I was
a bit remiss in addressing the larger issue. Well, I kinda mentioned
it.....

Anyway, if possible I might take a look at the OU design and at what GPOs
you currently have ( and whom they affect and to what OU they are linked )
and see if you might want to consider redesigning things. However, we do
not have a lot of information on your environment so a re-thinking of the OU
design might not be necessary. That is your call.

HTH,

Cary
 