per machine instead of per users

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I need help please.
I want to accomplish the following:
I want restrict stations by netbios name not access the internet.
I want administrator able go to this phsyical stations and able to get
internet access
I have three gpo rules:
rule 1 call userinternet here I have internetgroup and choice per user.

rule2: nointernet stop same as above except this time I stop internet access

Both these rules work great

rule 3 a group computer by netbois namecomputers are restricted internet
with exception administrators.

The problems lies when one my users who have internet rights can access the
internet from this physical pc. I ultmatly want this physical station not to
surf no matter who sighn on with exception of administrator.

How is this possible please help
 
Frank,

Please tell us how you are doing what you are doing! There are a couple of
ways to do this.....Also, the assumption is that you are running WIN2000
Active Directory with either WIN2000 Pro or WINXP Pro clients.

One way that you might consider would be as follows:

Create a security group called 'nointernet' - or whatever - and make the
appropriate domain user account objects members of that group. Then, create
an Organizational Unit and move those domain user account objects into that
OU. This might not be possible - or very difficult based on your current
setup and other GPOs. There are ways around this.....

Then, create a GPO that is linked to this OU ( the one that you just created
and contains the individual domain user account objects ) whereby you give a
fake proxy address ( IP Address ) -A*N*D- you disable the user's ability to
change this IP Address. So, if you have a 192.168.1.x IP scheme in your
single subnet environment you could use 172.16.102.208, for example, as the
proxy address. This is done on the user configuration side of things.
Specifically, you would go to User Configuration | Windows Settings |
Internet Explorer Maintenance | Connection -------- Proxy Settings to add
the 'fake' IP Address and then go to User Configuration | Administrative
Templates | Internet Explorer --------Disable Changing Proxy Settings to,
err, disable the users from changing the 'fake' proxy settings. Why did you
create the security group from above? Well, if you can not move the users
who should be affected ( it seems as though you have some users who should
be able to access the Internet as well as some users who should not be able
to access the Internet ) by this GPO to a separate OU then simply link this
GPO to the OU that contains your user account objects and simply go to the
Security tab of the GPO, remove the Authenticated Users group and add your
'Nointernet' group. Make sure that you give this group READ and APPLY GROUP
POLICY....In fact, I would suggest that you create the security group anyway
and get rid of the Authenticated Users group anyway....BTW - this is called
Group Filtering and is a bit more advanced.

So, this will affect the users only - regardless of which computer they are
using. It will not affect any 'Administrator' account as it/they would not
be members of the 'Nointernet' security group!

Now, this will affect the users. Okay! I am repeating myself. You would
also like this based on which computer a user is using at the moment. Like
I said above, it does not matter what computer the user is using....the GPO
affects only the users!

To do this based on computers, you would need to look at Loopback Processing
in Replace Mode. You would simply create an OU and move the computer account
objects to be affected into that OU. You then create the GPO and link it to
that OU. It sounds all very similar. Well, loopback changes the way that
GPOs are processed. This will be exactly what you need to resolve your
'computer based' need. You would just have to make sure that you explicitly
deny Domain Admins - or similar - the APPLY GROUP POLICY.

So, now you have the two GPOs that will cover all three of your needs!

Got it?

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
I did excatlly what you suggested. However user who have rights to internet
still go to the phsyical machine and surf. I want stop this machine with the
exception of administrator.

If any knows how to do this please help
 
Frank,

Did you do all the things that I suggested? I promise you that if you use
loopback correctly ( which I am going to assume that you did not ) then the
users would not have access to the Internet ( read: have the fake proxy IP
Address ) when logging onto the computers that are under the Scope of
Management of the loopback ( hint: need to use replace mode.....not merge!
This might be your error ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
I might have not made myself clear here:

I already have a rule that works that a "nointernet user" does not matter
which computer they go to they will not access the internet. Then I have a
second rule which has "internet user" and it does not matter which computer
they go to they have internet access. It excatlly the same steps by fake out
the ip with the noninternet users. Thes two rules works great. Now I have 20
physical computers and I want these phsyical computers having no internet
usage at all no matter who sign in except for administrator.

Even when I tryed your steps the users with "internet access" can go to
these 20 pc at still get internet and I want the "internet access group"
restrict when go to these 20 pc

You rules do not work they are the same as mine and only work with 2 of 3
rules.
I would like 3 of 3 anyone who knows how to do this third rule where I can
restrict these 20 pc even if the user is in "internet allow group" that would
be great.

And fyi: I have try create a computernointernet group put these 20pc in that
group and then creating a ou move the 20 computers in that ou and then link
the gpo rule to ou.
Guess what the user with internet access rights can still go to any these 20
computer and access internet

So how do I get these 20 pc no internet access no matter who sign on expect
for administrator sorry to repeat myself but I just make clear excatlly what
I need.


Thanks for any help in advance
 
Hi,
I ultmatly want this physical station not to surf no matter who sighn
on with exception of administrator.
Click to expand...

If the fake Proxy settings don’t work for you (Great idea by the way
but only works for IE) my advice is to buy a firewall. I recommend ISA
as you can restrict Internet Access via user group or computer or
both. However, there are nice free linux firewalls out there but I
don’t know linux so I can’t recommend one.

Cheers,

Lara
 
Back
Top