Unofficial empeg BBS

#185562 - 20/10/2003 14:10 GPO question
BleachLPB
enthusiast

Registered: 01/11/2001
Posts: 354
Loc: Maryland
Hey all,

I realize a majority of people here are Linux-oriented, but I'm hoping some MS people lurking out there are reading too...

I have a question regarding Group Policy in Active Directory. I've searched the internet high and low, and posted in other various MS/AD/whatever oriented groups and forums - and have come up with not much. Knowing that this forum is an excellent resource, hopefully someone else here has run into this situation or one similar.

I am trying to apply an IP Security policy to a group of users using a GPO - but you can only apply IP Security policies under the computer configuration and therefore I cannot effect this change to specific users and only specific computers.

Here is the scenario: I want to restrict access to the Internet. I could just allow access to all computers by default, then create a security group (i.e. "DenyInternet"), add computer accounts to that group that I don't want to have access, then configure that group to apply a GPO that denies HTTP/HTTPS using an IP security policy. This works now.

But, because users often hop around different machines, this will not work. It's almost like Group Policy Loopback Processing - but the other way around. Instead of applying user policies based on the location of a computer account, I want to apply a computer policy based on a user account. But since the computer policies process when the computer turns on and not when a user logs on, I may have just answered my own question. But I'm hoping someone out there might have a better solution or know something that I don't.

Currently, users are restricted from the internet by way of an authentication applet which is very annoying.

Thanks,
_________________________
BleachLPB ------------- NewFace MK2a

#185563 - 20/10/2003 14:34 Re: GPO question [Re: BleachLPB]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
If it were me, I'd simply ignore the whole Group Policy thing (since some users might be running Win98 which doesn't have that crap anyway), and just use Microsoft Proxy server for their internet connection. Then you can choose which users and groups get access from the proxy server's console.
_________________________
Tony Fabris

#185564 - 20/10/2003 15:00 Re: GPO question [Re: tfabris]
BleachLPB
enthusiast

Registered: 01/11/2001
Posts: 354
Loc: Maryland
Agreed - but spending money (on IAS) isn't a very popular option, especially when I'm fixing something that isn't really broken.

Remember, I'm trying to "do more with less".
_________________________
BleachLPB ------------- NewFace MK2a

#185565 - 20/10/2003 15:01 Re: GPO question [Re: BleachLPB]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
> Remember, I'm trying to "do more with less".

Ah. In other words, the exact opposite of what Windows stands for (which is "do less with more").
_________________________
Tony Fabris

#185566 - 20/10/2003 15:06 Re: GPO question [Re: BleachLPB]
siberia37
old hand

Registered: 09/01/2002
Posts: 702
Loc: Tacoma,WA
Short of installing a third-party proxy or NAT, I think your only option is to use the Group Policy setting under User Config/Windows Settings/Internet Explorer Maint/Connection/Proxy Settings and set the proxy server address to a nonexistent address for those "banned" users. Of course, once they figure out they can install Opera or Netscape you will be screwed on this one, but if your users aren't particularly creative this will work.

#185567 - 20/10/2003 15:09 Re: GPO question [Re: BleachLPB]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Do you have internal websites that have to be accessed by these users? It'd be possible to deny use of IE on a per-user level.

-Zeke
_________________________
WWFSMD?

#185568 - 21/10/2003 06:12 Re: GPO question [Re: siberia37]
BleachLPB
enthusiast

Registered: 01/11/2001
Posts: 354
Loc: Maryland
> I think your only option is to use the Group Policy setting under User Config/Windows Settings/Internet Explorer Maint/Connection/Proxy Settings and set the proxy server address to a nonexistent address for those "banned" users

Hmm I hadn't thought of that but I think I'll give this a try. Thanks for the tip! Our users are not terribly proficient.... so little worry about rogue Opera or Netscape installs. Some still have trouble using a mouse.
_________________________
BleachLPB ------------- NewFace MK2a
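
Added example, not part of any post in the thread: a PowerShell check to run in a restricted user's session to confirm that the Internet Explorer proxy setting discussed above took effect. The function names are hypothetical; the registry path and value names are the standard per-user Internet Settings ones, and the check reports only what Internet Explorer will use, not other browsers.

```powershell
# Added example. Function names are hypothetical; the registry path and
# value names are the standard per-user Internet Settings ones.

function ConvertFrom-ProxyServerValue {
    # ProxyServer is either "host:port" (used for every protocol) or
    # "http=host:port;https=host:port;..." (one entry per protocol).
    param([string]$Value)
    $map = @{}
    foreach ($part in ($Value -split ';' | Where-Object { $_.Trim() })) {
        if ($part -match '^\s*([^=]+)=(.+)$') {
            $map[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
        } else {
            $map['all'] = $part.Trim()
        }
    }
    return $map
}

function Get-UserProxyRestriction {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')
    $s = Get-ItemProperty -Path $Path
    $proxies = ConvertFrom-ProxyServerValue $s.ProxyServer
    $findings = @()
    if ($s.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1: connections go direct, restriction not in effect'
    }
    foreach ($proto in 'http', 'https') {
        # With a per-protocol list, a protocol that is not listed goes direct.
        if (-not ($proxies.ContainsKey($proto) -or $proxies.ContainsKey('all'))) {
            $findings += "No proxy configured for $proto"
        }
    }
    if ($s.AutoConfigURL) {
        $findings += "AutoConfigURL is set and may supply a different proxy: $($s.AutoConfigURL)"
    }
    if ($s.ProxyOverride) {
        # Expected when internal sites must stay reachable; review the entries.
        $findings += "Bypass list (ProxyOverride): $($s.ProxyOverride)"
    }
    [pscustomobject]@{
        User        = "$env:USERDOMAIN\$env:USERNAME"
        ProxyEnable = $s.ProxyEnable
        ProxyServer = $s.ProxyServer
        Findings    = $findings
    }
}

Get-UserProxyRestriction | Format-List
```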
