How to deny access to list network resources?
- Hi guys,
I'm trying to restrict access to list network access via group policies to TS users.
Let me explain: When a user accesses the environment via Terminal Services, he/she can click on "Network" in Windows Explorer and list all computers and servers from the network.
I want to deny access to list these computers from the network via Group Policy. Can you help me?
Below are the steps that I've tried, but they do not work. Am I doing something wrong?
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Name: NoNetHood
Type: REG_DWORD
Value: 1
And..
Desktop
Do not add shares of recently opened documents to Network Locations
Hide Network Locations icon on desktop
Start Menu and Taskbar
Remove Network Connections from Start Menu
Remove Network icon from Start Menu
Windows Components/Network Sharing
Prevent users from sharing files within their profile.
Windows Components/Windows Explorer
No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove "Map Network Drive" and "Disconnect Network Drive"
OS Server: Windows Server 2008 SP1
OS Client: Windows Vista SP1
Thank You!
Answers
Hi,
I agree with Florian that you should consider 'Loopback Processing Mode' and configure these Group Policies under User Configurations.
<I want to deny access to list these computers from the network via Group Policy. Can you help me?>
Based on my research, unfortunately, there is no corresponding GP to directly deny a user from browsing the 'network list'.
If you want to hide other PCs, we can perform the following steps to disable Network Discovery so that no computers are listed when a customer clicks the “Network” button in Windows Explorer.
1. Logon as Administrator and open Control Panel -> Network and Sharing Center.
2. In the “Sharing and Discovery” part, configure “Network discovery” as Off.
However, this method doesn't actually block users from accessing or browsing other servers. Users can still use other methods to view other servers.
If you want to restrict the user from accessing other servers, we may create and link a group policy to the domain and add the user to the “Deny access to this computer from the network” right (Computer Configuration -> Windows Setting -> Security Setting -> Local Policy -> User Rights Assignment). In this way, the user will be unable to access network resources on other servers.
To grant the user access to the target server, we may use security filtering to deny the target server computer account from applying this policy.
To filter using security groups:
1. Open Group Policy Management.
2. In the console tree, double-click Group Policy Objects, which contains the Group Policy object (GPO) to which you want to apply security filtering (console tree location is: Forest name/Domains/Domain name/Group Policy Objects).
3. Click the GPO.
4. In the results pane, on the Scope tab, click Add.
5. In the Enter the object name to select box, type the name of the group, user, or computer that you want to add to the security filter. Click OK.
If Authenticated Users appears in the Security Filtering section of the Scope tab, select this group and click Remove. This will ensure that only members of the group or groups you added in step 5 can receive the settings in this GPO.
Alternatively, to achieve this, you can also configure firewall or other third-party products.
Hope this helps. If anything is unclear, please post back.
Best wishes
--------------
Morgan Che
- Proposed As Answer by thiagottss, Tuesday, July 08, 2008 11:19 PM
- Marked As Answer by Morgan Che [MSFT] (Moderator), Thursday, July 10, 2008 1:48 AM
- Howdie!
thiagottss said: I'm trying to restrict access to list network access via group policies to TS users.
Let me explain: When a user accesses the environment via Terminal Services, he/she can click on "Network" in Windows Explorer and list all computers and servers from the network.
I want to deny access to list these computers from the network via Group Policy. Can you help me?
Below are the steps that I've tried, but they do not work. Am I doing something wrong?
What were the steps you tried to set this up? Basically, you need to use a "Loopback Processing Mode" GPO and link it to the TS servers which lets the TSs apply the user configuration settings:
http://support.microsoft.com/kb/231287
http://technet2.microsoft.com/windowsserver/en/library/33a8ff54-151a-47b7-a6c3-92aab07c2d131033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/Library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx
Then link a GPO to the TSs OU where you define those user settings.
cheers,
Florian
Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
- Marked As Answer by thiagottss, Wednesday, December 17, 2008 2:13 PM
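The loopback approach from the replies, scripted as an added example (not code from the thread or from Microsoft). It assumes the GroupPolicy PowerShell module, which ships with Windows Server 2008 R2 and later or with RSAT, and the GPO name and OU path are hypothetical. Merge mode (1) is a choice made here; the thread does not say which loopback mode to use.

```powershell
# Added example: one GPO carrying loopback processing plus the NoNetHood
# value from the question, linked to the OU that holds the terminal servers.
Import-Module GroupPolicy

$GpoName = 'TS - Hide Network (loopback)'           # hypothetical GPO name
$TsOu    = 'OU=Terminal Servers,DC=example,DC=com'  # hypothetical OU path

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback user settings for TS sessions'
}

# Computer side: enable loopback processing so that user settings in GPOs
# linked to the servers' OU apply to anyone who logs on to those servers.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User side: the NoNetHood value the original poster was setting.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
    -ValueName 'NoNetHood' -Type DWord -Value 1 | Out-Null

# Link to the terminal server OU unless a link is already there
# (New-GPLink fails on a duplicate link).
$existing = (Get-GPInheritance -Target $TsOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null
}

# Read both values back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' |
    Format-List
Get-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoNetHood' |
    Format-List
```

After linking, run `gpupdate /force` on a terminal server and check `gpresult /r` from a user session to confirm the GPO shows up under the applied user settings.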