gpo disable network discovery and disable all local admin

  • Question

  • Dears,

    I need some assistance with the 2 options below:

    1) I have an Active Directory 2016 and I need to disable network discovery for all domain users. Is it feasible? My users have Windows 7, 8 and 10.

    2) I created by GPO, a long time ago, a local admin for all the domain PCs. However, some users with domain account permissions created for some users their own local admin users on their devices, and I do not need that. I need to deny all the users from signing in using the local admin of their devices, and I can't at the moment monitor how many users are doing that.

    By using GPO, I can disable the local admin already created by GPO, but how can I disable all the other users?

    Best regards,

    Thursday, September 19, 2019 09:16

All Replies

  • Hi eg1559,

    Thank you for posting in our TechNet forum.

    "I have an Active Directory 2016 and I need to disable network discovery for all domain users. Is it feasible? My users have Windows 7, 8 and 10."

    It is feasible. Below are the steps.

    Under the path Computer Configuration > Policies > Administrative Templates > Network > Link-Layer Topology Discovery:

    1. Enable “Turn on Mapper I/O (LLTDIO) Driver” and then select one or more of the following:

    i. Allow operation while in domain

    ii. Allow operation while in public network

    iii. Prohibit operation while in private network

    2. Enable “Turn on Responder (RSPNDR) Driver” and then select one or more of the following:

    i. Allow operation while in domain

    ii. Allow operation while in public network

    iii. Prohibit operation while in private network

    Be advised that changing a Group Policy setting does not always immediately put the changed setting into effect. To ensure that the Group Policy setting is applied, either restart the computer that you want the Network Discovery Map on, or run gpupdate /force at a command prompt.

    2.

    Although we can't disable all local admin accounts, we can empty the members of the local Administrators group and add specific users/groups to the local Administrators group.

    We can configure it in the following path:

    GPO > Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

    Hope the information can be helpful.

    Regards,
    Vicky


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 20, 2019 07:38
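The reply above rebuilds the local Administrators group by Group Policy Preferences but does not tell the asker which machines currently carry extra local admins. The following is an added example, not code from the thread or from Microsoft, that lists every member of the local Administrators group on the domain's Windows 7/8/10 computers and flags members that are not on an approved list. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell Remoting (WinRM) reachable on the clients, and that the names in `$Approved` (the domain `CORP`, the group `Desktop-Admins` and the GPO-created account `LocalSupport` are all hypothetical) are the only intended members. It uses ADSI rather than `Get-LocalGroupMember` because Windows 7 has no LocalAccounts module.

```powershell
# Added example (not from the thread): audit local Administrators membership
# across domain computers and report members that are not on an approved list.
# Assumes RSAT ActiveDirectory, WinRM on the clients, and hypothetical names
# in $Approved. ADSI is used so the same script block also runs on Windows 7.

#Requires -Modules ActiveDirectory

$Approved = @(
    'CORP\Domain Admins',   # hypothetical domain name CORP
    'CORP\Desktop-Admins',  # hypothetical support group pushed by GPO
    'LocalSupport'          # hypothetical local admin created by the old GPO
)

$AuditBlock = {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain principals and
        # WinNT://DOMAIN/COMPUTER/name (or WinNT://COMPUTER/name) for local ones.
        $parts   = ($path -replace '^WinNT://', '') -split '/'
        $isLocal = ($parts.Count -ge 3) -or ($parts[0] -ieq $env:COMPUTERNAME)
        $enabled = $null
        if ($isLocal -and $class -eq 'User') {
            # A locally created admin that is still enabled is the case the asker wants to find.
            $u = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
            $enabled = -not $u.InvokeGet('AccountDisabled')
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = if ($isLocal) { $name } else { "$($parts[0])\$name" }
            Class    = $class
            IsLocal  = $isLocal
            Enabled  = $enabled
        }
    }
}

# Only the client operating systems the asker mentioned (Windows 7, 8, 10).
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -match 'Windows (7|8|10)' } |
    Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $computers -ScriptBlock $AuditBlock `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

# -notcontains is case-insensitive, so CORP\desktop-admins still counts as approved.
$unexpected = $results | Where-Object { $Approved -notcontains $_.Member }

$unexpected | Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, IsLocal, Enabled -AutoSize
$unexpected | Export-Csv -Path .\unexpected-local-admins.csv -NoTypeInformation
"Computers audited: $(@($results | Select-Object -Unique Computer).Count); unreachable: $(@($unreachable).Count)"
```

Run it from an elevated domain-admin session. Once the unexpected members are known, the Group Policy Preferences item described above (Local Users and Groups, the built-in Administrators group with "Delete all member users" and "Delete all member groups" checked, then the approved members added) rebuilds the group to the approved list on every policy refresh; re-running the audit afterwards confirms that nothing unexpected has come back.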
  • Hi Vicky,

    Enable “Turn on Mapper I/O (LLTDIO) Driver”: this policy is allowing the discovery, or am I wrong?

    Because my aim is to disable network discovery.

    Thank you

    Friday, September 20, 2019 11:49
  • Hi, refer to these:

    1. Disable network discovery 

    In a new or existing GPO:

    1. On Computer Configuration, choose Policies, choose Security Settings, choose Windows Firewall with Advanced Security.

    2. On Windows Firewall with Advanced Security, choose Inbound Rules, right click and choose New Rule

    3. On Rule Type, select Predefined and choose Network Discovery, choose Next

    4. Choose only the following rules:

    a. Network Discovery (LLMNR-UDP-In)

    b. Network Discovery (NP-Name-In)

    c. Network Discovery (Pub-WSD-In)

    d. Network Discovery (SSDP-In)

    5. On Action choose Block the connection

    6. Press Finish

    7. On Inbound Rules, right click and choose New Rule, select Next

    8. Choose only the following Rule:

    a. Network Discovery (NB-Datagram-In)

    9. On Action choose Allow the connection

    10. Press Finish

    11. On Windows Firewall with Advanced Security, choose Outbound Rules, right click and choose New Rule

    12. On Rule Type, select Predefined and choose Network Discovery, choose Next

    13. Choose only the following rules:

    a. Network Discovery (LLMNR-UDP Out)

    b. Network Discovery (NB-Name Out)

    c. Network Discovery (Pub-WSD Out)

    d. Network Discovery (SSDP Out)

    14. On Action choose Block the connection

    15. Press Finish

    16. On Outbound Rules, right click and choose New Rule, select Next

    17. Choose only the following Rule:

    a. Network Discovery (NB-Datagram Out)

    18. On Action choose Allow the connection

    19. Press Finish

    20. On Computer Configuration, choose Policies, choose Security Settings, choose System Services

    21. Choose Computer Browser Service

    22. Select Define this policy setting

    23. Choose Disabled, choose Apply and Ok.

    24. Repeat steps (21-23) for the following services:

    a. SSDP Discovery

    b. UPnP Device Host

    c. Function Discovery Resource Publication

    d. Function Discovery Provider host

    e. Link-Layer Topology Discovery Mapper

    After configuring the GPO, link this GPO to our target OU, and we can run gpupdate /force to immediately update group policy.

    (https://social.technet.microsoft.com/Forums/en-US/cac9ace7-56f4-4093-ad63-60ed61aab936/gpo-for-disable-network-discovery?forum=winserverGP)


    2. Disable all local admin

    The recommended method is the LAPS tool from Microsoft:

    https://www.prajwaldesai.com/how-to-install-and-deploy-microsoft-laps-software/

    https://www.veeam.com/blog/microsoft-laps-deployment-configuration-troubleshoot-guide.html

    https://www.youtube.com/watch?v=78SE1DYIaxo

    Friday, September 20, 2019 11:56
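The procedure above (steps 1 to 24) is a GPO; the following is an added example, not from the thread, that applies the same Network Discovery lockdown on a single machine with the NetSecurity and service cmdlets and then verifies it. It is meant for a pilot host, or to check what the linked GPO should produce on a client; the GPO remains the way to enforce it at scale. Instead of creating new predefined rules it sets the action on the existing predefined "Network Discovery" rules whose names match the thread's list, so the wildcard name patterns below are an assumption about the rule display names on your build. It assumes Windows 8/10 or Server 2012 and later (the NetSecurity module), PowerShell 5, and an elevated prompt; Windows 7 has no NetSecurity module and would need netsh advfirewall instead. On the earlier answer's Link-Layer Topology Discovery policies, one caveat for the asker's question: setting "Turn on Mapper I/O (LLTDIO) Driver" or "Turn on Responder (RSPNDR) Driver" to Disabled prohibits that driver on every network, while Enabled with the "Prohibit operation while in ..." boxes restricts it per network type, and neither touches the firewall rules or the services handled here.

```powershell
# Added example (not from the thread): local equivalent of the Network Discovery
# GPO above, plus verification. Assumes NetSecurity module, PowerShell 5, and an
# elevated prompt. The *-like patterns are an assumption about the predefined
# rule display names on the target build.

#Requires -RunAsAdministrator

function Set-DiscoveryRuleAction {
    param(
        [string[]]$NamePatterns,                                   # wildcards matched against DisplayName
        [ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [ValidateSet('Allow', 'Block')][string]$Action
    )
    $rules = Get-NetFirewallRule -DisplayGroup 'Network Discovery' -Direction $Direction |
        Where-Object { $name = $_.DisplayName; @($NamePatterns | Where-Object { $name -like $_ }).Count -gt 0 }
    # Enable the rule as well, so a Block is evaluated on profiles where discovery was simply off.
    $rules | Set-NetFirewallRule -Enabled True -Action $Action
    $rules | ForEach-Object { '{0,-8} {1,-45} {2}' -f $Direction, $_.DisplayName, $Action }
}

# Steps 4 and 13 block these four; steps 8 and 17 keep NB-Datagram allowed.
$blockPatterns = '*LLMNR-UDP*', '*NB-Name*', '*Pub-WSD*', '*SSDP*'
$allowPatterns = '*NB-Datagram*'

Set-DiscoveryRuleAction -NamePatterns $blockPatterns -Direction Inbound  -Action Block
Set-DiscoveryRuleAction -NamePatterns $allowPatterns -Direction Inbound  -Action Allow
Set-DiscoveryRuleAction -NamePatterns $blockPatterns -Direction Outbound -Action Block
Set-DiscoveryRuleAction -NamePatterns $allowPatterns -Direction Outbound -Action Allow

# Service names behind the display names in steps 21 to 24.
$services = @{
    'Browser'  = 'Computer Browser'   # not present on Windows 10 1709+ where SMB1 is removed
    'SSDPSRV'  = 'SSDP Discovery'
    'upnphost' = 'UPnP Device Host'
    'FDResPub' = 'Function Discovery Resource Publication'
    'fdPHost'  = 'Function Discovery Provider Host'
    'lltdsvc'  = 'Link-Layer Topology Discovery Mapper'
}
foreach ($svc in @($services.Keys)) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { "skip: $($services[$svc]) ($svc) is not installed"; continue }
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# Verify. Any blocked-list rule still enabled with Allow, or any listed service
# not Disabled, is a finding to chase (a conflicting GPO, or a build whose rule
# names do not match the patterns above).
$leftover = Get-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled True -Action Allow |
    Where-Object { $name = $_.DisplayName; @($blockPatterns | Where-Object { $name -like $_ }).Count -gt 0 }
"Blocked-list rules still allowing traffic: $(@($leftover).Count)"

Get-Service -Name @($services.Keys) -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

On a machine that receives the GPO, the same verification section (the `Get-NetFirewallRule` and `Get-Service` calls at the end) can be run on its own after `gpupdate /force` to confirm the policy landed as the steps describe. Note that the LAPS links given for the local admin question address only the password of the one managed local account; LAPS does not remove other local administrator accounts, so the group membership still has to be enforced separately.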
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Vicky

    Tuesday, September 24, 2019 01:10
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Cynthia

    Monday, September 30, 2019 02:43
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Vicky

    Tuesday, October 8, 2019 01:10
  • Hi,

    I am writing here to confirm the current situation.

    If the above suggestions are helpful to you, please be kind enough to "mark it as an answer" to help more people.

    Regards,
    Udara
    Tuesday, October 8, 2019 02:49
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Vicky

    Thursday, October 10, 2019 01:42