#1
GPO on TCPIP settings?

Hello.

I want to deny all domain users and Local administrators the ability to change the TCPIP settings on all Domain Computers (Windows XP, SP2).

Is it possible?

Which GPO settings are responsible for this?

Server is Windows2003R2.

Thanks.

#2
Re: GPO on TCPIP settings?

#3
Re: GPO on TCPIP settings?

Howdie!

marsias wrote:
> I want to deny all domain users and Local administrators the ability to
> change the TCPIP settings on all Domain Computers (Windows XP, SP2)
>
> Is it possible?
>
> Which GPO settings are responsible for this?

There's no right for that you could grant or deny people. Domain Users aren't allowed to change the network settings -- local administrators of course can. That's why they're admins. You can't actually limit people from changing the network settings.

If users shouldn't change them: let them run as non-admins.
If users should change them: put them into the Network Operators/Network Configuration Operators group.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (German): http://frickelsoft.net/cms/index.php?page=mailingliste

#4
Re: GPO on TCPIP settings?

"marsias" <marsias@discussions.microsoft.com> wrote in message news:87467C21-A788-44A2-A03F-074CBA9CA149@microsoft.com...
> Hello.
>
> I want to deny all domain users and Local administrators the ability to
> change the TCPIP settings on all Domain Computers (Windows XP, SP2)
>
> Is it possible?
>
> Which GPO settings are responsible for this?
>
> Server is Windows2003R2.
>
> Thanks.
>

In a business environment, it's recommended to only allow the users to be Domain Users, and not have any local rights or permissions on their machines. This includes the ability to install software, change the time, network properties, etc. If any software needs to be installed, or system settings changed, I would remote in and use the RunAs feature to run the app or whatever I need to do in the Administrators context. This way the users will have their necessary applications and printers set up for them to perform their jobs, and the users have little say on what they can do on their machines.

I would suggest removing their user accounts from the local administrators group on their workstations for your and the company's peace of mind. This will also reduce support calls for accidental changes, deletions, and the fact that viruses and spyware can install under their user accounts. If they were just Domain Users and only part of the Local Users group, these abilities would not be possible.

All of my customers (small and large) are only Domain users with no local rights and permissions. So far they have not had any virus problems or spyware problems, nor do I receive any complaints. If they need something changed, they call, and if possible, you can either remote in, walk over to their desktop, or visit the office and take care of it.

Also, some have asked to hide C: and other drives from users that are local administrators. Kind of a tough uphill battle to stop local drive access and other abilities that local admins have by default. I don't believe there's no reason to hide drives if the user is a local user and not a local administrator. They simply can't access C: drive other than their own MyDocuments folder if they don't have local admin rights.

If an application is installed that needs to make changes in the folder it is installed in (such as an app installed in c:\Program Files\somefolder), simply give the user's account elevated permissions in that specific folder where it's installed.

If a printer needs to be installed, log on as the administrator, install the printer drivers, log off; now the user is able to add the printer because the drivers were pre-installed.

Group policies will allow you to control and automate numerous things. Last I counted, there are over 800 settings, including software installation, startup/logon/logoff/shutdown scripts, display control, desktop, start menu, My Documents redirection, security settings, and numerous others. Most, if not all of the settings in a GPO are business related.

I normally do not try to force deny any local admins the ability to change network settings, but if you feel that it is necessary to continue to allow users to be local administrators, the first response, RC, gave you a Google search link on how to do that.

On a side note, I've had folks asking if they can use Group Policy for controlling the Home operating system versions. If you are using any Home version of an operating system, GPOs won't work because they were not meant to be for a home user. There is no central administration for retail users. Matter of fact, many of these settings do not exist in the Home versions.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

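An added example, not part of any post in this thread: since the replies agree that only members of the local Administrators and Network Configuration Operators groups can change TCP/IP settings, this script reports who is in those two groups on each workstation. The `$Computers` and `$Expected` values are assumptions, and the group names assume an English-language Windows installation.

```powershell
# Added example (not from the thread): list accounts able to change TCP/IP settings,
# i.e. members of the local Administrators and Network Configuration Operators groups.
param(
    # Workstations to audit (assumption: defaults to the local machine).
    [string[]]$Computers = @($env:COMPUTERNAME),
    # Accounts expected to hold these rights (constructed sample allow-list).
    [string[]]$Expected = @('Administrator', 'Domain Admins')
)

# English group names; localized systems use other names for the same
# well-known SIDs (S-1-5-32-544 and S-1-5-32-556).
$Groups = 'Administrators', 'Network Configuration Operators'

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    # Members() returns COM objects; read each ADsPath through late binding.
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

$report = foreach ($c in $Computers) {
    foreach ($grp in $Groups) {
        try {
            foreach ($path in Get-LocalGroupMemberPath -Computer $c -Group $grp) {
                # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/PC/name.
                $name = ($path -split '/')[-1]
                New-Object PSObject -Property @{
                    Computer   = $c
                    Group      = $grp
                    Member     = $path -replace '^WinNT://', ''
                    Unexpected = ($Expected -notcontains $name)
                }
            }
        } catch {
            # Unreachable host, missing group, or insufficient rights on the target.
            Write-Warning "$c / $grp : $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Computer, Group |
    Format-Table Computer, Group, Member, Unexpected -AutoSize
```

Rows with `Unexpected` set to `True` are the accounts to review for removal from the group; querying remote machines requires administrative rights on them.
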
#5
Re: GPO on TCPIP settings?

Hello marsias,

You can not do it with GPO. By default domain users are not able to change those settings. If they are local admin you can also not prevent this. Any local admin will be able to change the settings you did. Do NOT make the users local admin and you are safe.

Best regards

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello.
>
> I want to deny all domain users and Local administrators the ability
> to change the TCPIP settings on all Domain Computers (Windows XP, SP2)
>
> Is it possible?
>
> Which GPO settings are responsible for this?
>
> Server is Windows2003R2.
>
> Thanks.
>