
Restricting/stopping users browsing the network through active directory

 
 
Jim Florence
      13th Aug 2003
Hello,

I'm 90% of the way through an AD design for a school and have hit a
stumbling block with security.

We need to stop the children being able to browse the network and Active
Directory in one fell swoop and I'm looking for pointers on the best way to
do this.

I know I can modify the security for AD objects and remove view access for
everyone and authenticated users but this also seems to cause problems with
group policy applied at lower levels.

We have a legacy NT4 domain that is also browsable and even though we are
confident that even though they can see the shares and not access them, I'd
sleep better knowing they could see nothing at all.

We handle all directory and print mappings through login scripts so we can
tie down browsing completely.

Many thanks

Jim Florence


 
Sabin Nair[MSFT]
      13th Aug 2003
Hi Jim,

This should help:

Enable the following Group Policy settings under User Configuration\Administrative Templates to prevent browsing:

1. Windows Components\Windows Explorer: Enable "Remove Map Network Drive and Disconnect Network Drive", "Search button from Windows Explorer", "No computers near me in My Network Places", and "No Entire Network in My Network Places".
2. Start Menu and Taskbar: Enable "Remove Run menu from Start Menu"
3. System: Enable "Disable the command prompt"

Thanks
Sabin Nair M.S(Computer Engg.), MCSE, MCSA
Directory Services Team

"Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only."
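
Added example (not part of the original reply): a PowerShell check, run in the restricted user's own session, that the policies listed in the reply above actually reached that user's registry hive. The registry paths and value names are assumptions taken from the standard Windows administrative templates, since the post names only the policy titles.

```powershell
# Added example: audit the per-user registry values behind the listed policies.
# Assumption: value names follow the stock administrative templates; confirm
# against the templates loaded in your own Group Policy editor.
$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Setting = 'Remove Map Network Drive and Disconnect Network Drive'
       Path = "$policyRoot\Explorer"; Name = 'NoNetConnectDisconnect'; Expected = 1 }
    @{ Setting = 'Search button from Windows Explorer'
       Path = "$policyRoot\Explorer"; Name = 'NoShellSearchButton'; Expected = 1 }
    @{ Setting = 'No computers near me in My Network Places'
       Path = "$policyRoot\Explorer"; Name = 'NoComputersNearMe'; Expected = 1 }
    @{ Setting = 'No Entire Network in My Network Places'
       Path = "$policyRoot\Network"; Name = 'NoEntireNetwork'; Expected = 1 }
    @{ Setting = 'Remove Run menu from Start Menu'
       Path = "$policyRoot\Explorer"; Name = 'NoRun'; Expected = 1 }
    # DisableCMD: 1 = prompt and batch files blocked, 2 = prompt blocked only
    @{ Setting = 'Disable the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Expected = @(1, 2) }
)

$results = foreach ($c in $checks) {
    $value = $null
    # A missing key means the policy never applied to this user
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($key) { $value = $key.GetValue($c.Name, $null) }
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Applied = ($null -ne $value) -and ($c.Expected -contains $value)
    }
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a logon script or scheduled audit flag the gap
if ($results.Applied -contains $false) {
    Write-Warning 'One or more browsing restrictions are not applied to this user.'
    exit 1
}
```

A missing value usually means the GPO is not linked to the OU holding the user account, or is filtered out by its security settings.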

Jim Florence
      13th Aug 2003
Sabin

Many thanks for the amazingly quick reply.

I'll try that first thing tomorrow and let you know how I get on

Regards

Jim Florence

Jim Florence
      14th Aug 2003
Sabin,

I checked all these and unfortunately I have applied them all.

You can work around these by using the Folders button in Explorer and the
whole network pops up to browse down the right-hand pane. Also if a user
creates or edits a shortcut with valid information they can still get to
certain areas.

The Explorer problem is our biggest problem, any ideas?

Many thanks for your assistance so far

Jim
