Stop computers connecting to other domains and networks

Guest

This is a big one, but can I stop my users connecting to other networks with
their work laptops? I only want them to connect to our Domain and IP DHCP
scheme.

Thanks
 
Guest

Hi,

The only way to do this is to take away their "local logon" accounts and
give them Domain Accounts. Therefore they could only log in when they are in
the Domain. However, as long as they are local administrators then they can
just change it back.

Cheers,

Lara
 
Guest

They only have Domain accounts, but XP caches their passwords and allows them
onto the PCs.
 
Guest

Hi,

That is simple. Use Roaming Profiles. Set Domain not to cache Roaming
Profiles. In your AD GP set the Domain Computers OU GP - Windows Settings -
Security Settings - Local Policies - Security Options - Interactive Logon
"Number of previous logons to cache" = 0. This will disable the caching of
all profiles. Therefore the users can't log on if not connected to the Domain.

I had users trying to bypass GP by unplugging the machines and logging in
with cached credentials. This fixed that. It says they cannot log on because
the Domain is not available.

Cheers,

Lara
 
Hank Arnold

That's not very practical..... You are, in effect, turning the laptop into a
desktop machine. The whole point of getting a user a laptop is mobile
computing. One primary use is off line computing....
 
Ken B

One of my friends had a laptop that required him to log onto the VPN to log
in. It kept them from bypassing the group policy processing.

Ken
 
Guest

Hi,

That is what he is asking to do though in his original post. In today's day
and age with the "Blaster" type virus, laptops are a very dangerous problem
if they are "taken home" and connected to home networks or other networks. I
had a user bring in a home laptop and infect my network with Blaster.
Luckily no one is a Net Admin on any machine and they have no write access,
therefore it only affected 3 of my machines. However, it could have been
insane trying to clean my network with 2400 users.

Now all our laptops can roam inside the network throughout the building.
Outside laptops are forbidden and I check daily in my DHCP for non-network
names (as I can't stop DHCP from giving them an IP unless I know the MAC
address). I have restricted Internet to Domain Users only. Seems to have
done the trick as it has been 2 years now without incident.

Cheers,

Lara
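
The daily DHCP check described in the post above, as an added example that is not part of the original thread: it reads a Windows DHCP Server audit log and lists every MAC address that obtained or renewed a lease under a host name outside the naming convention. The log lines are constructed, and the `WKS-`/`LT-` names under `corp.example` are a hypothetical convention.

```python
import csv
import io
import re

# Constructed sample in the Windows DHCP Server audit log column layout.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,00:00:01,Started,,,
10,03/14/05,08:02:11,Assign,10.0.0.21,WKS-0412.corp.example,02AA00000001
11,03/14/05,08:15:40,Renew,10.0.0.22,LT-0077.corp.example,02AA00000002
10,03/14/05,09:31:05,Assign,10.0.0.57,HOME-PC,02BB000000AA
10,03/14/05,09:44:19,Assign,10.0.0.58,,02bb000000ab
11,03/14/05,10:02:00,Renew,10.0.0.57,HOME-PC,02BB000000AA
"""

LEASE_EVENTS = {"10", "11"}  # 10 = new lease, 11 = lease renewed
# Assumed (hypothetical) naming convention for domain machines.
ALLOWED_NAME = re.compile(r"^(WKS|LT)-\d{4}\.corp\.example$", re.IGNORECASE)


def find_unknown_clients(log_text, allowed=ALLOWED_NAME):
    """Return one record per MAC that leased an address under a host name
    that does not match the naming convention (blank names included)."""
    lines = log_text.splitlines()
    # Real audit logs begin with a free-text legend; skip to the column header.
    start = next((i for i, l in enumerate(lines) if l.startswith("ID,")), None)
    if start is None:
        raise ValueError("no 'ID,Date,Time,...' header found")
    unknown = {}  # keyed by MAC, kept in first-seen order
    for row in csv.DictReader(io.StringIO("\n".join(lines[start:]))):
        if (row["ID"] or "").strip() not in LEASE_EVENTS:
            continue
        host = (row["Host Name"] or "").strip()
        if allowed.match(host):
            continue
        mac = (row["MAC Address"] or "").strip().upper()
        rec = unknown.setdefault(mac, {
            "mac": mac,
            "host": host or "<blank>",
            "ip": (row["IP Address"] or "").strip(),
            "first_seen": f'{row["Date"]} {row["Time"]}',
            "events": 0,
        })
        rec["events"] += 1
    return list(unknown.values())


if __name__ == "__main__":
    for r in find_unknown_clients(SAMPLE_LOG):
        print(f'{r["first_seen"]}  {r["ip"]:<12} {r["mac"]}  {r["host"]}  x{r["events"]}')
```

The host name in a DHCP request is supplied by the client, so a match on the naming convention shows only that the name looks right, not that the machine is a domain member.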
 
Andrew Mitchell

lforbes said:
(as I can't stop DHCP from giving them an IP unless I know
the Mac Address).

At the moment that's correct, but you can deploy IPSec to prevent any
unauthorized devices being able to communicate with any other device on your
network even if they do get an IP address.
If you require that all of your authorized devices use IPSec for all
inbound and outbound communications, it means that those unauthorized devices
will not be able to communicate with them.
 
Guest

Hi,

I have thought about deploying IPSec but I cringed at the idea of installing
the Certificate Services etc. I read up about it on the MS website and it seemed
so much of a big deal. As my servers have to be up 24-7 I was a little
concerned about messing up things that work. I have great logging with the
log parser and it works great to list all my DHCP IP/Computer names.

Thanks for the idea. I may look into it more.

Cheers,
Lara
 
Andrew Mitchell

lforbes said:
Hi,

I have thought about deploying IPSec but I cringed at the idea of
installing the Certificate Services etc. I read up about it on MS
website and it seemed so much of a big deal.

Yeah. The white papers make it seem like such a daunting task.
It's actually a lot easier than it appears and, for comparison, was a lot
easier to get running than Exchange.
 
Guest

Yes, I have heard Exchange is a pain. Personally I am lucky that my head
office actually runs the Exchange so I don't have to deal with it on my two
networks.

Cheers,

Lara
 
