Not sure if the students are doing this, but it's possible for them, if they wanted, to create a shortcut to, say, \\DC1 in their home drive.
From there they can either go up a folder and see all the computers/servers/printers/etc. on the network, or more worryingly they can then go into the NETLOGON folder and see all the scripts etc...
I've tried blocking .lnk in their home drive using software restriction policies, but this doesn't seem to work for shortcuts to machines.
Is there a way for me to stop them browsing the network?
Is there a way to stop them creating shortcuts?
What happens when you try and create a shortcut to \\server?
What do you guys do, please?
Thanks in advance!

Try enabling the following policies:
User Config > Admin Templates > Windows Components > Windows Explorer
No "Entire Network" in My Network Places - Enabled
User Config > Admin Templates > Desktop
Hide My Network Places icon on desktop - Enabled
You may also want to take a look at ABE, or Access-Based Enumeration.
Thanks for the replies...
No "Entire Network" in My Network Places - is already enabled:
"This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.
"To remove computers in the user's workgroup or domain from lists of network resources, use the "No "Computers Near Me" in My Network Places" setting."
"No Computers Near Me" is also enabled... but no good.
I will have a look at ABE or the reg hack next, cheers.
Is there an easy way to bulk edit a HKEY_CLASSES_ROOT entry?
Depends on what you want to call bulk editing; you can roll a VBS/BAT file out which updates the registry by way of importing a file...
I've sorted the creation of new shortcuts, but they could still edit others or bring them in...
I've set up "Access-Based Enumeration" and it works great, but when they browse to, say, DC1, they can see SYSVOL, NETLOGON, LostHome etc. ABE only works by hiding folders and files that they don't have access to, but all our folders and files have READ for Authenticated Users.
Is this the same for your servers?
Here are the security settings for our NETLOGON folder on a domain controller:
I obviously don't want to mess up any settings here before the mass logon tomorrow at 9am!!

This is normal and by design. Not much you can do here. Even if you tried unticking 'List Folder Contents', 'Read & Execute' also becomes unticked and this is needed to run scripts you have in the NETLOGON share.
"they can see SYSVOL, NETLOGON"
Everything in our netlogon folder is hidden... if that helps.
Doesn't seem to have caused any problems.
Yup, just the tick boxes. I assume if you add the $ on the end, it will change the path and everything stops working.
You might be able to solve your problem by denying access to UNC paths in file explorer - not sure how you go about that off the top of my head though.
We left our NETLOGON folder as it was and moved our login scripts to another folder and made a quick and simple change in AD to reflect this.
Even if the kids somehow get to the folder, they can't see anything or do anything with it.
Az
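Added example, not part of the original thread or any poster's script: a PowerShell audit that lists which items under a share carry an Allow entry giving read access to a broad group, which are the items Access-Based Enumeration will not hide, as discussed above. The default path uses the DC1 name from the thread; the list of "broad" groups and the read-rights mask are assumptions, and Deny entries are not evaluated.

```powershell
# Added example: find items that broad groups can read (ABE will still show these).
param(
    # Assumption: DC1 is the domain controller named in the thread.
    [string]$Path = '\\DC1\NETLOGON'
)

# Broad principals by well-known SID, so the match does not depend on display names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Assumption: treat ReadData/ListDirectory (0x1), GENERIC_READ and GENERIC_ALL as "can read".
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

# -Force includes hidden files, since hiding a script does not change its ACL.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs rather than translated account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        $canRead = (([int]$ace.FileSystemRights) -band $readMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and $canRead) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
```

Run it as an account that can read the share's ACLs; an empty report for a folder means ABE would hide its contents from users who only have access through those broad groups.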