+ Post New Thread
Results 1 to 13 of 13
Windows Thread, Students creating Shortcuts to network in Technical; Not sure if the students are doing this but its possible for them if they wanted, to create a shortcut ...
  1. #1

    Join Date
    Aug 2007
    Posts
    817
    Thank Post
    99
    Thanked 65 Times in 47 Posts
    Rep Power
    26

    Students creating Shortcuts to network

    Not sure if the students are doing this but its possible for them if they wanted, to create a shortcut to say \\DC1 in there home drive.
    From there they can either then go up a folder and see all the computers/servers/printer/etc on the network, or more worryingly they can then go into NETLOGON folder and see all the scripts etc...

    ive tried blocking .lnk in there homedrive using software restrcition policies, but this doesnt seem to work for shortcuts to machines.

    Is there a way for me to stop them browsing the network?
    Is there a way to stop them creating shortcuts?

    What happens when you try and create a shortcut to \\server ?
    What do you guys do pleas?


    Thanks in advance !

  2. #2
    Dom_'s Avatar
    Join Date
    Dec 2008
    Posts
    1,009
    Thank Post
    151
    Thanked 138 Times in 115 Posts
    Rep Power
    56

  3. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    Try enabling the following policies:

    User Config > Admin Temaplates > Windows Components > Windows Explorer

    No "Entire Network" in My Network Places - Enabled

    User Config > Admin Temaplates > Desktop

    Hide My Network Places icon on desktop - Enabled

    You may also want to take a look at ABE or Access Based Enumeration

  4. #4

    Join Date
    Aug 2007
    Posts
    817
    Thank Post
    99
    Thanked 65 Times in 47 Posts
    Rep Power
    26
    Thanks for the replies...

    No "Entire Network" in My Network Places - is already enabled

    "This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.

    "To remove computers in the user's workgroup or domain from lists of network resources, use the "No "Computers Near Me" in My Network Places" setting."

    No computers near me is also enabled.... but no good

    I will have a look at ABE or the reg hack next cheers

    is there an easy way to bulk edit a HKEY_CLASSES_ROOT entry ?

  5. #5
    DrPerceptron's Avatar
    Join Date
    Dec 2008
    Location
    In a house
    Posts
    922
    Thank Post
    34
    Thanked 134 Times in 114 Posts
    Rep Power
    41
    Depends on what you want call bulk editing, you can roll a VBS/BAT file out which updates the registry by way of importing a file...

  6. #6

    Join Date
    Aug 2007
    Posts
    817
    Thank Post
    99
    Thanked 65 Times in 47 Posts
    Rep Power
    26
    Quote Originally Posted by DrPerceptron View Post
    Depends on what you want call bulk editing, you can roll a VBS/BAT file out which updates the registry by way of importing a file...
    Thanks for this, here is my working code:

    Dim objShell, RegLocate, RegLocate1
    Set objShell = WScript.CreateObject("WScript.Shell")
    On Error Resume Next
    RegLocate = "HKEY_CLASSES_ROOT\.lnk\ShellNew\Command"
    objShell.RegWrite RegLocate,"","REG_SZ"

    Cheers all

  7. #7

    Join Date
    Aug 2007
    Posts
    817
    Thank Post
    99
    Thanked 65 Times in 47 Posts
    Rep Power
    26
    Ive sorted the creation of new shortcuts, but they could still edit others or bring them in....

    Ive setup "Access-Based Enumeration" and it works great. but when they browse to say DC1, they can see SYSVOL, NETLOGON, LostHome etc. ABE only works by hiding folders and files that they dont have access to, but all our folders and files have READ for Authenticated users.

    Is this the same for your servers?

    Here are the security settings for our NETLOGON folder on a domain controller:


    I obviously dont want to mess up any settings here before the mass logon tommorow 9am!!

  8. #8

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    they can see SYSVOL, NETLOGON
    This is normal and by design. Not much you can do here. Even if you tried unticking 'List Folder Contents', 'Read & Execute' also becomes unticked and this is needed to run scripts you have in the NETLOGON share.

  9. #9
    DrPerceptron's Avatar
    Join Date
    Dec 2008
    Location
    In a house
    Posts
    922
    Thank Post
    34
    Thanked 134 Times in 114 Posts
    Rep Power
    41
    Everything in our netlogon folder is hidden.... if that helps

    Doesn't seem to have drawn upon any problems.

  10. #10

    Join Date
    Aug 2007
    Posts
    817
    Thank Post
    99
    Thanked 65 Times in 47 Posts
    Rep Power
    26
    Quote Originally Posted by DrPerceptron View Post
    Everything in our netlogon folder is hidden.... if that helps

    Doesn't seem to have drawn upon any problems.
    When you say hidden you mean windows hidden with the tick box not the $ shares ?

    Thanks for all the help. This could be a solution

  11. #11
    DrPerceptron's Avatar
    Join Date
    Dec 2008
    Location
    In a house
    Posts
    922
    Thank Post
    34
    Thanked 134 Times in 114 Posts
    Rep Power
    41
    yup, just the tick boxes, I assume if you add the $ on the end, it will change the path and everything stops working..

    You might be able to solve your problem by denying access to UNC paths in file explorer - not sure how you go about that off the top of my head though.

  12. #12
    azrael78's Avatar
    Join Date
    Sep 2007
    Location
    Devon
    Posts
    383
    Thank Post
    47
    Thanked 37 Times in 33 Posts
    Rep Power
    21

    Smile

    We left our NETLOGON folder as it was and moved our login scripts to another folder and made a quick and simple change in AD to reflect this.

    Even if the kids somehow get to the folder, they can't see anything or do anything with it.

    Az

  13. #13

    Join Date
    Feb 2008
    Location
    Portsmouth
    Posts
    163
    Thank Post
    16
    Thanked 18 Times in 13 Posts
    Rep Power
    17
    Quote Originally Posted by azrael78 View Post
    We left our NETLOGON folder as it was and moved our login scripts to another folder and made a quick and simple change in AD to reflect this.

    Even if the kids somehow get to the folder, they can't see anything or do anything with it.

    Az
    Same here, on the networks I support I place no files under NETLOGON.

SHARE:
+ Post New Thread

Similar Threads

  1. students unplugging network cable
    By centurio in forum Network and Classroom Management
    Replies: 14
    Last Post: 3rd May 2011, 09:11 PM
  2. Managing local and network application shortcuts
    By cjohnsonuk in forum Windows
    Replies: 4
    Last Post: 30th September 2008, 09:29 AM
  3. Replies: 9
    Last Post: 2nd November 2007, 08:55 PM
  4. Students and Network Cables
    By ninjabeaver in forum Wireless Networks
    Replies: 36
    Last Post: 23rd November 2005, 09:14 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •