10

I have enabled following policies,

  • "Prohibit TCP/IP advanced connection"
  • "Prohibit access to properties of components of a LAN connection"
  • "Enable Windows 2000 Network Connections setings for Administrators"

after doing all these, all machines running windows xp, 2000 and vista have network settings properties button disabled as expected.

However all machines running windows 7 have no effect, I believe there are few more steps, all Windows 7 machines are on domain and we want to control this via Domain Controler's GPO.

Please let me know, what I need to do to have Windows 7 disable the properties of network connection, I am not network expert, I read few articles about what new has been added in GPO of windows 7 but I am blank.

Everything works fine on Windows XP, Vista, 2003 Server. Only Windows 7 is a problem.

Akash Kava
  • 467
  • 3
  • 8
  • 19

4 Answers4

2

If I'm not mistaken, those settings are only applicable to W2KSP1, WinXP, and W2K3 computers. You need to enable the "Prohibit access to the properties of a LAN connection" setting, which should prohibit access to any properties of a LAN connection in Windows Vista and Windows 7.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • If you see my question, the 2nd point is the same policy you are talking about, still it works on Windows Vista, but not on 7. – Akash Kava Feb 03 '10 at 10:45
1

I should be User Configuration/Administrative Templates/Network/Network Connections/"Prohibit access to properties of a LAN Connection" (since Windows 200 SP1). The problem I'm having with GP is that you are not sure if it got applied, so restarting is always a good idea.

http://www.microsoft.com/downloads/details.aspx?familyid=18C90C80-8B0A-4906-A4F5-FF24CC2030FB&displaylang=en#filelist

Besides that I would like to point out two things:

  1. Are your users local Administrators? Iirc even Power Users should not be able to configure LAN Adaptors...
  2. Consider upgrading to Windows Server 2008 R2
Tie-fighter
  • 751
  • 2
  • 9
  • 17
  • us psexec on all computers and run gpudate /force – jer.salamon Jul 16 '10 at 20:25
  • I have Windows Server 2008 R2, the domain users who login to local machine, they are granted administrator access to the machine, but they are not domain administrators, everything works till windows vista, but for some reason it does not work on windows 7 only. – Akash Kava Jul 26 '10 at 12:04
  • With the GPO I posted it is possible to disable the settings even for local Administrators. – Tie-fighter Jul 28 '10 at 21:34
0

Although the button is not disabled you shouldn't be able to make any changes to the settings with these policies enforced - can you confirm that? If you really want to remove it from sight then you could use a registry modification.

Siim K
  • 587
  • 3
  • 9
  • 16
  • Yes, we are able to make changes, we do not want our users to change ip address at all once this policy is in place, but xp and vista disables the button correctly but 7 doesnt and it also allows user to change anything they want to. – Akash Kava Feb 03 '10 at 17:19
  • 2
    Just a thought - are you trying with a Administrator or a Standard user in Windows 7? I have been playing with the GPOs a bit and when I logged in as a Standard user in Win 7 then the settings in your original post worked - the Properties button was disabled... – Siim K Feb 05 '10 at 10:08
  • +1 for testing in your environment, is your PDC Server 2008 or 2003 based? – iainlbc Apr 24 '10 at 01:18
  • thanks for trying out, however even for administrators it did work on xp and vista, it doesnt work for administrators on 7 – Akash Kava Jun 24 '10 at 15:17
0

I know this may seem wiered, did you also Enable the "Enable Windows 2000 Network Connections settings for Administrators" setting. Apply reverse psychology, although it applies to older OS's - admin rights an inherited. Of course all users are in the stipulated OU this GPO is applied to - give it a shot