Discussion:
Disable Wireless by GPO
r***@hotmail.com
2007-03-01 18:41:43 UTC
Hi,

Has anyone managed to implement a GPO that disables wireless and also not
via disabling WZC (Wireless Zero Configuration) service, as we have many power
users who would then be able to restart the service? If so, how and which
settings?

Any help appreciated.

Thanks.
Ricky.
Mark Heitbrink [MVP]
2007-03-01 19:30:53 UTC
Hi,
Post by r***@hotmail.com
Has anyone managed to implement a GPO that disables wireless and also not
via disabling WZC (Wireless Zero Configuration) service
Why not? Disable server and set permissions that only Domain-Admins
are allowed to start it.
Then the user must have local admin rights, to take ownership.

If you are working with local administrators: Forget about all
things you can manage with GPO, they are worthless.
A local admin can always get around.

3rd Party like Sanctuary Device Control can help.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Andrew
2007-03-01 20:34:39 UTC
On Mar 1, 10:30 pm, "Mark Heitbrink [MVP]" <spam-
Post by Mark Heitbrink [MVP]
If you are working with local administrators: Forget about all
things you can manage with GPO, they are worthless.
A local admin can always get around.
3rd Party like Sanctuary Device Control can help.
Sanctuary Device Control doesn't support Active Directory's GPO.
This old school tool can be managed only from non-standard GUI (it
even doesn't support MMC!).

Take a look at more modern solutions, such as Safeend
(www.safeend.com) or DeviceLock (www.devicelock.com).
Mark Heitbrink [MVP]
2007-03-01 22:43:13 UTC
Hi,
Post by Andrew
Sanctuary Device Control doesn't support Active Directory's GPO.
Right. And IMHO it doesn't even need to.
Post by Andrew
This old school tool can be managed only from non-standard GUI (it
even doesn't support MMC!).
Better it is. No one needs MMC 3.0 ... :-)
Post by Andrew
Take a look at more modern solutions, such as Safeend
(www.safeend.com) or DeviceLock (www.devicelock.com).
I know Devicelock, but I like to stay on my familiar ones.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
rickym61
2007-03-15 20:51:37 UTC
Mark/Andrew

Thanks both for your replies. My company would prefer to not have to spend a
lot of money on 3rd party, would be preferable if there was some GPO
settings.

I'm due to visit Microsoft @ Reading in a month's time as they are hosting a
session on best practice for wireless control, patch management as well as a
few other areas for the company I work for. I'll hopefully see how MS
control this.
Mark Heitbrink [MVP]
2007-03-16 03:30:03 UTC
Hi,
Post by rickym61
Thanks both for your replies. My company would prefer to not have to spend a
lot of money on 3rd party, would be preferable if there was some GPO
settings.
There is, you can deny start of the driver. The question/goal was, if
I remember it right: How to deny it to admins or to specific security
groups. And the only answer is: it can be really accomplished.
It's not in the model of GPO.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
rickym61
2007-03-16 23:39:14 UTC
Hi Mark,

You state "there is, you can deny start of the driver." how would this be
accomplished, which GPO setting would this be?

"How to deny it to admins or to specific security groups. "
The above refers to those that have elevated admin rights, power users, i.e.
the Application Developers, App Support teams. The majority in our company
do not come under this scope, most do not have elevated admin rights, but it
would be nice to be able to stop those who like to "tweak" their computers.

Thanks.
Ricky.
Mark Heitbrink [MVP]
2007-03-19 11:30:50 UTC
Hi,
Post by rickym61
You state "there is, you can deny start of the driver." how would this be
accomplished, which GPO setting would this be?
None existing, you have to use your own ADM Template, or you have
to integrate it manually in a SecurityTemplate (*.inf) that you
import.

----------- driversample.adm -----------
; edit "Name of your driver"
; edit "Keyname of driver"

CLASS MACHINE

CATEGORY "Services and Driver"
  POLICY "Name of your driver"
    KEYNAME "System\CurrentControlSet\Services\Keyname of Driver"
    PART "Startbehavior" DROPDOWNLIST
      VALUENAME "Start"
      ITEMLIST
        NAME "Boot" VALUE NUMERIC 0
        NAME "System" VALUE NUMERIC 1
        NAME "Automatic" VALUE NUMERIC 2 DEFAULT
        NAME "Manuell" VALUE NUMERIC 3
        NAME "Deactivated" VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY
----------- schnapp usb.adm -----------
Post by rickym61
"How to deny it to admins or to specific security groups. "
The above refers to those that have elevated admin rights,
No, these ones can still start/stop the driver.
Post by rickym61
the Application Developers, App Support teams. The majority in our company
do not come under this scope, most do not have elevated admin rights,
So you don't need the policy ... and if they are admins, they still can get
ownership and you can't deny it, because they are admins.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
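
An added example, not part of the original thread: a PowerShell audit that checks whether the Start value written by a template like driversample.adm is in place on a machine, and lists which principals hold registry rights that would let them change it back. The default key name WZCSVC and the parameter names are assumptions; substitute the key name of the driver or service you manage.

```powershell
# Added example (not from the thread): verify the policy-set Start value
# and report who could override it on this machine.
param(
    [string]$KeyName = 'WZCSVC',  # assumption: key name under ...\Services to audit
    [int]$ExpectedStart = 4       # 4 = "Deactivated" in the template's ITEMLIST
)

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\$KeyName"
if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "Service key not found: $path"
    exit 2
}

# 1. Does the registry value match what the policy should have written?
$start = (Get-ItemProperty -LiteralPath $path -Name Start -ErrorAction Stop).Start
$compliant = ($start -eq $ExpectedStart)

# 2. Which principals hold rights that allow reverting the value,
#    rewriting the ACL, or taking ownership of the key?
#    (FullControl contains all three bits, so it is matched as well.)
$risky = [int][System.Security.AccessControl.RegistryRights]'SetValue, ChangePermissions, TakeOwnership'
$acl = Get-Acl -LiteralPath $path
$writers = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $risky) -ne 0
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

# One record per machine, suitable for collecting centrally.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Key         = $KeyName
    Start       = $start
    Compliant   = $compliant
    Owner       = $acl.Owner
    CanOverride = ($writers -join '; ')
}

if (-not $compliant) { exit 1 }
```

The CanOverride column makes the point from the replies concrete: any account listed there, typically the local Administrators group, can undo the setting between policy refreshes.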