User-specific DNS settings?

We're running Windows SBS 2003, and would like a specific user account (which happens to be a restricted user) to have specific DNS settings, regardless of workstation.

That should be possible via GPO, but isn't working.

DHCP seems to be workstation-specific rather than user-specific, and manual modifications will affect other users on those workstations.

Ideas?

Thanks.
 
What is the ultimate goal that you need specific DNS settings for? There may be a different way of going about it.

Riley
 
Use loopback mode and filter the GPO's Apply permissions so it applies just to that user.
 
We're running Windows SBS 2003, and would like a specific user account (which happens to be a restricted user) to have specific DNS settings, regardless of workstation.

That should be possible via GPO, but isn't working.

DHCP seems to be workstation-specific rather than user-specific, and manual modifications will affect other users on those workstations.

Ideas?

Thanks.

The GPO is a Computer Policy, meaning it's a policy that's applied to the PC, not the user. Hence you probably can't get it to work.
 
Loopback mode? Perhaps I've misunderstood your recommendation, but I want to filter content (i.e. no pornography), not block web access completely. OpenDNS does that nicely, but there doesn't seem to be a way to modify DNS settings on a per-user basis... At least not one that works.

As for filtering the GPO for just that user, that's what I did with the "DNS Server" GPO setting, but it isn't working... Even after running "gpupdate /force" and restarting.
 
Well, I think it's a catch-22 using a GPO.

Being able to use group policy relies VERY heavily on DNS. If you change your DNS servers to OpenDNS, then services running on that PC which require communication with your local DNS servers (i.e. Active Directory, internal name resolution, network browsing, etc.) will all stop working.

I think there are only going to be two ways to look at this:

1) Have a dedicated workstation that is "locked down"
2) Have some sort of content filtering solution with an Active Directory tie-in. Unfortunately, I don't think any of those are free.

If you want to do it per-user regardless of which workstation they are on then I think #2 is your only solution.

However, if the list of websites you need that user to go to is very small, you can do it with a GPO by playing with the proxy setting. You essentially set IE to use a proxy and point it at the localhost, but fill in the "don't use a proxy for these addresses" box with the websites you want the user to go to. The only catch is that this list can only be 254 characters long.

Riley
 
...But GPOs have "User Configuration" sections and can be filtered on a per-user basis, so I was being hopeful.
 
...But GPOs have "User Configuration" sections and can be filtered on a per-user basis, so I was being hopeful.

There is, but unfortunately the DNS setting is in Computer Configuration, which is the part of a GPO applied to a machine instead of a user.

There are no DNS settings available in the User Configuration part of GPOs.


edit: oh yeah, and what Skud said. If the machine does NOT have the DC as a DNS IP, domain functions will cease to work.
 
Being able to use group policy relies VERY heavily on DNS. If you change your DNS servers to OpenDNS then services running on that PC which require communication with your local DNS servers (ie. Active Directory, internal name resolution, network browsing, etc.) will all stop working.
Luckily, this user account only needs to access one network resource; a single shared folder, and that can be mapped using an IP address, so that's not a big deal. That's why OpenDNS is a feasible solution in this situation.

I've also considered looking into editing our login script for this user, but that would mean editing it for everyone else in order to re-enable DHCP when other users log in.
 
Loopback mode? Perhaps I've misunderstood your recommendation, but I want to filter content (i.e. no pornography), not block web access completely. OpenDNS does that nicely, but there doesn't seem to be a way to modify DNS settings on a per-user basis... At least not one that works.

As for filtering the GPO for just that user, that's what I did with the "DNS Server" GPO setting, but it isn't working... Even after running "gpupdate /force" and restarting.

Loopback mode is for applying user settings to policies applied to computers; it won't work in this case, since the setting is only in the computer section. I misunderstood what type of policy you were trying to apply at first.

As for applying the policy just for that user: you applied the GPO to the OU that the computer was in, correct? And then used filtering to give only that user Read and Apply rights to the policy?
 
Luckily, this user account only needs to access one network resource; a single shared folder, and that can be mapped using an IP address, so that's not a big deal. That's why OpenDNS is a feasible solution in this situation.

I've also considered looking into editing our login script for this user, but that would mean editing it for everyone else in order to re-enable DHCP when other users log in.

Create a logoff script to revert the settings and only apply that to the one user?
Of course, things could get quirky if he doesn't properly log off the machine and the logoff script never runs...
And I didn't even think about modifying the GPO permissions as ND40oz stated. That would probably be your best bet.
 
If you have a place to run a filtering proxy, there are several free ones available, or most non-filtering proxy setups (I think SBS includes one? but I'm not a Windows guy...) would allow you to do DNS lookups on OpenDNS. Then you can use the GPO to force that user to use the proxy, and other users not.
 
Luckily, this user account only needs to access one network resource; a single shared folder, and that can be mapped using an IP address, so that's not a big deal.

You may still have issues with authentication. Every time you access a network resource that is part of the domain, you check with a DC to see if you have access. Kerberos may be messed up and you may not get your proper tickets when you log on. Logons will also be slow as well.

It may still work though, albeit slowly. Give it a try and let us know.

Riley
 
If you have a place to run a filtering proxy, there are several free ones available, or most non-filtering proxy setups (I think SBS includes one? but I'm not a Windows guy...).

SBS Premium Edition includes ISA Server, SBS Standard Edition does not.

If the business has a need to do this for end users, IMO it's time to put in a web/content filtering appliance which supports groups of users.

I wouldn't mess with DNS. As mentioned above a few times, with Windows Active Directory you need servers and workstations to look at the domain controller's IP for their DNS server. Trying to play tricks with this even after logon would, IMO, lead to issues. Although if this workstation needs access to just one share on the server, and it's not going to use Outlook to Exchange, you could probably fiddle with this, even unjoin it from the domain and have it run in workgroup mode, as it should still find the server share via WINS... since SBS runs WINS by default.
 
even unjoin it from the domain and have it run in workgroup mode

The simplest solution since he isn't using anything but a shared drive.

Demote from AD to workgroup
Create two accounts (one for admin and the other for the user)
Give the user a limited account
Change whatever DNS settings you like

5 minutes and you are done.
 
Or you could just fire whichever employee is looking at porn at work. Just sayin'.
 
The simplest solution since he isn't using anything but a shared drive.

Demote from AD to workgroup
Create two accounts (one for admin and the other for the user)
Give the user a limited account
Change whatever DNS settings you like

5 minutes and you are done.

He needs it to affect the user regardless of the workstation the user logs on to.
So this fails :p
 
Or you could just fire whichever employee is looking at porn at work. Just sayin'.

Heh, I would, but this is for a 12-computer lab with zero budget at a community centre. The issue is that they use it for employee training as well as after-school programs.
 
I don't really like this solution, but eh...throwing it out there.

If the user is only using Internet Explorer 7, you could download the .adm (http://www.microsoft.com/DOWNLOADS/...81-6462-4fda-8ee5-fcb8264c44b1&displaylang=en) and set up the GPO for the user there to a proxy server (in this case, it would be the loopback). This will follow the end-user to whatever computer, and it will only allow the websites you want the user to use. I believe it just writes to this registry key called "ProxyOverride".

However, if homey decides to install Firefox or use a portable app, then this goes to shit. This also will affect ALL his Internet browsing in IE, so every legitimate website would need to be added to the exemptions list, followed by another log off/log on (gpupdate /target:user /force).

I would go with the OpenDNS solution instead -- it is much better to administer this stuff through a centralized point. Otherwise, get a real Web Proxy server in-place.
 
As for applying the policy just for that user, you applied the gpo to the OU that the computer was in correct? And then used filtering to give only that user read and apply rights to the policy?
Yes, that's what I initially tried... Either I've done something wrong, or it just doesn't work.

As for the log-on and log-off scripts, that idea seems to be a bust. I've written a script that will change the settings, but the user needs to be a local administrator for it to work; because the filtered user is a restricted user, no dice. I looked into creating a dummy local admin account and using "run as", but Windows won't allow me to include the password in the script; that apparently requires third-party software... and would ultimately create a security vulnerability anyway.

Looks like I'm out of luck, short of setting up a proxy server.
 
It'd be a bit of a hack and possibly a pain to maintain, but maybe if you set up an 'automatic proxy detect' script (see here) setting all the blocked sites to use 'localhost' (or some other invalid address) as the proxy and everything else to direct, and forced it upon that user you could achieve your goal.

Has the same caveat exchange keys mentions though in that it only applies to applications that use the Internet Settings dialog.
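The "automatic proxy detect" script suggested above is a PAC file: a JavaScript function the browser calls for every request. Here is one, written for this thread as an added example (not code from any poster), that sends listed hosts to a dead proxy on the loopback address and everything else DIRECT, and that can also run the other way round as an allowlist, which is the "proxy to localhost, exempt these addresses" idea from earlier in the thread without its 254-character limit. The domain names in the list are constructed placeholders, and the helper replaces PAC's built-in dnsDomainIs so the file also runs under Node for testing.

```javascript
// Constructed placeholder names; replace with the real list for the site.
var LISTED_DOMAINS = ["blocked.example", "also-blocked.test"];

// Nothing listens on this port, so any request routed here fails fast.
var DEAD_PROXY = "PROXY 127.0.0.1:1";

// false: LISTED_DOMAINS is a blocklist (everything else goes DIRECT).
// true:  LISTED_DOMAINS is an allowlist (everything else is blocked).
var LIST_IS_ALLOWLIST = false;

// True when host equals domain or is a subdomain of it. Mirrors the PAC
// built-in dnsDomainIs, using only the JScript subset old IE PAC engines accept.
function hostInDomain(host, domain) {
    host = host.toLowerCase();
    domain = domain.toLowerCase();
    if (host === domain) { return true; }
    var suffix = "." + domain;
    var idx = host.length - suffix.length;
    return idx > 0 && host.indexOf(suffix, idx) === idx;
}

function isListed(host) {
    for (var i = 0; i < LISTED_DOMAINS.length; i++) {
        if (hostInDomain(host, LISTED_DOMAINS[i])) { return true; }
    }
    return false;
}

// Decide the proxy string for a host under either list mode.
function chooseProxy(host, allowlistMode) {
    var listed = isListed(host);
    if (allowlistMode) { return listed ? "DIRECT" : DEAD_PROXY; }
    return listed ? DEAD_PROXY : "DIRECT";
}

// Entry point every PAC engine calls once per request.
function FindProxyForURL(url, host) {
    return chooseProxy(host, LIST_IS_ALLOWLIST);
}
```

As the post notes, this only governs applications that honour the Internet Settings proxy configuration; a browser or portable app with its own settings ignores it.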
 
An update:

I set up FreeProxy on an old tower we had lying around, and pointed it at OpenDNS. Then I put together a GPO for the restricted accounts that sets IE to use the proxy server, removes the "Connections" tab from "Internet Options", and blocks (by way of path rules) the users from running Firefox, Chrome, Opera, and Safari.

Not comprehensive, but free and enough to keep the porn from all but the most enterprising kids.

Thanks for the suggestions, everyone!
 