Prevent SBS Users from Changing DNS Servers or LAN Settings

Prevent SBS Users from Changing DNS Servers or LAN Settings

I recently found some of our staff with local admin privileges we’re changing the DNS servers on their PCs in an attempt to subvert Internet content filtering.

In actual fact all they were doing was causing problems with Outlook connectivity and local network access but it raised an interesting red flag that some users – despite not being local administrators or network administrators – were able to change network settings on their PC.

A simple fix for this lies in Group Policy on the Domain Controller – I was using Small Business Server 2011 but this should work equally well for a Server 2008, Server 2008 R2 or Server 2012 based domain controller.

Note: For anyone in charge of a Small Business Server, I highly recommend the [easyazon_link asin=”073565154X” locale=”US” new_window=”yes” nofollow=”default” tag=”bomc-21″ add_to_cart=”default” cloaking=”default” localization=”default” popups=”no”]Windows Small Business Server 2011 Administrator’s Pocket Consultant[/easyazon_link]

  1. Group Policy Management On the Domain Controller go to Administrative Tools > Group Policy Management
  2. Find the appropriate container for the users you want to target – on our Small Business Server 2011 network this was:
    Domains > ourDomain.local > MyBusiness > Users > SBSUsers
  3. Right click the container and select Create a GPO in this domain, and Link it here….
  4. Right click the new GPO Link and select Enforced
  5. Right click the new GPO Link and select Edit (a new Group Policy Management Editor window will appear)
  6. Group Policy Management EditorBrowse to the following location:
    User Configuration > Policies > Administrative Templates > Network > Network Connections
  7. In the right hand pane, right click on Prohibit access to properties of a LAN connection and select Edit
  8. select Enabled and click OK
  9. Close all the dialog boxes and you’re done!

In order for the change to take affect I recommend restarting the client machines but you can try running gpupdate /force from a command prompt with elevated privileges.


Bob McKay

About Bob McKay

Bob is a Founder of Seguro Ltd, a full time father and husband, part-time tinkerer-with-wires, coder, Muay Thai practitioner, builder and cook. Big fan of equality, tolerance and co-existence.

Disclosure Policy

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.