I recently found some of our staff with local admin privileges were changing the DNS servers on their PCs in an attempt to subvert Internet content filtering.
In actual fact all they were doing was causing problems with Outlook connectivity and local network access but it raised an interesting red flag that some users – despite not being local administrators or network administrators – were able to change network settings on their PC.
A simple fix for this lies in Group Policy on the Domain Controller – I was using Small Business Server 2011 but this should work equally well for a Server 2008, Server 2008 R2 or Server 2012 based domain controller.
Note: For anyone in charge of a Small Business Server, I highly recommend the Windows Small Business Server 2011 Administrator’s Pocket Consultant
On the Domain Controller go to Administrative Tools > Group Policy Management
- Find the appropriate container for the users you want to target – on our Small Business Server 2011 network this was:
  Domains > ourDomain.local > MyBusiness > Users > SBSUsers
- Right click the container and select Create a GPO in this domain, and Link it here….
- Right click the new GPO Link and select Enforced
- Right click the new GPO Link and select Edit (a new Group Policy Management Editor window will appear)
- Browse to the following location:
  User Configuration > Policies > Administrative Templates > Network > Network Connections
- In the right hand pane, right click on Prohibit access to properties of a LAN connection and select Edit
- Select Enabled and click OK
- Close all the dialog boxes and you’re done!
In order for the change to take effect, I recommend restarting the client machines, but you can try running gpupdate /force from a command prompt with elevated privileges.
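The same steps can be scripted with the GroupPolicy PowerShell module (Server 2008 R2 and later). This is an added example, not part of the original post: the GPO name is hypothetical, the OU distinguished name is derived from the container path above, and the registry value `NC_LanProperties` = 0 is assumed to be what the "Prohibit access to properties of a LAN connection" template writes when Enabled (confirm against NetworkConnections.admx before relying on it).

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Run on the domain controller in an elevated PowerShell session.
Import-Module GroupPolicy

$gpoName = 'Restrict LAN Connection Properties'   # hypothetical GPO name
# DN built from the container path in the post; adjust to your domain.
$target  = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=ourDomain,DC=local'
# Assumed policy registry location and value (see lead-in).
$key     = 'HKCU\Software\Policies\Microsoft\Windows\Network Connections'
$value   = 'NC_LanProperties'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Block users from LAN connection properties'
}

# Write the user-side policy value into the GPO (0 = properties prohibited).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value `
    -Type DWord -Value 0 | Out-Null

# Link the GPO to the target container and mark the link Enforced.
try {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes `
        -Enforced Yes -ErrorAction Stop | Out-Null
} catch {
    # Link already present: make sure it is enabled and enforced.
    Set-GPLink -Name $gpoName -Target $target -LinkEnabled Yes `
        -Enforced Yes | Out-Null
}

# Confirm what the GPO now contains.
Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $value |
    Select-Object FullKeyPath, ValueName, Value, Type

# --- On a client, as the affected user, after gpupdate /force or a restart ---
# Check that the policy value actually reached the user's registry hive.
$clientKey = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections'
$applied = Get-ItemProperty -Path $clientKey -Name $value `
    -ErrorAction SilentlyContinue
if ($applied -and $applied.$value -eq 0) {
    'Policy applied: LAN connection properties are prohibited.'
} else {
    'Policy not applied yet; run "gpresult /r /scope user" to see which GPOs were processed.'
}
```

The client-side block at the end is run separately in the affected user's session, not on the domain controller.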