We are planning to migrate from a workgroup to Active Directory (Windows Server 2008 R2: domain controller, DNS and Windows XP/7: workstation). At this moment some computers are not allowed to access the Internet (we achieve this by leaving blank the DNS fields in the network configuration window). Users do not have administrative privileges, so they cannot change the settings. This works well no matter what Internet browser the users use.
Can we do this in an Active Directory environment?
I think you're going about this the wrong way. uSlackr's idea would work. You can set a proxy server in group policy, but as Nixphoe said, that would only work for IE. Nixphoe's idea breaks the function of Active Directory so should be avoided. Every method for doing this using Active Directory is going to have some drawbacks.
The solution (even if it's not the answer you want) is to do this at your firewall. Most good firewalls have the ability to block internet access for a group of IP addresses. Just make sure those computers get the correct IP addresses by putting them in their own special VLAN on the switches or creating DHCP reservations for them.
If this is all in 1 subnet, just don't configure a gateway if you are using DHCP or configure it to something incorrect. The PCs would be able to hit everything on their subnet, and nothing outside it...simple.
Before we bought web filter software, we accomplished this by setting the user's proxy settings to a non-existent proxy. This could be handled through a group policy setting or a user-based login script. As others have said, this will only work for IE and programs that use Windows Internet Settings.
This will only work with 7 and 2008 unfortunately, but firewall rules via GPO? Why not block outbound traffic on known ports (80, 443) to anything not in the local subnets for AD (if you need that, that is) and do so through Group Policy. Just occurred to me. Not sure if it is that practical because
You could use ISA or TMG with AD integration, and use a rule to allow access depending on "internet access" AD group membership. Include WPAD config in DNS so that there is no config required for all end user devices and browsers.
Is there any objection to using a web filtering appliance like a Barracuda Web Filter? It's AD-aware and would probably be a more robust solution.
No, you cannot use the same method in an Active Directory environment. AD is reliant on DNS to work correctly.
A couple of options that can be used instead, off the top of my head:
- Use a proxy server
- Force everyone through a proxy and have it block those that should not have internet access
- Block access for those machines at the firewall/router
Both of those approaches would be a better approach anyway, since your users could just go and set DNS servers in their configs now and your "protection" is useless.
So, you can set up the AD DNS servers internally to not forward requests to the root DNS servers, which will give you much the same effect; you'll have to put the AD DNS servers in the clients' DNS config, but DNS resolution will be able to go no further. However, this is a very weak way of blocking internet access, as your users would be able to memorize a DNS server address (such as Google's, 184.108.40.206), and then use nslookup to resolve DNS queries by hand.
If you do want to proceed, here is how to enable forwarders (turn them off, of course), and here is how to manage root hints (remove these entirely).
Or you could leave the gateway field blank... AD needs DNS but in most cases your machines will get by without a gateway assuming they need no access at all to the internet.
You could use a startup script to remove the default route.
C:\> ROUTE DELETE 0.0.0.0
This would prevent the computer from communicating with any hosts outside the local subnet, but still allow all communication within your local network. You can use organizational units in Active Directory so that the group policy only applies to the computers you specify.
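The startup-script approach from the last answer, as an added example that is not part of the original post: it removes the default route, then checks the routing table and writes the outcome to the Application event log so the control can be audited. The event source name `NoInternetRoute` and the event IDs 100/101 are constructed for this example.

```bat
@echo off
rem Added example: computer startup script for restricted workstations.
rem Removes the IPv4 default route, then verifies and logs the result.
setlocal

rem Constructed event source name for this example (not from the original post).
set SRC=NoInternetRoute

rem Delete the default route; ignore the error if none exists.
route delete 0.0.0.0 >nul 2>&1

rem Look for any remaining active or persistent 0.0.0.0/0.0.0.0 entry.
route print | findstr /R /C:"^ *0\.0\.0\.0  *0\.0\.0\.0 " >nul
if errorlevel 1 (
    rem findstr found nothing: no default route is left.
    eventcreate /L APPLICATION /T INFORMATION /SO %SRC% /ID 100 /D "Default route absent after startup script." >nul
    exit /b 0
) else (
    rem A default route is still listed: the restriction is not in effect.
    eventcreate /L APPLICATION /T WARNING /SO %SRC% /ID 101 /D "Default route still present; host can reach other subnets." >nul
    exit /b 1
)
```

Assign it as a computer startup script in a GPO linked to the organizational unit that holds the restricted machines; a warning event with ID 101 marks a machine where the route came back.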