Stop User mapping Network Drives

Apr 25, 2002
156
GB
Hi,

I have been presented with a problem. I have been tasked with setting up a PC solely to view the company Intranet.

This PC is to be in the factory which raises a few security issues .... I can restrict access to the network via login hours ....

I need to be able to restrict them to access to the INTERNET which I have done via the Internet Users group off the server.

What I have not been able to do is the following:

I have a WIN XP PRO PC and I have set up a user for this PC as a restricted USER. What I want to do is not allow them to MAP any Network Drives from this user's login.

I also would like to restrict access to ALL other PCs on the domain as well..... any ideas please

Can this be done? If so, how .....

regards

Murray
 
Snetcfg is a sample tool in the MS Driver Development Kit (...\src\network\config\netcfg) that must be compiled into an exe from the source (C/C++?) before it can be used. It can list, install and uninstall most network components (note: Win2k and WinXP only).

More about MS Driver Development Kit here:

Fortunately, you can download a compiled version of Snetcfg.exe (note different version depending on OS; the link to the XP version is on the second line) at
Tip 4705

Copy this into %windir%\system32

For the user you need to disable File and Printer sharing, add to the logon script:

snetcfg.exe -v -u MS_Server

If there are other users of the computer, you need to modify their logon scripts to re-enable File and Printer Sharing on this computer. Add to their logon scripts both of these lines:

snetcfg.exe -v -u MS_Server
snetcfg.exe -v -l %windir%\Inf\NETSERV.INF -c s -i MS_Server

(Special thanks to Torgeir, MS-MVP)

A second, different, approach to this would be to block for that user in the firewall the following port settings:

The following ports are associated with file sharing and server message block (SMB) communications:

• Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.

• Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

For XP SP2, you can script the firewall in the logon script:
Or use Netsh.exe to create firewall settings "dump" configurations, that can be used to "exec" a body of firewall settings saved with the dump to a filename.
 
Hi

I have been and got the program as suggested...

I have two questions....

Ques One - Do I do this on the client PC that is going to be in the factory?

I take it I am copying the snetcfg.exe into the following folder....

Copy this into %windir%\system32


Ques Two
snetcfg.exe -v -u MS_Server

I am adding this to the relevant login script on the server... I take it that this disables Files and Printer Sharing on the client PC AND NOT the Server....

Will this also stop them from seeing any local C: on other PCs within the Domain or do I need to go around all the PCs within the domain and set permissions up?

regards

Murray
 
snetcfg disables File and Printer sharing. Without these services, the workstation cannot map or share folders, files and printers.

"I am adding this to the relevant login script on the server... I take it that this disables Files and Printer Sharing on the client PC AND NOT the Server...."

As long as it is not in the logon script for any server user, and only in the workstation user logon script kept at the server.

This will stop any sharing or mapping of network resources.

 
Why not just use a GPO and hide all drive letters above their local drives? You can also via GPO remove the MAP NETWORK DRIVE option by hiding the Tools menu.

For info on how to hide the drives, see my new FAQ on the subject. faq931-5882

I hope you find this post helpful.

Regards,

Mark
 
What about the context menu?
What about Network Neighborhood?
What about the net use or net share commands?

The fact that a drive letter is hidden does not prevent a map nor prevent a share.
 
You are of course correct Bill. They should through the same GPO hide those elements too.

1. Remove Right Click context menus
2. Hide Network Neighborhood
3. Prevent access to Command Prompt

I would also remove the Run command.

I hope you find this post helpful.

Regards,

Mark
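
The GPO restrictions listed in the posts above, worked as an added example that is not part of the original thread or any poster's own code: it computes the NoDrives bitmask for "hide all drive letters above the local drives" and renders the matching per-user policy values as .reg text for review. The registry value names are the standard Explorer and System policy values; the drive list and the function names are constructed for illustration.

```python
"""Per-user policy values behind the GPO settings named in the thread."""
import string

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"


def nodrives_mask(visible):
    """NoDrives bitmask (bit 0 = A: ... bit 25 = Z:) hiding every letter not in `visible`."""
    keep = {d.upper().rstrip(":") for d in visible}
    bad = [d for d in keep if len(d) != 1 or d not in string.ascii_uppercase]
    if bad:
        raise ValueError(f"not a drive letter: {sorted(bad)}")
    return sum(1 << i for i, d in enumerate(string.ascii_uppercase) if d not in keep)


def hidden_letters(mask):
    """Decode a NoDrives value into the letters it hides (for auditing a setting)."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("NoDrives uses only the low 26 bits")
    return [d for i, d in enumerate(string.ascii_uppercase) if (mask >> i) & 1]


def build_reg(visible):
    """Render the values as .reg text, e.g. to compare with what the GPO delivered."""
    # These are UI restrictions only: as noted in the thread, a hidden drive
    # letter does not by itself prevent a map or a share.
    explorer = {
        "NoDrives": nodrives_mask(visible),   # hide drive letters in Explorer
        "NoNetConnectDisconnect": 1,          # remove Map/Disconnect Network Drive
        "NoViewContextMenu": 1,               # remove right-click context menus
        "NoNetHood": 1,                       # hide the network places icon
        "NoRun": 1,                           # remove the Run command
    }
    system = {"DisableCMD": 1}                # prevent access to the command prompt
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in ((EXPLORER_KEY, explorer), (SYSTEM_KEY, system)):
        lines.append(f"[{key}]")
        lines += [f'"{name}"=dword:{val:08x}' for name, val in values.items()]
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed case: the factory PC has a floppy, one hard disk and a CD-ROM.
    print(build_reg(["A", "C", "D"]))
```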
 