
I've added a logon script for specific users so they have no access to the internet:

@ECHO OFF

REM Addresses and adapter name as in the original script; both entries use the same address.
set vardns1=1.1.1.1
set vardns2=1.1.1.1

ECHO Setting Primary DNS
REM Switch the adapter to a static DNS list and make vardns1 its only entry.
netsh int ip set dns name="Local Area Connection" source=static addr=%vardns1%

ECHO Setting Secondary DNS
REM Append vardns2 as the second entry of that static list.
netsh int ip add dns name="Local Area Connection" addr=%vardns2% index=2

ipconfig /flushdns

exit

How do I put the DNS back to default, that is automatically assigned DNS when they logoff?

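For the logoff side of the procedure above, here is an added example (not part of the original question or its comments) of a script that hands the adapter back to DHCP-assigned DNS servers. It assumes the same adapter name the logon script uses, "Local Area Connection", and that the logoff script runs with enough rights to change adapter settings.

```batch
@ECHO OFF
REM Added example: logoff script that reverts the logon script's static DNS
REM entries to DHCP-assigned servers. Adapter name is assumed from the
REM question; change it to match the hosts where this runs.
SET "adapter=Local Area Connection"

ECHO Restoring DHCP-assigned DNS on "%adapter%"
REM source=dhcp replaces the whole static server list, so the secondary
REM entry added with "netsh int ip add dns" does not need a separate delete.
netsh int ip set dns name="%adapter%" source=dhcp
IF ERRORLEVEL 1 (
    ECHO Could not reset DNS on "%adapter%"; the script lacks the right to change adapter settings.
    EXIT /B 1
)

REM Drop cached answers obtained while the static servers were in effect.
ipconfig /flushdns

REM Print the resulting configuration so it can be checked in the logoff log.
netsh int ip show dns name="%adapter%"
EXIT /B 0
```

One check worth doing before relying on this pair of scripts: a user logoff script runs under the user's own token, exactly as the logon script does. If the logon script succeeds in setting static DNS under that token, the account holds the same right the logoff script needs, and it is also the right that lets the user undo the restriction themselves, which is the point Zoredache's comment makes below. If the logon script only works because it runs elevated, the logoff script must run the same way or the error branch above is what you will see.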
  • Wondering if this would do it `@ECHO OFF set vardns1= set vardns2= ECHO Setting Primary DNS netsh int ip set dns name="Local Area Connection" dhcp ECHO Setting Secondary DNS netsh int ip add dns name="Local Area Connection" dhcp ipconfig /flushdns exit` – Andy Peterson Oct 31 '17 at 20:56
  • Are these machines part of an active directory domain? This will affect that pretty badly. I'd expect it to interfere with email, patch delivery, etc. – uSlackr Nov 01 '17 at 13:25
  • Yes, it is part of AD. The patches etc. don't matter. These settings are only used for a specific number of users for a month and after that it will go back to normal. Basically temporary settings. – Andy Peterson Nov 01 '17 at 16:07
  • That seems a pretty awful way of limiting access.... but looking at that, I would suggest that using 0.0.0.0 instead of 1.1.1.1 (which is a valid IP address) would be much better (and fail a lot more quickly). I've done this in the past on Linux hosts (in /etc/hosts) on occasion. – Cameron Kerr Nov 02 '17 at 11:43

2 Answers

This is not a good practice for disabling network connections for a user. As a matter of fact it doesn't prevent the user from accessing the internet at all:

  • It's easy for the user to set the DNS settings back to normal. They can change them from the command line or create their own scripts, because if you limit that, you won't be able to use the login script in the first place.
  • It's possible to add an HTTP proxy by IP address to the browser settings and continue browsing, as the DNS resolution now happens on the proxy side.

Configure network connection restrictions with Group Policy instead:

User Configuration\Administrative Templates\Network\Network Connections

If you need to restrict anything, Group Policy is here for that. Any setting made using a login script can be reverted.

Esa Jokinen
  • The user cannot modify the network settings so they won't be able to change the DNS back. The network restriction GPO settings, from what I can tell, only disable the users from modifying the network settings, which is already enforced. – Andy Peterson Oct 31 '17 at 21:12
  • The above logon script does work, but I just want to remove the static DNS settings when the user logs off. – Andy Peterson Oct 31 '17 at 21:21
  • 2
    `Logon script ... user cannot modify the network settings` - Logon scripts execute with the permissions of the user. If they can set the DNS settings they can unset the DNS settings. – Zoredache Oct 31 '17 at 22:59
  • This is tried and tested and the user can't change the DNS. My question was how to set the DNS back to DHCP via a logoff script. – Andy Peterson Nov 01 '17 at 07:13
  • Limiting access to phonebooks doesn't prevent making phone calls. Updated my answer to give some examples on how this applies here. – Esa Jokinen Nov 01 '17 at 07:14
  • Users don't have access to the command line and they can't create their own scripts, and if they could they couldn't do anything with them. An HTTP proxy won't work since the proxy settings are limited to IE only. In the environment these computers are in, the login script is doing its job. There is no need to delve into my methods since you don't have the full picture of the users' restrictions. I just wanted a way to remove the forced DNS as they log off. Nevertheless, I have found another way to deal with it without messing around with the DNS or HTTP proxy; look at my answer below. – Andy Peterson Nov 01 '17 at 09:13
  • Yes, I even +1 it since that's the correct method. :) – Esa Jokinen Nov 01 '17 at 09:46

I have found a setting in the GPO which might just do the job instead of messing around with the DNS settings:

User Configuration\Administrative Templates\System\Internet Communication Management

Restrict Internet Communication

I won't be able to try this for another 2 days.