
Active Directory security group controls and Group Policy (OU) restrictions and permissions


We are looking for a way to apply restrictions to Active Directory groups such that we disallow some or all of the following capabilities for the given set of users/machines:

A breakdown of the combination of controls (.ADMX policies, etc.) that could be applied to user or computer configurations (or both) that would address this controls need would be greatly appreciated!


Solution

  • You can do what is required through Group Policy itself. Please refer to the steps below for each action to be blocked, one by one:

    1. Block screen capture through ‘Alt+PrtSc’ and block the ‘Snipping Tool’

    To disable Print Screen via Group Policy, create a .reg file containing:

        Windows Registry Editor Version 5.00

        ; Maps scancodes E0 2A, E0 37 and 54 to 00 (key disabled)
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
        "Scancode Map"=hex:00,00,00,00,00,00,00,00,04,00,00,00,00,00,2a,e0,00,00,37,e0,\
          00,00,54,00,00,00,00,00

    Apply the registry modification through a script (batch file) set at the computer level. Reboot the computer after the GPO is applied.

    To disable the Snipping Tool in Windows 10, navigate to the following setting:

    ‘User Configuration --> Administrative Templates --> Windows Components --> Tablet PC --> Accessories’

    Here, on the right side, double-click ‘Do not allow Snipping Tool to run’ to open its ‘Properties’ and select the ‘Enabled’ option to disable the Snipping Tool in Windows 10.

    2. Block local as well as network printing through Group Policy

    To disable local as well as network printing options, go to the Group Policy editor, ‘User Configuration --> Administrative Templates --> Printers’, and set:

        Browse the network to find printers --> Disable
        Enable Device Control Printing Restrictions --> Enable
        Prevent addition of printers --> Enabled
        Browse a common website to find printers --> Disabled

    3. Blocking of saving and downloading files through Group Policy

    To disable downloads of any kind on a Windows system, go to the Group Policy editor and set:

        User Configuration --> Administrative Templates --> Windows Components --> Internet Explorer --> Security Features --> Restrict File Download --> All Processes --> Enabled

        User Configuration --> Administrative Templates --> Windows Components --> Internet Explorer --> Security Page --> Internet Zone:
            Allow File Downloads --> Disabled
            Allow Font Downloads --> Disabled
            Allow Prompting for File Downloads --> Disabled

    To do the same for Google Chrome, go to ‘Computer Configuration --> Administrative Templates --> Google --> Google Chrome --> Allow Download Restrictions --> Block all downloads’, then restart the client systems.

    4. Blocking of copy and paste actions

    It is not possible to block copy and paste actions completely through Group Policy, except through Azure RMS (Rights Management Services), as the user can copy and paste within the host/system or network drive if given considerate permissions. However, you can block clipboard access for users accessing the systems virtually through RDP, which will disallow the users from using the clipboard between the RDP session and their desktop. The user will still be able to copy and paste on the server itself.

    For this, go to ‘Computer Configuration --> Administrative Templates --> Windows Components --> Remote Desktop Session Host --> Device and Resource Redirection’. Once there, enable the ‘Do not allow clipboard redirection’ option.
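
Added example (not part of the answer above, and not Microsoft tooling): a Python decoder for the "Scancode Map" value from step 1, so the remapping a .reg file applies can be audited before the startup script is deployed. The scancode labels in NAMES are this example's own annotations.

```python
import re
import struct

# The value from the .reg file in step 1, with the line continuation joined.
REG_VALUE = ("hex:00,00,00,00,00,00,00,00,04,00,00,00,00,00,2a,e0,"
             "00,00,37,e0,00,00,54,00,00,00,00,00")

# Set 1 scancodes relevant to this page (labels added by this example).
NAMES = {0xE037: "PrtSc", 0xE02A: "PrtSc prefix (fake shift)",
         0x0054: "Alt+PrtSc (SysRq)", 0x0000: "disabled"}


def parse_reg_hex(text):
    """Turn a .reg 'hex:aa,bb,...' value (continuations allowed) into bytes."""
    body = text.split(":", 1)[1]
    body = re.sub(r"[\\\s]", "", body)  # drop backslash continuations and whitespace
    return bytes(int(b, 16) for b in body.split(",") if b)


def decode_scancode_map(blob):
    """Return [(source_scancode, target_scancode), ...]; raise on malformed data."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 4 whole DWORDs")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("header version/flags must be zero")
    if len(blob) != 12 + 4 * count:
        raise ValueError(f"count={count} does not match length {len(blob)}")
    entries = [struct.unpack_from("<HH", blob, 12 + 4 * i) for i in range(count)]
    if entries[-1] != (0, 0):
        raise ValueError("missing null terminator entry")
    # Each entry is stored as (target, source); report it as source -> target.
    return [(src, dst) for dst, src in entries[:-1]]


def describe(blob):
    """Human-readable list of the remappings in a Scancode Map blob."""
    return [f"{NAMES.get(s, hex(s))} -> {NAMES.get(d, hex(d))}"
            for s, d in decode_scancode_map(blob)]


if __name__ == "__main__":
    for line in describe(parse_reg_hex(REG_VALUE)):
        print(line)
```

Any source scancode in the decoded list that is not one of the three Print Screen codes means the file remaps other keys and should be reviewed before it is pushed to machines.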