
Re: [Active Directory + .NET] Enable / Disable GPOs linked to an Organizational Unit in .NET Code

Discussion in 'Windows Home Server' started by Ace Fekay [MCT], Sep 25, 2009.

  1. "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    news:op.u0tbk4rs48yz2f@dennis.fritz.box...
    >
    > I think the topic explains it all.
    >
    > I am trying to set up an Internet block in my school so our
    > students don't surf the web when they are not supposed to.
    >
    > I am using IPSec in GPO for this. Blocking all traffic except
    > for 192.168.x.x traffic.
    >
    > (Side question, what subnet mask and IP represents this range?
    > I tried 192.168.0.0 and 255.255.0.0. Is this right? I did not
    > test it yet)
    >
    > After this I wanted to give teachers the possibility to run
    > an ASP.NET Website to block all students' Internet Connections.
    >
    > This activates the GPO linked to the Student PC OU.
    >
    > Then it runs gpupdate (or something like this. To reload GPO)
    > by WMI or with PSExec on the PCs and the Internet should be
    > theoretically blocked.
    >
    > I already tried this with one hostname. It worked instantly
    > after GPupdate was applied. The hostname was blocked
    > and unable to be accessed.
    >
    > Thank you in advance
    >
    >
    >
    > Dennis Joachimsthaler
    >
    >
    > P. S.: Sorry, that I posted this in adsi.general too!


    I would recommend to cross-post, not multi-post. I cross-posted my response.

    As for what subnet, it depends on your internal subnet. If your internal
    subnet is 192.168.20.0/24, then I would use 255.255.255.0. You have to match
    your internal subnet. If you want the whole 192.168.0.0/16 range, then you
    can use 255.255.0.0.

    I would actually suggest and consider getting an ISA server to control
    internet access, or better, a third party device such as Packeteer. With
    what you are doing, you may be blocking the ability to get necessary Windows
    updates and other necessary updates.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
    Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    for regional support phone numbers.
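The mask question worked through, as an added example that is not part of the thread. It takes the school's three subnets as stated later in the thread (192.168.1.x, 192.168.2.x and 192.168.3.x), builds the permit network from an address plus dotted mask the way the IPsec filter list takes them, and shows which of the two masks discussed above covers all three. The destination addresses it evaluates are constructed, and the helper names are mine:

```python
"""Evaluate an "allow only the internal range, block everything else" filter.

Added example, not code from the thread. It models the IPsec filter the poster
describes (permit traffic to the internal subnet, block all other traffic) and
checks the two masks under discussion against the school's three subnets.
"""
import ipaddress

# The school's networks as stated in the thread (192.168.1.x, .2.x, .3.x).
SCHOOL_SUBNETS = [ipaddress.ip_network(n) for n in
                  ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]

# Constructed test traffic: internal hosts, a different 192.168 subnet,
# a private 10/8 address and a public address.
SAMPLE_DESTINATIONS = ["192.168.1.1", "192.168.2.2", "192.168.3.77",
                       "192.168.20.5", "10.0.0.1", "93.184.216.34"]


def permit_rule(address, mask):
    """Turn the address + dotted mask entered in an IPsec filter into a network.

    strict=False tolerates host bits being set (the filter UI accepts that too);
    the resulting network is what the filter actually matches on.
    """
    return ipaddress.ip_network("%s/%s" % (address, mask), strict=False)


def covers_all(permit, subnets):
    """True if every subnet in `subnets` lies inside the permit network."""
    return all(sub.subnet_of(permit) for sub in subnets)


def evaluate(destinations, permit):
    """Apply the filter: permit destinations inside the exception, block the rest.

    IPsec filters match on the packet's destination address, not on the next-hop
    gateway, so public addresses are blocked even though the route to them goes
    through an internal gateway such as 192.168.1.1.
    """
    return {dst: ("permit" if ipaddress.ip_address(dst) in permit else "block")
            for dst in destinations}


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        rule = permit_rule("192.168.0.0", mask)
        print(rule, "covers all school subnets:", covers_all(rule, SCHOOL_SUBNETS))
    wide = permit_rule("192.168.0.0", "255.255.0.0")
    for dst, verdict in evaluate(SAMPLE_DESTINATIONS, wide).items():
        print(dst, verdict)
```

With 255.255.255.0 the exception shrinks to 192.168.0.0/24, so traffic to the domain controller at 192.168.1.1 would be blocked together with the Internet and the clients would lose the domain itself. That is the check worth running before assigning the policy: an IPsec block that cuts a PC off from its DC also cuts off the gpupdate that would remove the block.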
     
  2. Re: [Active Directory + .NET] Enable / Disable GPOs linked to an Organizational Unit in .NET Code

    On 25.09.2009, 16:02, Ace Fekay [MCT]
    <aceman@mvps.removethispart.org> wrote:

    > "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    > news:op.u0tbk4rs48yz2f@dennis.fritz.box...
    >>
    >> I think the topic explains it all.
    >>
    >> I am trying to set up an Internet block in my school so our
    >> students don't surf the web when they are not supposed to.
    >>
    >> I am using IPSec in GPO for this. Blocking all traffic except
    >> for 192.168.x.x traffic.
    >>
    >> (Side question, what subnet mask and IP represents this range?
    >> I tried 192.168.0.0 and 255.255.0.0. Is this right? I did not
    >> test it yet)
    >>
    >> After this I wanted to give teachers the possibility to run
    >> an ASP.NET Website to block all students' Internet Connections.
    >>
    >> This activates the GPO linked to the Student PC OU.
    >>
    >> Then it runs gpupdate (or something like this. To reload GPO)
    >> by WMI or with PSExec on the PCs and the Internet should be
    >> theoretically blocked.
    >>
    >> I already tried this with one hostname. It worked instantly
    >> after GPupdate was applied. The hostname was blocked
    >> and unable to be accessed.
    >>
    >> Thank you in advance
    >>
    >>
    >>
    >> Dennis Joachimsthaler
    >>
    >>
    >> P. S.: Sorry, that I posted this in adsi.general too!
    >
    >
    > I would recommend to cross-post, not multi-post. I cross-posted my
    > response.
    >
    > As for what subnet, it depends on your internal subnet. If your internal
    > subnet is 192.168.20.0/24, then I would use 255.255.255.0. You have to
    > match
    > your internal subnet. If you want the whole 192.168.0.0/16 range, then
    > you
    > can use 255.255.0.0.
    >
    > I would actually suggest and consider getting an ISA server to control
    > internet access, or better, a third party device such as Packeteer. With
    > what you are doing, you may be blocking the ability to get necessary
    > Windows
    > updates and other necessary updates.
    >

    I do crossposts by adding a comma and another Newsgroup in my newsgroup
    column up there, right?

    Also... We are a school having the subnets 192.168.1., 192.168.2. and
    192.168.3.

    ISA server? Currently our server residing on IP 1.1 has all the student PCs
    gateway options set to it.

    It routes to the 2.2 IP, which is another server on the school management.
    School PCs do not have access to this .2 network, since it is physically
    not connected. Only through a server with two network cards. And there's
    only routing to the internet set up.

    This means physically it is like this:

    Student PC -> Server 1 -> Server 2 -> Standard Router


    We prevent all PCs from taking patches for Windows. It has caused
    compatibility problems with our software more than once. Software began
    to stop working with some patches.

    Because of that, this is not a problem.

    We do not have much money currently, so we can not buy any software
    and devices for this.

    IPSec is an already built in option, needs no installing at all, works
    instantly when using gpupdate and is free if you already have Windows
    Domain Servers. Also it allows exceptions...

    I already have the GPO dlls from the gpo manager. But I can't figure out
    which classes and functions to use to achieve what I need...

    I have LDAP:// paths, everything. I just need a fast option to
    activate and deactivate the links between a GPO and an OU

    Thanks in advance...
     
  3. "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    news:op.u0thuonp48yz2f@dennis.fritz.box...
    > On 25.09.2009, 16:02, Ace Fekay [MCT]
    > <aceman@mvps.removethispart.org> wrote:
    >
    >> "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    >> news:op.u0tbk4rs48yz2f@dennis.fritz.box...
    >>>
    >>> I think the topic explains it all.
    >>>
    >>> I am trying to set up an Internet block in my school so our
    >>> students don't surf the web when they are not supposed to.
    >>>
    >>> I am using IPSec in GPO for this. Blocking all traffic except
    >>> for 192.168.x.x traffic.
    >>>
    >>> (Side question, what subnet mask and IP represents this range?
    >>> I tried 192.168.0.0 and 255.255.0.0. Is this right? I did not
    >>> test it yet)
    >>>
    >>> After this I wanted to give teachers the possibility to run
    >>> an ASP.NET Website to block all students' Internet Connections.
    >>>
    >>> This activates the GPO linked to the Student PC OU.
    >>>
    >>> Then it runs gpupdate (or something like this. To reload GPO)
    >>> by WMI or with PSExec on the PCs and the Internet should be
    >>> theoretically blocked.
    >>>
    >>> I already tried this with one hostname. It worked instantly
    >>> after GPupdate was applied. The hostname was blocked
    >>> and unable to be accessed.
    >>>
    >>> Thank you in advance
    >>>
    >>>
    >>>
    >>> Dennis Joachimsthaler
    >>>
    >>>
    >>> P. S.: Sorry, that I posted this in adsi.general too!
    >>
    >>
    >> I would recommend to cross-post, not multi-post. I cross-posted my
    >> response.
    >>
    >> As for what subnet, it depends on your internal subnet. If your internal
    >> subnet is 192.168.20.0/24, then I would use 255.255.255.0. You have to
    >> match
    >> your internal subnet. If you want the whole 192.168.0.0/16 range, then
    >> you
    >> can use 255.255.0.0.
    >>
    >> I would actually suggest and consider getting an ISA server to control
    >> internet access, or better, a third party device such as Packeteer. With
    >> what you are doing, you may be blocking the ability to get necessary
    >> Windows
    >> updates and other necessary updates.
    >>
    >
    > I do crossposts by adding a comma and another Newsgroup in my newsgroup
    > column up there, right?
    >
    > Also... We are a school having the subnets 192.168.1., 192.168.2. and
    > 192.168.3.
    >
    > ISA server? Currently our server residing on IP 1.1 has all the student
    > PCs
    > gateway options set to it.
    >
    > It routes to the 2.2 IP, which is another server on the school management.
    > School PCs do not have access to this .2 network, since it is physically
    > not connected. Only through a server with two network cards. And there's
    > only routing to the internet set up.
    >
    > This means physically it is like this:
    >
    > Student PC -> Server 1 -> Server 2 -> Standard Router
    >
    >
    > We prevent all PCs from taking patches for Windows. It has caused
    > compatibility problems with our software more than once. Software began
    > to stop working with some patches.
    >
    > Because of that, this is not a problem.
    >
    > We do not have much money currently, so we can not buy any software
    > and devices for this.
    >
    > IPSec is an already built in option, needs no installing at all, works
    > instantly when using gpupdate and is free if you already have Windows
    > Domain Servers. Also it allows exceptions...
    >
    > I already have the GPO dlls from the gpo manager. But I can't figure out
    > which classes and functions to use to achieve what I need...
    >
    > I have LDAP:// paths, everything. I just need a fast option to
    > activate and deactivate the links between a GPO and an OU
    >
    > Thanks in advance...


    That is correct about cross-posting.

    Since this is coming down to a GPO question, I cross-posted it to the GPO
    group. I removed microsoft.public.adsi.general, since that is not relevant
    to your question/subject, but I retained General, since that is your
    original posted group.

    If there is internet access and it is from 1.1 to 2.2, then they have
    access to 2.2, that is if they are astute to figure it out, otherwise you
    wouldn't have internet access, the way it works.

    You could easily use a fake Proxy IP address in a GPO only applied to the
    student OU.

    I don't know what you mean by the GPO DLLs from the GPO manager. To set a
    GPO, you simply use the Group Policy Management Console, and right click the
    Student OU, create and link a GPO. Then right click it, and choose Edit.
    There are over 800 settings in a GPO, so you have to be careful on what you
    change.

    GPOs are linked to OUs. Depending on the settings you are trying to control,
    they can either be a user based setting, or a computer based setting.

    This also means that you must organize your users and computers in their own
    respective OUs, meaning creating a Student OU, Student PC OU, Faculty Users
    OU, Faculty PC OU, Servers OU (not touching the domain controllers), etc.

    So you are saying you want to use IPSec for controlling the student PCs?
    Then the GPO with an IPSec Policy will need to be on the Student PC OU, not
    on the user account OU, since this is a computer setting. This can also mean
    that if they were to logon to a faculty user's PC (if they gain access to
    one) that does not have the IPSec policy (eg that you allow faculty to
    access the internet), they can get access.

    Also, if the "server" in your diagram that has two NICs is a domain
    controller, then we refer to that as a multihomed DC, and they are extremely
    problematic.

    Ace
     
  4. Re: [Active Directory + .NET] Enable / Disable GPOs linked to an Organizational Unit in .NET Code

    On 25.09.2009, 17:37, Ace Fekay [MCT]
    <aceman@mvps.removethispart.org> wrote:

    > "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    > news:op.u0thuonp48yz2f@dennis.fritz.box...
    >> On 25.09.2009, 16:02, Ace Fekay [MCT]
    >> <aceman@mvps.removethispart.org> wrote:
    >>
    >>> "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    >>> news:op.u0tbk4rs48yz2f@dennis.fritz.box...
    >>>>
    >>>> I think the topic explains it all.
    >>>>
    >>>> I am trying to set up an Internet block in my school so our
    >>>> students don't surf the web when they are not supposed to.
    >>>>
    >>>> I am using IPSec in GPO for this. Blocking all traffic except
    >>>> for 192.168.x.x traffic.
    >>>>
    >>>> (Side question, what subnet mask and IP represents this range?
    >>>> I tried 192.168.0.0 and 255.255.0.0. Is this right? I did not
    >>>> test it yet)
    >>>>
    >>>> After this I wanted to give teachers the possibility to run
    >>>> an ASP.NET Website to block all students' Internet Connections.
    >>>>
    >>>> This activates the GPO linked to the Student PC OU.
    >>>>
    >>>> Then it runs gpupdate (or something like this. To reload GPO)
    >>>> by WMI or with PSExec on the PCs and the Internet should be
    >>>> theoretically blocked.
    >>>>
    >>>> I already tried this with one hostname. It worked instantly
    >>>> after GPupdate was applied. The hostname was blocked
    >>>> and unable to be accessed.
    >>>>
    >>>> Thank you in advance
    >>>>
    >>>>
    >>>>
    >>>> Dennis Joachimsthaler
    >>>>
    >>>>
    >>>> P. S.: Sorry, that I posted this in adsi.general too!
    >>>
    >>>
    >>> I would recommend to cross-post, not multi-post. I cross-posted my
    >>> response.
    >>>
    >>> As for what subnet, it depends on your internal subnet. If your
    >>> internal
    >>> subnet is 192.168.20.0/24, then I would use 255.255.255.0. You have to
    >>> match
    >>> your internal subnet. If you want the whole 192.168.0.0/16 range, then
    >>> you
    >>> can use 255.255.0.0.
    >>>
    >>> I would actually suggest and consider getting an ISA server to control
    >>> internet access, or better, a third party device such as Packeteer.
    >>> With
    >>> what you are doing, you may be blocking the ability to get necessary
    >>> Windows
    >>> updates and other necessary updates.
    >>>
    >>
    >> I do crossposts by adding a comma and another Newsgroup in my newsgroup
    >> column up there, right?
    >>
    >> Also... We are a school having the subnets 192.168.1., 192.168.2. and
    >> 192.168.3.
    >>
    >> ISA server? Currently our server residing on IP 1.1 has all the student
    >> PCs
    >> gateway options set to it.
    >>
    >> It routes to the 2.2 IP, which is another server on the school
    >> management.
    >> School PCs do not have access to this .2 network, since it is physically
    >> not connected. Only through a server with two network cards. And there's
    >> only routing to the internet set up.
    >>
    >> This means physically it is like this:
    >>
    >> Student PC -> Server 1 -> Server 2 -> Standard Router
    >>
    >>
    >> We prevent all PCs from taking patches for Windows. It has caused
    >> compatibility problems with our software more than once. Software began
    >> to stop working with some patches.
    >>
    >> Because of that, this is not a problem.
    >>
    >> We do not have much money currently, so we can not buy any software
    >> and devices for this.
    >>
    >> IPSec is an already built in option, needs no installing at all, works
    >> instantly when using gpupdate and is free if you already have Windows
    >> Domain Servers. Also it allows exceptions...
    >>
    >> I already have the GPO dlls from the gpo manager. But I can't figure out
    >> which classes and functions to use to achieve what I need...
    >>
    >> I have LDAP:// paths, everything. I just need a fast option to
    >> activate and deactivate the links between a GPO and an OU
    >>
    >> Thanks in advance...
    >
    >
    > That is correct about cross-posting.
    >
    > Since this is coming down to a GPO question, I cross-posted it to the GPO
    > group. I removed microsoft.public.adsi.general, since that is not
    > relevant
    > to your question/subject, but I retained General, since that is your
    > original posted group.
    >
    > If there is internet access and it is from 1.1 to 2.2, then they
    > have
    > access to 2.2, that is if they are astute to figure it out, otherwise you
    > wouldn't have internet access, the way it works.
    >
    > You could easily use a fake Proxy IP address in a GPO only applied to the
    > student OU.
    >
    > I don't know what you mean by the GPO DLLs from the GPO manager. To set a
    > GPO, you simply use the Group Policy Management Console, and right click
    > the
    > Student OU, create and link a GPO. Then right click it, and choose Edit.
    > There are over 800 settings in a GPO, so you have to be careful on what
    > you
    > change.
    >
    > GPOs are linked to OUs. Depending on the settings you are trying to
    > control,
    > they can either be a user based setting, or a computer based setting.
    >
    > This also means that you must organize your users and computers in their
    > own
    > respective OUs, meaning creating a Student OU, Student PC OU, Faculty
    > Users
    > OU, Faculty PC OU, Servers OU (not touching the domain controllers), etc.
    >
    > So you are saying you want to use IPSec for controlling the student PCs?
    > Then the GPO with an IPSec Policy will need to be on the Student PC OU,
    > not
    > on the user account OU, since this is a computer setting. This can also
    > mean
    > that if they were to logon to a faculty user's PC (if they gain access to
    > one) that does not have the IPSec policy (eg that you allow faculty to
    > access the internet), they can get access.
    >
    > Also, if the "server" in your diagram that has two NICs is a domain
    > controller, then we refer to that as a multihomed DC, and they are
    > extremely
    > problematic.
    >
    > Ace
    >
    >

    I will just retain your newsgroup posting settings
    (microsoft.public.windows.group_policy,microsoft.public.windows.server.active_directory,microsoft.public.windows.server.general)
    since I am not very fluent with this yet, sorry.

    I found the ADSI newsgroup in a standard BBS board. They told somebody to
    use this one.
    He had the same problem as me, so I trusted this.

    Well...

    The student PCs only have indirect access to 2.2. through 1.1.

    1.1 and 2.2 have two NICs.

    Student-Server has 1.1 and 2.24 as IP addresses
    Management-Server has 1.2 and 2.2 as IP addresses.

    1.1 AND 2.2 are BOTH Domain controllers. But each only control 1.x and 2.x
    respectively.

    There's a NAT Routing set from 1.1 to 2.2. No network bridges there.


    Also I have already set the IPSec rules and all this.

    Basically I already have a GPO linked to the two OUs which apply (Room
    134 and Room 135).

    This GPO linked to them both is disabled on both. Now I want to change
    this "disabled" option for each of the rooms with .NET commands. Basically
    this will be an ASP.NET Website with administrator rights on the domain
    controller secured by domain authentication.

    Teachers can get in there by typing their user and password.

    There will be buttons to disable / enable the block rule. Those first
    enable/disable the rule, then they execute gpupdate on every single student
    PC to force those rules instantly.

    In theory, no one will be able to go on any website from now on.

    I already tried this manually with one PC and only blocking a single
    website. It worked flawlessly.


    So I have already set up the whole surroundings. I just need a small piece
    of code which activates those two policies linked to the OU! But the other
    advice was also helpful.
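The part the thread never gets to is the link flag itself. The following is an added example, not code from the thread or from any Microsoft library: it shows where the enabled/disabled state of a GPO link actually lives and computes the new value, so a web page would only need to read the OU's gPLink attribute, call this, and write the result back (in .NET through System.DirectoryServices, which is not shown here). The GPO GUIDs, the domain DN and the OU names are invented. Two practitioner points are built in: the code refuses OUs outside a fixed list, so a forged request cannot point the change at some other OU, and nothing here needs the web application to hold administrator rights on the domain controller; a dedicated account with write permission on the gPLink and gPOptions attributes of the two room OUs (what GPMC's "Link GPOs" delegation grants) is enough.

```python
"""Compute new gPLink values to enable or disable a GPO link on an OU.

Added example, not code from the thread or from any Microsoft API. A GPO link
is not an object of its own: it lives in the OU's gPLink attribute, a single
string of the form
    [LDAP://cn={GPO-GUID},cn=policies,cn=system,DC=...;OPTIONS][...]
where OPTIONS is a bitmask: bit 0 (value 1) = link disabled, bit 1 (value 2)
= enforced. Flipping the disabled bit is what GPMC's "Link Enabled" does.
The functions only compute the new attribute value; reading and writing the
attribute is the caller's job. GUIDs and DNs below are invented.
"""
import re
from dataclasses import dataclass

LINK_DISABLED = 0x1   # bit 0: link exists but is not applied
LINK_ENFORCED = 0x2   # bit 1: "Enforced" (formerly "No Override")

_LINK_RE = re.compile(r"\[(?P<dn>LDAP://[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)


@dataclass
class GpoLink:
    dn: str
    options: int

    @property
    def enabled(self) -> bool:
        return not (self.options & LINK_DISABLED)

    @property
    def enforced(self) -> bool:
        return bool(self.options & LINK_ENFORCED)

    @property
    def guid(self) -> str:
        """The {GUID} part of the link's DN, upper-cased for comparison."""
        m = re.search(r"cn=(\{[0-9a-f-]+\})", self.dn, re.IGNORECASE)
        return m.group(1).upper() if m else ""


def parse_gplink(value):
    """Split a gPLink string into links. OUs without links carry None, '' or ' '."""
    value = (value or "").strip()
    links = [GpoLink(m.group("dn"), int(m.group("opts")))
             for m in _LINK_RE.finditer(value)]
    if _LINK_RE.sub("", value).strip():          # leftover text = unknown syntax
        raise ValueError("unrecognised gPLink syntax: %r" % value)
    return links


def format_gplink(links):
    """Inverse of parse_gplink; the link order is preserved."""
    return "".join("[%s;%d]" % (link.dn, link.options) for link in links)


def set_link_enabled(value, gpo_guid, enabled):
    """Return the gPLink value with the named GPO's link enabled or disabled.

    Only the disabled bit changes; enforcement and all other links are kept.
    """
    links = parse_gplink(value)
    wanted = gpo_guid.upper()
    matched = False
    for link in links:
        if link.guid == wanted:
            matched = True
            if enabled:
                link.options &= ~LINK_DISABLED
            else:
                link.options |= LINK_DISABLED
    if not matched:
        raise LookupError("GPO %s is not linked to this OU" % gpo_guid)
    return format_gplink(links)


# Constructed sample data: the Internet-block GPO linked but disabled (;1)
# next to a second GPO that is enabled and enforced (;2).
BLOCK_GPO = "{5A7C2C26-0A4B-4A4E-9B5A-1C2D3E4F5A6B}"
OTHER_GPO = "{1F2E3D4C-5B6A-4978-8C9D-0E1F2A3B4C5D}"
SAMPLE_GPLINK = (
    "[LDAP://cn=%s,cn=policies,cn=system,DC=school,DC=local;1]"
    "[LDAP://cn=%s,cn=policies,cn=system,DC=school,DC=local;2]"
    % (BLOCK_GPO, OTHER_GPO)
)

# OUs the web front end may touch (invented DNs). Refusing anything else means
# a tampered request cannot aim the change at a different OU.
MANAGED_OUS = {
    "OU=Room 134,OU=Student PCs,DC=school,DC=local",
    "OU=Room 135,OU=Student PCs,DC=school,DC=local",
}


def new_gplink_for_ou(ou_dn, current_gplink, enable_block):
    """The value the web app would write back to one room's OU."""
    if ou_dn not in MANAGED_OUS:
        raise PermissionError("OU not managed by this tool: %s" % ou_dn)
    return set_link_enabled(current_gplink, BLOCK_GPO, enable_block)


if __name__ == "__main__":
    room = "OU=Room 134,OU=Student PCs,DC=school,DC=local"
    blocked = new_gplink_for_ou(room, SAMPLE_GPLINK, True)
    for link in parse_gplink(blocked):
        print(link.guid, "enabled" if link.enabled else "disabled",
              "enforced" if link.enforced else "")
```

On Windows Server 2008 R2 the same flag is exposed as Set-GPLink -LinkEnabled in the GroupPolicy PowerShell module, which is the simpler route if the web server can run it. Either way the change only reaches the PCs after the gpupdate the poster already plans, and, as Ace notes, an IPsec policy is a computer setting, so only machines in those two OUs are affected.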
     
  5. "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    news:op.u0tv59tx48yz2f@dennis.fritz.box...
    > On 25.09.2009, 17:37, Ace Fekay [MCT]
    > <aceman@mvps.removethispart.org> wrote:
    >
    >> "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    >> news:op.u0thuonp48yz2f@dennis.fritz.box...
    >>> On 25.09.2009, 16:02, Ace Fekay [MCT]
    >>> <aceman@mvps.removethispart.org> wrote:
    >>>
    >>>> "Dennis Joachimsthaler" <dennis@efjot.de> wrote in message
    >>>> news:op.u0tbk4rs48yz2f@dennis.fritz.box...
    >>>>>
    >>>>> I think the topic explains it all.
    >>>>>
    >>>>> I am trying to set up an Internet block in my school so our
    >>>>> students don't surf the web when they are not supposed to.
    >>>>>
    >>>>> I am using IPSec in GPO for this. Blocking all traffic except
    >>>>> for 192.168.x.x traffic.
    >>>>>
    >>>>> (Side question, what subnet mask and IP represents this range?
    >>>>> I tried 192.168.0.0 and 255.255.0.0. Is this right? I did not
    >>>>> test it yet)
    >>>>>
    >>>>> After this I wanted to give teachers the possibility to run
    >>>>> an ASP.NET Website to block all students' Internet Connections.
    >>>>>
    >>>>> This activates the GPO linked to the Student PC OU.
    >>>>>
    >>>>> Then it runs gpupdate (or something like this. To reload GPO)
    >>>>> by WMI or with PSExec on the PCs and the Internet should be
    >>>>> theoretically blocked.
    >>>>>
    >>>>> I already tried this with one hostname. It worked instantly
    >>>>> after GPupdate was applied. The hostname was blocked
    >>>>> and unable to be accessed.
    >>>>>
    >>>>> Thank you in advance
    >>>>>
    >>>>>
    >>>>>
    >>>>> Dennis Joachimsthaler
    >>>>>
    >>>>>
    >>>>> P. S.: Sorry, that I posted this in adsi.general too!
    >>>>
    >>>>
    >>>> I would recommend to cross-post, not multi-post. I cross-posted my
    >>>> response.
    >>>>
    >>>> As for what subnet, it depends on your internal subnet. If your
    >>>> internal
    >>>> subnet is 192.168.20.0/24, then I would use 255.255.255.0. You have to
    >>>> match
    >>>> your internal subnet. If you want the whole 192.168.0.0/16 range, then
    >>>> you
    >>>> can use 255.255.0.0.
    >>>>
    >>>> I would actually suggest and consider getting an ISA server to control
    >>>> internet access, or better, a third party device such as Packeteer.
    >>>> With
    >>>> what you are doing, you may be blocking the ability to get necessary
    >>>> Windows
    >>>> updates and other necessary updates.
    >>>>
    >>>
    >>> I do crossposts by adding a comma and another Newsgroup in my newsgroup
    >>> column up there, right?
    >>>
    >>> Also... We are a school having the subnets 192.168.1., 192.168.2. and
    >>> 192.168.3.
    >>>
    >>> ISA server? Currently our server residing on IP 1.1 has all the student
    >>> PCs
    >>> gateway options set to it.
    >>>
    >>> It routes to the 2.2 IP, which is another server on the school
    >>> management.
    >>> School PCs do not have access to this .2 network, since it is physically
    >>> not connected. Only through a server with two network cards. And there's
    >>> only routing to the internet set up.
    >>>
    >>> This means physically it is like this:
    >>>
    >>> Student PC -> Server 1 -> Server 2 -> Standard Router
    >>>
    >>>
    >>> We prevent all PCs from taking patches for Windows. It has caused
    >>> compatibility problems with our software more than once. Software began
    >>> to stop working with some patches.
    >>>
    >>> Because of that, this is not a problem.
    >>>
    >>> We do not have much money currently, so we can not buy any software
    >>> and devices for this.
    >>>
    >>> IPSec is an already built in option, needs no installing at all, works
    >>> instantly when using gpupdate and is free if you already have Windows
    >>> Domain Servers. Also it allows exceptions...
    >>>
    >>> I already have the GPO dlls from the gpo manager. But I can't figure out
    >>> which classes and functions to use to achieve what I need...
    >>>
    >>> I have LDAP:// paths, everything. I just need a fast option to
    >>> activate and deactivate the links between a GPO and an OU
    >>>
    >>> Thanks in advance...
    >>
    >>
    >> That is correct about cross-posting.
    >>
    >> Since this is coming down to a GPO question, I cross-posted it to the GPO
    >> group. I removed microsoft.public.adsi.general, since that is not
    >> relevant
    >> to your question/subject, but I retained General, since that is your
    >> original posted group.
    >>
    >> If there is internet access and it is from 1.1 to 2.2, then they
    >> have
    >> access to 2.2, that is if they are astute to figure it out, otherwise you
    >> wouldn't have internet access, the way it works.
    >>
    >> You could easily use a fake Proxy IP address in a GPO only applied to the
    >> student OU.
    >>
    >> I don't know what you mean by the GPO DLLs from the GPO manager. To set a
    >> GPO, you simply use the Group Policy Management Console, and right click
    >> the
    >> Student OU, create and link a GPO. Then right click it, and choose Edit.
    >> There are over 800 settings in a GPO, so you have to be careful on what
    >> you
    >> change.
    >>
    >> GPOs are linked to OUs. Depending on the settings you are trying to
    >> control,
    >> they can either be a user based setting, or a computer based setting.
    >>
    >> This also means that you must organize your users and computers in their
    >> own
    >> respective OUs, meaning creating a Student OU, Student PC OU, Faculty
    >> Users
    >> OU, Faculty PC OU, Servers OU (not touching the domain controllers), etc.
    >>
    >> So you are saying you want to use IPSec for controlling the student PCs?
    >> Then the GPO with an IPSec Policy will need to be on the Student PC OU,
    >> not
    >> on the user account OU, since this is a computer setting. This can also
    >> mean
    >> that if they were to logon to a faculty user's PC (if they gain access to
    >> one) that does not have the IPSec policy (eg that you allow faculty to
    >> access the internet), they can get access.
    >>
    >> Also, if the "server" in your diagram that has two NICs is a domain
    >> controller, then we refer to that as a multihomed DC, and they are
    >> extremely
    >> problematic.
    >>
    >> Ace
    >>
    >>
    >
    > I will just retain your newsgroup posting settings
    > (microsoft.public.windows.group_policy,microsoft.public.windows.server.active_directory,microsoft.public.windows.server.general)
    > since I am not very fluent with this yet, sorry.
    >
    > I found the ADSI newsgroup in a standard BBS board. They told somebody to
    > use this one.
    > He had the same problem as me, so I trusted this.
    >
    > Well...
    >
    > The student PCs only have indirect access to 2.2. through 1.1.
    >
    > 1.1 and 2.2 have two NICs.
    >
    > Student-Server has 1.1 and 2.24 as IP addresses
    > Management-Server has 1.2 and 2.2 as IP addresses.
    >
    > 1.1 AND 2.2 are BOTH Domain controllers. But each only control 1.x and 2.x
    > respectively.
    >
    > There's a NAT Routing set from 1.1 to 2.2. No network bridges there.
    >
    >
    > Also I have already set the IPSec rules and all this.
    >
    > Basically I already have a GPO linked to the two OUs which apply (Room
    > 134 and Room 135).
    >
    > This GPO linked to them both is disabled on both. Now I want to change
    > this "disabled" option for each of the rooms with .NET commands. Basically
    > this will be an ASP.NET Website with administrator rights on the domain
    > controller secured by domain authentication.
    >
    > Teachers can get in there by typing their user and password.
    >
    > There will be buttons to disable / enable the block rule. Those first
    > enable/disable the rule, then they execute gpupdate on every single student
    > PC to force those rules instantly.
    >
    > In theory, no one will be able to go on any website from now on.
    >
    > I already tried this manually with one PC and only blocking a single
    > website. It worked flawlessly.
    >
    >
    > So I have already set up the whole surroundings. I just need a small piece
    > of code which activates those two policies linked to the OU! But the other
    > advice was also helpful.

    Sounds like you did your homework. :)

    As far as the code, you are referring to something to trap any web request
    forcing anyone to log on, and if authenticated, allows internet access. Many
    schools, hotels, and other companies do this. There are pre-packaged
    solutions that involve a proxy server that performs this. This is more of
    what it sounds like you need. You can set a proxy server address in all
    machines using a GPO, which will invoke your app (or a third party
    solution), and come up with an authentication prompt.

    To find out more about coding something like this, if not purchasing a
    pre-packaged solution, such as Cisco's Authenticating Proxy, an option on
    their firewalls, as well as other third party. I believe Squid is free. So
    why burden yourself writing something when you can get a free one? :)

    Cisco's Proxy (part of the firewall)

    Free:
    Squid Web Proxy Cache: Squid is a caching proxy for the Web supporting HTTP,
    HTTPS, FTP, and more. Squid can reduce your server load and improve delivery
    speeds to clients.


    By the way, as I said, multihomed DCs are problematic. I really do not
    suggest to use your DCs in the fashion that you've setup. I would rather
    suggest to use a non-DC for a routing solution, if you do not want to use a
    hardware solution. You may find in some instances, that GPOs may not apply,
    logon problems, and other issues that will arise with multihomed DCs. It may
    take a tutorial of how AD and its reliance on DNS works, as well as
    understanding AD Site configurations, to understand why. Please read my blog
    on multihomed DCs, and how to configure a DC to work (it takes registry and
    other settings changes to force it to work).

    Multihomed DCs with DNS, RRAS, multiple IPs, and/or PPPoE adapters


    Ace
     
