Help On My Network Connections

By apaullo
Mar 31, 2008
  1. Hi..i just want to ask for help on my Network Connections..i want to refrain the users from accessing it...not necessarily the control panel but the Network folder only..the users usually change the IP Address on the PC...thus creating address conflict in other PCs..is there any way or tweak that could disable access on Network folder only??
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    But it's not a folder

    Start Run %SystemRoot%\explorer.exe ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007acc7-3202-11d1-aad2-00805fc1270e}

    The Start menu folder is just a shortcut to the explorer network connections shortcut!
  3. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    umm..sorry if i can't understand heheh...what's that you're typing??
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm just saying, there is no folder (except for the start menu folder - which doesn't matter)
  5. I think you can set a local security policy to disallow users access to the network connections control panel applet, but if your users are logged in as admins there is nothing to stop them from changing this. If you're unwilling/unable to set up proper permissions for whatever reason then just disable the network connections service. This will prevent your average joe from reconfiguring the network, unless they're familiar with starting and stopping services.
  6. jobeard

    jobeard TS Ambassador Posts: 9,156   +598

    threaten them with moving their account to LUA status -- they will not be able to modify system settings.

    btw: Power Users and Network Admin users are above LUA but below Admins in permissions.
  7. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    i tried using the gpedit.msc..and enabling the prevent access to properties of LAN and i rebooted..but it still doesn't the administrator of this pc and i can't prevent it in accessing the LAN properties :(
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Remove the taskbar icon, and access to Control Panel.

    Also set them up with Limited account
  9. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    i can't limit them to limited account..also i need Control panel to be accessible..only the LAN network need not be accessible..
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Click here --> How to Hide Control Panel Applets (Windows 95/98/Me/NT/2000/XP)

    Or as a policy restriction:
    To Hide Network control panel applet is configured at:
    On the Edit menu, Add Value name DisallowCpl, as a REG_DWORD data type. Set the data value to 1.
    On the Edit menu, Add Key name DisallowCpl. For each applet you wish to hide, add a REG_SZ value in the following format:
    Sequence# REG_SZ ncpa.cpl
  11. jobeard

    jobeard TS Ambassador Posts: 9,156   +598

    why not? There are relatively few programs that will not run on a limited user access(LUA) account.
  12. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    i already tried hiding the Network Connections..and it works fine but my superior is asking if it is possible to just disable access on Network connections alone..

    and jobeard..we in the computers dept of our company already tried limiting their account..but we received complaints from other offices saying they must have administrator we have no choice but to obey..:(
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    So the hiding applet works?
    If so, then other than the Group policy setting, the hiding sounds like the best choice.

    Be aware that this is not a file or folder (as mentioned earlier) and disabling this function is not ideal. ie The user will not be able to repair their network.
    I suppose that's what you want, so again hiding is the easiest option.

    By the way you are aware that under Limited account, that you can right click on any program and select run as Administrator (also using an Administrator password)

    Please note, all users are allowed access to network connections (as an Administrator) in basically all industries from process worker to government staff.
    It is strange to try to stop this on an Administrator privileged computer.
  14. jobeard

    jobeard TS Ambassador Posts: 9,156   +598

    This is always an emotional (and political) issue and the bottom line becomes who will maintain the systems,
    the workers, with no formal training or certification, or the I.T. department with trained staff
    and the knowledge to manage the systems in keeping with the company policies (both written and computer GPOs).
    If Joe-Nerd must have Admin rights, then he also gets
    to apply the updates, do the backups, and when it crashes -- get it running again.
    He can't have it both ways.

    Usually, there are only a few would-be nerds that think they need the keys to the
    kingdom and moving them to Power Users will suffice. Call a meeting and get them
    to try it out.

    btw: they will still be able to change the network :(
  15. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    kim..that's what our dept is trying to limit the access on normal users from the network connections....we are still on manual configuration of ip address and we have no way in stopping them from changing their IP's..thus making conflict with other users...i think they will complain when we tried to give them limited accounts but disabling the access on network is ok..

    and jobeard..that's the problem...there are so many joe-nerd in our company..and when the pc gets in trouble..we are the ones who must repair it..or if there are some who complains about not connected to the network we are the ones who must find a solution...

    we had a meeting and my assignment is look for ways to prevent the users from changing their assigned IP's
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    If you're using server environment and a domain (instead of WorkGroup computers)
    The user would not even be able to login without the domain Server running.
    And the IP could be assigned through each computer's mac address or name. Therefore not allowing them to change just about anything!
    ie if they did try to change the IP settings, the next login would put it right (let alone the fact that they would not be able to access the network or Internet anyway from changing their IP)

    Domain Servers with all settings/files including My Documents and also the login is by far your best choice. Too much info to put here though, on configuring one.
  17. jobeard

    jobeard TS Ambassador Posts: 9,156   +598

    obviously I've been there. Why in heck are they fussing with IPs?
    There's nothing to gain and everything to lose!
    hum; you don't need assigned IPs; with a Domain Controller (i assume you're running one), your LDAP or DC
    should be using DHCP for everything except servers.
    Even w/o an LDAP or DC, you can still use DHCP addresses!

    Anyone forcing a static will soon create an IP conflict and maybe halt the entire lan subnet -- goody --
    just advertise that Joey-Nerdnic took you all down because he couldn't leave the
    network alone. PEER PRESSURE will do your job for you about the third time it occurs :)
  18. Stealth3si

    Stealth3si TS Member Posts: 33


    If you're using a post-Windows 2000 OS, then that could be the reason why it still doesn't work. In which case, have you tried enabling "Enable Windows 2000 Network Connections settings for Administrators," assuming you're an "admin?" I'm using WinXP myself and just tried those two steps w/o having to reboot and it worked like a charm. However, I haven't tested to see if that "restriction" is still applicable upon reboot. :)
  19. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    we are still using static IP's hehehe...and yes i still don't have any solution...there are about 600 working pc with different OS from 98, 2000, and XP..and we can only cater 255 ip there is a great possibility that they can change or add an IP..thus creating conflict...i have tweak manager with me but it doesn't seem to work..the prohibiting to access network properties tweak..:(
  20. You will never stop such people fiddling around unless you set up correct user groups and permissions. Until then, there is no solution to your problem. With all of those users running with root access you're asking for trouble and wasting your time trying to "hide" the network config from them. Even if you disable the network connections service they will still be able to restart it and/or reconfigure the network through the command line.
  21. Stealth3si

    Stealth3si TS Member Posts: 33

    Try this. Load up an RIS server or something similar and deploy one of those "key/mouse stroking monitoring programs" (i.e. UserMonitor) and discipline the ones that actually do the changing. Or you could threaten to fire them. :D
  22. apaullo

    apaullo TS Rookie Topic Starter Posts: 80

    heheh or they can fire me for not finding any solution..i told my boss hiding the Network Connections can be sufficient in preventing conflicts since our users are not that familiar with pc troubleshooting..i just hope it will be sufficient :p
  23. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I think it's the only option on an Administrator account.
    You've been asked to do the impossible, the only answer (as I have mentioned) is Server Domain and that's it.
  24. hiway

    hiway TS Rookie

    The Network Connections icon in the Control Panel represents a Shell folder, and the ncpa.cpl just launches the shell folder. One way to hide the Network Connections folder is to add the GUID {7007ACC7-3202-11D1-AAD2-00805FC1270E} to the Non enumerate list (NonEnum) in the registry.

    To do this:
    Start REGEDIT.EXE and navigate to:
    HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ NonEnum


    HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ NonEnum

    Select NonEnum, and in the right-pane, create a REG_DWORD value named {7007ACC7-3202-11D1-AAD2-00805FC1270E} and set its data to 1

    Close REGEDIT

    Tell us it worked or not.
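
The registry change described in the post above, as an added PowerShell example that is not part of the original thread: it writes the NonEnum value under both hives and reads it back to confirm. It assumes PowerShell is installed on the machine; the function names `Set-NonEnumHide` and `Test-NonEnumHide` are hypothetical.

```powershell
# Added example (not from the thread). Assumes PowerShell is available.
# The GUID and key paths are the ones given in the post above.
$Guid  = '{7007ACC7-3202-11D1-AAD2-00805FC1270E}'
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum'
)

# Hypothetical helper: create the key if it is missing, then set the DWORD to 1.
function Set-NonEnumHide {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Hypothetical helper: read the value back; $true only if it exists and equals 1.
function Test-NonEnumHide {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return (($null -ne $item) -and ($item.$Name -eq 1))
}

# Writing under HKLM needs administrator rights; HKCU only affects the current user.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$IsAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

foreach ($path in $Paths) {
    if ($path -like 'HKLM:*' -and -not $IsAdmin) {
        Write-Warning "Skipping ${path}: writing HKLM needs administrator rights"
        continue
    }
    Set-NonEnumHide -Path $path -Name $Guid
    '{0} -> hidden: {1}' -f $path, (Test-NonEnumHide -Path $path -Name $Guid)
}
```

As the thread points out, this only removes the folder from view: an account with administrator rights can undo the value or reconfigure the network from the command line.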
  25. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Actually just inserting the hide switch is easier.

    But the original post member has confirmed that he now is aware of the hide option, but is concerned it is not enough. He's right!
Topic Status:
Not open for further replies.
