Our company has many offices spread throughout the world, with each office
having its own IT support staff. Our CTO sent an email about one of the offices
getting a virus through IM. He wanted to make sure that every office had a way
to block IM because all the offices are on the same WAN, which means they can
infect each other. For various reasons, not all the offices wanted to use their
firewalls to block IM. Because all the offices use Active Directory (AD), I
suggested they use Group Policy to stop their users from running IM. Blocking
IM for everyone or for just one person is easy.
If you want to stop everyone from using IM, you can set a Group Policy Object (GPO) for the entire domain. Follow these steps:
- Open the Microsoft Management Console (MMC) Active Directory Users and Computers
snap-in.
- Right-click the organizational unit (OU) for which you want to block IM,
and choose Properties.
- Click the GPO you want to apply.
- Click Edit.
- In Group Policy Editor (GPE), expand User Configuration, Administrative
Templates, System.
- In the right pane, double-click the Don't run specified Windows applications
option.
- Click Enabled, then click Show.
- Click Add and type the name of restricted IM program (e.g., msnmsgr.exe)
- Click OK three times.
- Close GPE.
If you want to stop an individual user from using IM, you can set a GPO for
one specific machine. Follow these steps:
- Go to the user's PC.
- Click Start, then click Run.
- Type gpedit.msc and click OK.
- Follow steps 5 through 10 in the steps just given.
- Reboot the computer.
Note that if a domain-level GPO is defined, it might override this local GPO.
The steps I've outlined work well for most users. However, if you have extremely
savvy users, they can still run the program by renaming the blocked executable
or by executing it from a command prompt.
—Stefan Fagerholm
End of Article
)
Register
BSCGAL April 06, 2006 (Article Rating: