Ray - Not sure yet but I've found this paper which seems to explain. About isolating a domain using ipsec and gpos.

http://tinyurl.com/2ln2ck

There's an Encryption Isolation Group Policy in the appendix that seems suitable combined with enforcing the ipsec service as Mathieu suggested.

Cheers
Neil

> This is a very interesting topic.
>
> Guys, which IP Security Policy should be active within the GPO and what
> changes should be made?
>
> Cheers
>
> Ray
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Neil Berry
> Sent: 25 January 2007 19:49
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Disabling Computer Accounts
>
> Thanks Mathieu
>
> Good idea - that would make them pretty much unusable!
> Just what I need
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Mathieu CHATEAU
> Sent: 25 January 2007 19:04
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Disabling Computer Accounts
>
> Hello,
>
> on the GPO to block, add IPSEC so to deny any non encrypted traffic
> (mandatory to encrypt).
>
> As only these stations use IPSEC, they won't be able to connect to other
> workstations or servers.
>
> The only solution for those bad boys is to stop the ipsec windows service,
> so you will enforce it started through the same GPO
>
> Regards,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
> ----- Original Message -----
> From: <neil@xxxxxxxxxxxxxxxx>
> To: <gptalk@xxxxxxxxxxxxx>
> Sent: Thursday, January 25, 2007 5:03 PM
> Subject: [gptalk] Disabling Computer Accounts
>
>> Hi all,
>>
>> Does anyone have any ideas on how best to achieve the following.
>>
>> I need to make a computer that is initially built into the domain -
>> virtually unusable until it is placed in the correct OU.
>>
>> I had thought of applying a very restrictive GPO to the default computers
>> OU which made it unusable but not quite sure which settings to apply and
>> if there are any issues with doing this.
>>
>> It is basically to stop people bypassing build procedures and policies and
>> not putting the computer into the correct OU.
>>
>> Thanks for any thoughts :)
>>
>> Neil
>> ***********************
>> You can unsubscribe from gptalk by sending email to
>> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
>> logging into the freelists.org Web interface. Archives for the list are
>> available at //www.freelists.org/archives/gptalk/
>> ************************