
Create profiles for users on a Workgroup and disable Homegroup options & wifi

questorfla:
Sorry this is long but I have never seen anything like this before.

The solution would be pretty simple on a Domain but not so easy on a Work-group.  The situation is this:

It is an office environment where 20 users all connect to the work-group with laptops that run Windows 7, Windows 8 and Windows 8.1. I need a way to configure a network profile that, when chosen, would connect each system to prefigured settings that would have their static IP, sub-net, gateway and DNS for their IPv4 on the Hardwired connections locked in. In addition I need to completely disable all WiFi capability (reason further down). This would be akin to a WORK profile on a Domain. Having this would allow for them to change to a Home Profile when leaving and open up their WiFi for use outside the office.

As the 2nd part, I would like a simple (Hah!) way to disable all HOME-GROUP options and capability and if possible permanently remove all capability for creating or joining one.  These are all office systems which the users DO take home but they do not belong to them so disabling Home-groups should not be an issue.

WHY I want to do this: during a recent network problem, I found today that one person had resorted to using her laptop's WiFi to connect to her iPhone Hot-spot to get on the Internet. As it was explained to me, she had also allowed some of her friends to also use her hot-spot. I do not have all the details as they do not seem to be eager to discuss the issue but one of the people she gave permission to is about 150 ft away from her desk. I have seen (and used) the WiFi hot-spots that are built into a smartphone and I have yet to find one that would carry over 15 ft. Much less 100 ft!

After investigating I found that all of the users who did manage to connect are on the same network switch. That switch connects over 20 people and printers to a line coming from the Office router. In this case, the input to the router had been cut so there was no Internet but apparently the connection through the Switch enabled this one person to in some way use the switch in a "back-flow" manner with her iPhone providing Input to allow these other people 100+ feet away to be able to piggy-back onto her iPhone. Most switches are now "smart" such that any port can be the "input" so the switch just took what it was given and distributed it.

To make matters worse, when I started shutting them all down to try to reconnect the router into the network, several of the systems popped up messages saying that if I rebooted it would break their connection to the >>HOME-GROUP<< they were in!

This <<Home-group>> turned out to belong to yet another user who did not know she was connected to anyone through anything. Much less providing a Full Home-group connection to share ...??? I don't even know what. That mystery I am still trying to resolve. This same procedure also happened on two other systems and they were connected to even more Home-groups owned by people who also did not know they were connected to anyone by anything. No one remembers anything about any kind of questions about permissions or passwords.

I have never seen this type of behavior before but I must find a way to put an end to it!

My Preference would be deleting all Home-Group capability on all systems!  No one uses it and most people honestly did not even know what it was.  But the possibility for serious problems provided by people being interconnected "in the  background" as it were, looks to me like an open invitation to all kinds of bad things.  

Since this is a Work-group and not a domain, I have no control over what, if any, security software each person uses or doesn't use. Viruses and Malware would have a field day in a setup like that where many systems are already on a "hidden in plain sight" sub-group which neither the users nor the owners of had any idea they were connected to. They have no use for it but Something! obviously did.

It could have been this way for months. When they go home, most just shut down Windows and leave. I cannot believe it has been like this for very long or I would have seen it at least once. I found a total of 4 separate systems that were broadcasting invitations to join their Home-group. Yet I have never seen an "invitation" to join anything and no one else says they have either.

None of these people are very Tech-Savvy and none of them even knew what I meant or the risks involved. None of them even knew (or would admit to) having said YES to any kind of connection but I have seen what a Home-group Invite looks like and it is innocuous enough that I doubt anyone would say NO if invited even though they have NO idea what it is.

I have found a multitude of methods for disabling various parts of the Home-group thing but no single solution.  Some of them involve changes in the Registry that involve elevating the permissions to the SHELL group so that a change can be made at all.  It is EASY to turn off WORK-groups so why is it so hard to disable HOME-groups?

Sorry this was so long, I should have made it two questions but I have been at this all day and I have a bad feeling that if I don't find a solution soon, the problems are going to get worse. I have run multiple Malware and AV scans and actually did turn up several PUPs on one system but those are not the kind of thing I would send up a lot of red-flags over although they should not have ANY. Malwarebytes found and removed those very easily. If they are all back again tomorrow THEN I get worried!

In closing. The first and foremost I need is the Profile utility. I have found a few on SourceForge and I am trying to see if any can be configured from what I need.

I could do part of it with a script (disable all WiFi) and that would leave only the hard-wired NIC to deal with. Is there a net-use command to disable WiFi, and re-enable it afterward?

Please excuse typos and other.  It is late and I am totally distraught.


Thanks for anyone who took the time to read this.  

Deozaan:
A computer will automatically try to join a homegroup during the installation of the OS (at least on Windows 7) if it detects one on the network.

If you want a Windows 7 computer to leave a homegroup it is a part of, follow these instructions:

1. Press the Windows button on the keyboard (or open the start menu) and type "HomeGroup" (without quotes) and press Enter.



2. You will see a window that looks like this:



3. Click the "Leave the homegroup..." button. You'll get a popup asking you to confirm, at which point the computer will be removed from ALL homegroups it may be connected to.




And finally, you may want to click on the "Change advanced sharing settings..." on the HomeGroup screen. The bottom section of the advanced settings is related to HomeGroup connections. Changing that to require accounts and passwords rather than HomeGroups may solve the problem of these computers mysteriously re-joining the Homegroups again.

Stoic Joker:
I see only two ways to do this, with a domain, and the wrong way.

You will waste an excruciating amount of time trying to duct tape 3rd party solutions together in an attempt to gain control. A domain based solution OTOH would be comparably cheap if you look at the long term cost savings in just man hours of administrative overhead alone.

Yes, I'm admittedly biased ... But it's based on experience. ;)

40hz:
+1 with Stoic. (We have similar jobs so we have similar biases. ;D) The only good (i.e. effective and reliable) way is using a domain and group policies. Workgroups are bad ju-ju and not worth struggling with.

Have you looked into using something like Windows Server 2012 - either Foundation or Essentials? Dell and some other suppliers can set you up with a preconfigured entry-level server for under a grand. This wouldn't be "enterprise" by any stretch. But for 20 or so users it would solve 98% of all your security issues and give you some attached storage space as well.

Something to think about. :Thmbsup:

4wd:
To add to the answer given by Deo for your second question:

After leaving the HomeGroup you can also disable the facility by disabling the services required for it:

HomeGroupListener
HomeGroupProvider

As described here: How to Disable “HomeGroup” Feature in Windows 7?

This can be done via command line:

sc stop HomeGroupListener
sc config HomeGroupListener start= disabled
sc stop HomeGroupProvider
sc config HomeGroupProvider start= disabled

Also works in Windows 8/8.1
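
As an added example that is not part of the original thread: a batch script that combines the `sc` commands above with `netsh` to cover what the first post asks for, turning Wi-Fi off and pinning the wired adapter to a static IPv4 configuration in the office, then reversing that for use elsewhere. The adapter names, the addresses and the `work`/`home` argument are assumptions and constructed values; substitute the real ones for each laptop.

```batch
@echo off
rem Added example: switch a laptop between an office ("work") and away ("home") network setup.
rem Adapter names and addresses below are constructed placeholders, not values from the thread.
setlocal
set "WIRED=Local Area Connection"
set "WIFI=Wireless Network Connection"
set "IP=192.168.1.50"
set "MASK=255.255.255.0"
set "GW=192.168.1.1"
set "DNS=192.168.1.1"

rem "net session" fails without administrator rights, so it doubles as an elevation check.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated Command Prompt.
    exit /b 1
)

if /i "%~1"=="work" goto work
if /i "%~1"=="home" goto home
echo Usage: %~nx0 work^|home
exit /b 2

:work
rem Turn the wireless adapter off so the laptop cannot join a phone hot-spot in the office.
netsh interface set interface name="%WIFI%" admin=disabled
rem Pin the wired adapter to its static IPv4 address, mask, gateway and DNS server.
netsh interface ipv4 set address name="%WIRED%" source=static address=%IP% mask=%MASK% gateway=%GW%
netsh interface ipv4 set dnsservers name="%WIRED%" source=static address=%DNS% validate=no
rem Stop both HomeGroup services and keep them from starting again (note the space after "start=").
for %%S in (HomeGroupListener HomeGroupProvider) do (
    sc stop %%S >nul
    sc config %%S start= disabled
)
goto report

:home
rem Re-enable wireless and return the wired adapter to DHCP; HomeGroup services stay disabled.
netsh interface set interface name="%WIFI%" admin=enabled
netsh interface ipv4 set address name="%WIRED%" source=dhcp
netsh interface ipv4 set dnsservers name="%WIRED%" source=dhcp

:report
rem Show the resulting adapter state and the service start type so the change can be verified.
netsh interface show interface
sc qc HomeGroupListener | find "START_TYPE"
sc qc HomeGroupProvider | find "START_TYPE"
endlocal
```

Run `netsh interface show interface` first to find the exact adapter names on each machine before editing the variables at the top.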
