Computers in My Network Places

My boss made a request that I am not sure is possible.

We have a Windows 2003 R2 domain with four sites in Active Directory. The
site links are setup properly and AD replication seems to be working pretty
well. Each site has about 40 Windows XP professional computers, one domain
controller and one file server.

Every domain controller in each site has DNS and WINS installed. We have a
legacy application that requires WINS.

When a user opens My Network Places --- Entire Network --- Microsoft Windows
Network --- (Our Domain Name), all computers from all 4 sites are displayed.
My boss want users from Site A to see only the workstations from Site A, the
same would also be true for site B, C and D.

Users should not be able to view computers from different sites on the
Network Neighborhood but if they know the name of a computer in a different
site they should be able to go to start, run and map to the computer share by
\\computer name\share.

I am not sure if there is a registry setting or GPO that allows this type of
behavior. I have found information on how to hide one computer by changing a
value in a registry key but if I do that nobody on the site can see the
machine either.

I do agree that this is not the best way to secure or prevent a security
threat but since the request is coming from upper management we have to take
care of it.

Any help would help would be greatly
appreciated
--
Jean Marcelo MCSE & CCNA

The first thing to realize is that this has nothing to do with AD or
DNS. The browse list is built by the computer browser service which uses
Netbios names.

The browser service was developed for NT. Initially it only worked on a
LAN, but it was extended to work on a LAN by using Netbios over TCP/IP and
WINS. So the reason that it works in your WAN is that WINS allows the
browsers to see each other across the WAN links and build a network-wide
browse list.

The troubleshooting guides for the browser service are all directed to
telling you how you can enable browsing across a LAN rather than how to
prevent it.

Each site would only see its own browse list if your WINS servers did
not replicate, but that would probably kill the app which relies on WINS.


"Jean Marcelo" <(E-Mail Removed)> wrote in message
news:0FB27137-75B5-4DFF-8CA9-(E-Mail Removed)...
> My boss made a request that I am not sure is possible.
>
> We have a Windows 2003 R2 domain with four sites in Active Directory. The
> site links are setup properly and AD replication seems to be working
> pretty
> well. Each site has about 40 Windows XP professional computers, one domain
> controller and one file server.
>
> Every domain controller in each site has DNS and WINS installed. We have a
> legacy application that requires WINS.
>
> When a user opens My Network Places --- Entire Network --- Microsoft
> Windows
> Network --- (Our Domain Name), all computers from all 4 sites are
> displayed.
> My boss want users from Site A to see only the workstations from Site A,
> the
> same would also be true for site B, C and D.
>
> Users should not be able to view computers from different sites on the
> Network Neighborhood but if they know the name of a computer in a
> different
> site they should be able to go to start, run and map to the computer share
> by
> \\computer name\share.
>
> I am not sure if there is a registry setting or GPO that allows this type
> of
> behavior. I have found information on how to hide one computer by changing
> a
> value in a registry key but if I do that nobody on the site can see the
> machine either.
>
> I do agree that this is not the best way to secure or prevent a security
> threat but since the request is coming from upper management we have to
> take
> care of it.
>
> Any help would help would be greatly
> appreciated
> --
> Jean Marcelo MCSE & CCNA
>
>