How to filter off-site Windows devices with DNS?


Issue: You want to filter Windows Devices when they are offsite

Environment: Windows with Active Directory

Solution: Offsite filtering for Windows devices takes two steps. The first step is to copy the script to a location that students can't delete it from. The second step is to create a Group Policy object that monitors for a network change event and executes the script when that event occurs.

** Note that it is recommended to disable IPv6 on the devices themselves for when they go offsite - please see this article from Microsoft on how to achieve this: **

Part 1: Getting the script copied over:

  1. Download the applicable attached script and edit it to replace the first IP address with your internal DNS server's IP.
  2. Rename the saved script to setdns.bat
  3. Move the script to a shared folder from your server
  4. Open up "Group Policy Management"
  5. Create a new GPO object
  6. Please name this "Copy Securly File"
  7. Right click the newly created GPO and then click "Edit"
  8. Please go to Computer Configuration > Preferences > Windows Settings > Files, right click and go to "New" and then "File"
  9. On the "New File Properties Window" please uncheck "Archive" and check the hidden box. Please click the "..." button for Source File(s) and navigate to the downloaded file.
  10. For Destination file: please input a location that students would not have access to such as C:\windows\setdns.bat , then click on "Apply" and then "OK"

Part 2: Script actions

  1. Open up "Group Policy Management"
  2. Create a new GPO object
  3. Name this policy "Securly DNS actions"
  4. Right click the newly created GPO and select "edit"
  5. Drill down to User Configuration > Preferences > Control Panel Settings > Scheduled Tasks, right click "Scheduled Tasks" and go to New > Scheduled Task (at least Windows 7)

  6. In the Name area please enter "Securly DNS"
  7. Under "Security Options" click the "Change User or Group" button
  8. In the window that popped up please type in "System" and click the "check names" box then click OK
  9. Please also check the "Run with highest privileges" box.
  10. The completed General Tab should look like the below:
  11. Click on the "Triggers" tab and then click the "New" button
  12. For the "Begin the task" drop down, please select "on an event"
  13. Change:
    Log to: "Microsoft-Windows-NetworkProfile/Operational"
    Source to: "Microsoft-Windows-NetworkProfile"
    Event ID to: 10000
    Check the "stop task if it runs longer than" box and set it to: 30 minutes
    Check the Activate box
    Check the Enabled box
    Click the OK box
  14. Click on the "Actions" tab and select "New"

  15. For the "Program/Script" area please enter the path chosen in Part 1: ex:
    then click "ok" to save the changes
  16. Please click "apply" to save all of the settings
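
Because the task runs the batch file as SYSTEM with highest privileges, anyone who can modify that file can run commands as SYSTEM, so the copy's permissions matter as much as its location. The PowerShell below is an added example, not part of the attached script or of Securly's tooling; it only reads settings, and it assumes the destination path C:\windows\setdns.bat from Part 1 and the task name "Securly DNS" from Part 2.

```powershell
# Added example: read-only audit of one endpoint after both GPOs have applied.
# Assumed values: the destination path from Part 1 and the task name from Part 2.
$ScriptPath = 'C:\windows\setdns.bat'
$TaskName   = 'Securly DNS'

# Well-known SIDs allowed to modify the script: SYSTEM, Administrators, TrustedInstaller.
$Trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Rights that let a holder change, replace or re-permission the file.
# The parent directory's ACL is not examined here.
$Risky = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$findings = @()

if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    $findings += "Script not found at $ScriptPath"
} else {
    # Resolve every ACE to a SID so the check does not depend on the OS language.
    $rules = (Get-Acl -LiteralPath $ScriptPath).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $Trusted -notcontains $r.IdentityReference.Value -and
            ($r.FileSystemRights -band $Risky)) {
            $findings += "$($r.IdentityReference.Value) can modify the script: $($r.FileSystemRights)"
        }
    }
}

$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $findings += "Scheduled task '$TaskName' not found"
} else {
    if ($task.Principal.UserId -notmatch '(^|\\)SYSTEM$|^S-1-5-18$') {
        $findings += "Task runs as '$($task.Principal.UserId)', expected SYSTEM"
    }
    if ($task.Actions.Execute -notcontains $ScriptPath) {
        $findings += "Task action is not $ScriptPath"
    }
    # Event triggers expose their event query as XML in the Subscription property.
    $sub = $task.Triggers | ForEach-Object { $_.Subscription }
    if (-not ($sub -match 'NetworkProfile/Operational' -and $sub -match 'EventID\s*=\s*10000')) {
        $findings += 'No trigger on NetworkProfile/Operational event 10000'
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Script ACL and scheduled task match the article settings.' }
```

Run it from an elevated prompt on a test device, since a standard user may not be able to read a task that runs as SYSTEM.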