New Windows 8 Group Policy – Prohibit connection to non-domain networks when connected to domain authenticated network

“Prohibit connection to non-domain networks when connected to domain authenticated network” is a new setting available in Windows 8 Group Policy. In the Windows 8 GPMC, the policy is located in Computer Configuration > Policies > Administrative Templates > Network > Windows Connection Manager > Prohibit connection to non-domain networks when connected to domain authenticated network.

I was actually able to get the policy to work on a laptop with a hard-wired connection and a WiFi connection. First, I authenticated into AD (over the hard-wired connection) and clicked on the Network icon in the Notification Area.

After clicking the Network icon, I was presented with a list of wireless networks available to me. This particular wireless network is a DLink mobile hotspot that I use when I travel for hotels that only offer Ethernet and it was not connected to an Internet connection (and therefore couldn’t get back to my AD). The hotspot was configured as a DHCP server and was giving out IP addresses in a private range that is a completely different subnet than my home network. In these screenshots, it is configured with WPA2, but I tried it on WPA and WEP also with the same results.

Click on the wireless network name and I’m offered a checkbox (which was automatically checked) and a Connect button.

Click the Connect button and I get: Can’t connect to this network – Your network administrator doesn’t allow simultaneous connections to your workplace network and another network.

In this scenario, it looks like I’m falling into: “Manual connection attempts. When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection is blocked.” I’ll have to dig out some hardware (namely a USB Ethernet adapter and another wifi hotspot) to play around with this policy further on physical hardware since doing it in a VM seems to be problematic.

Since this is still a beta, the documentation is a bit lacking. That said, I’m hoping the documentation that will be made available in the future is a little better than the Help box in the GPMC. This is potentially a pretty cool feature to have if you have mobile users that have 3G/4G cards or adapters that have to worry about data caps or you’re in an environment where there are tons of WiFi signals.
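A quick way to audit a client for this setting, as an added example that is not part of the original post: the script reads the policy value and reports whether the machine currently has a domain-authenticated network and a non-domain network connected at the same time. It assumes the policy is stored as `fBlockNonDomain` under the `WcmSvc\GroupPolicy` policy key (the location used by the WCM.admx template, not stated in this article); the function names are hypothetical.

```powershell
# Added example: audit the "Prohibit connection to non-domain networks when
# connected to domain authenticated network" policy on the local machine.
# Assumption: registry location taken from the WCM.admx template, not from the article.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
$policyName = 'fBlockNonDomain'

function Get-BlockNonDomainPolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$policyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-SimultaneousConnectionState {
    # Get-NetConnectionProfile (Windows 8 / Server 2012 and later) lists one
    # profile per connected network, with its category.
    $profiles  = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    $domain    = @($profiles | Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' })
    $nonDomain = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })

    [pscustomobject]@{
        Policy            = Get-BlockNonDomainPolicy
        DomainNetworks    = ($domain    | ForEach-Object { "$($_.Name) [$($_.InterfaceAlias)]" }) -join ', '
        NonDomainNetworks = ($nonDomain | ForEach-Object { "$($_.Name) [$($_.InterfaceAlias)]" }) -join ', '
        # True when the machine is in the state the policy is meant to prevent.
        Simultaneous      = ($domain.Count -gt 0 -and $nonDomain.Count -gt 0)
    }
}

$state = Get-SimultaneousConnectionState
$state | Format-List

if ($state.Simultaneous -and $state.Policy -ne 'Enabled') {
    Write-Warning 'Domain and non-domain networks are connected at the same time and the policy is not enabled.'
}
```

Virtual switch adapters (for example Hyper-V) also show up as connection profiles, so review the `NonDomainNetworks` list before treating a `Simultaneous` result as a finding.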

Kyle Beckman

Kyle is a Systems Administrator with 15+ years of experience. He currently works in Higher Education supporting everything from smartphones to desktop PCs to Hyper-V Failover Clusters. (If it has an IP address, he probably supports it!) He has also worked in Small Business IT consulting supporting a wide variety of businesses and non-profit organizations.

Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG). You can find additional articles he's written on