Our company has many offices spread throughout the world, with each office having its own IT support staff. Our CTO sent an email about one of the offices getting a virus through IM. He wanted to make sure that every office had a way to block IM because all the offices are on the same WAN, which means they can infect each other. For various reasons, not all the offices wanted to use their firewalls to block IM. Because all the offices use Active Directory (AD), I suggested they use Group Policy to stop their users from running IM. Blocking IM for everyone or for just one person is easy.
If you want to stop everyone from using IM, you can set a Group Policy Object (GPO) for the entire domain. Follow these steps:
- Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
- Right-click the organizational unit (OU) for which you want to block IM, and choose Properties.
- Click the GPO you want to apply.
- Click Edit.
- In Group Policy Editor (GPE), expand User Configuration, Administrative Templates, System.
- In the right pane, double-click the Don't run specified Windows applications option.
- Click Enabled, then click Show.
- Click Add and type the name of restricted IM program (e.g., msnmsgr.exe)
- Click OK three times.
- Close GPE.
If you want to stop an individual user from using IM, you can set a GPO for one specific machine. Follow these steps:
- Go to the user's PC.
- Click Start, then click Run.
- Type gpedit.msc and click OK.
- Follow steps 5 through 10 in the steps just given.
- Reboot the computer.
Note that if a domain-level GPO is defined, it might override this local GPO.
The steps I've outlined work well for most users. However, if you have extremely savvy users, they can still run the program by renaming the blocked executable or by executing it from a command prompt.