Introduction

So, it turns out stopping people from connecting via VPN on a domain network isn’t super straightforward, but it’s doable. Basically, you set up a GPO (Group Policy Object) that restricts VPN creation or use on their PCs. If you’re worried about unapproved VPNs or just want tighter control on who’s accessing what, these steps really help. Just be aware that on some setups, these policies might need a reboot or a gpupdate /force to kick in properly. And, because Windows loves to throw in some surprises, testing this on a small group first is a good move.

Prerequisites

Before diving into the juicy stuff, make sure you’ve got:

  • Admin rights on your Windows Server 2019 or 2022 machine.
  • Group Policy Management Console (GPMC) installed — usually part of the Remote Server Administration Tools.
  • A decent understanding of your Active Directory structure, like where your OUs are.

Step 1: Open the Group Policy Management Console

First step is finding the GPMC. Head over to Server Manager, then click on Tools, and pick Group Policy Management. If that’s not there, you might need to install the RSAT tools. Once open, you’ll see your domain listed.

Step 2: Create a New GPO

Navigate your domain tree on the left (like yourdomain.local), right-click the OU (or the domain itself if you want a blanket rule), then choose Create a GPO in this domain, and link it here. Name it something like Block VPN Access. Sounds obvious, but that keeps things clear later. On some setups, this might fail the first time — just restart GPMC or log out and back in.

Step 3: Edit the GPO to Add VPN Restrictions

Right-click your new GPO and choose Edit. It will open up the Group Policy Management Editor. Now, you want to go down this path in the left pane:

User Configuration → Policies → Administrative Templates → Network → Network Connections

Windows, of course, makes blocking VPNs a little tricky: some related policies might sit under different nodes depending on your version or updates, so keep an eye out.

Step 4: Enable Policies to Stop VPN Usage

Here’s where the magic happens. Enable these policies:

  1. Double-click Prohibit TCP/IP advanced configuration.
    Set it to Enabled. This stops users from editing network configs that could include VPN settings on some setups.

  2. Double-click Prohibit access to the new connection wizard.
    Enable this one too. Might not block all VPNs, but it prevents starting new connections via the wizard.

  3. Double-click Prohibit access to remote access preferences in the advanced menu.
    Enable it.

  4. And finally, Prohibit access to properties of LAN connections.
    Turn that on.

Why it helps: these policies basically make it harder for users to even see VPN options or tweak their network settings. That’s the goal. When might it be useful? Pretty much whenever users are trying to set up their own VPNs against company policy or when you’re trying to tighten security.

What should you expect? Fewer VPN pop-ups, and less chance of folks accidentally or intentionally connecting to outside VPNs. And again, a reboot or a gpupdate /force command on client machines can speed things up.

Step 5: Push Out the Changes

Once saved, these policies will apply after some time or on reboot. If you want to speed things up on client computers, open Command Prompt or PowerShell and run:

gpupdate /force

That forces policies to refresh immediately. Beware, on some machines, it might need a log off and back in or a reboot to fully enforce the restrictions.
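If you'd rather script Steps 2 through 4 than click through GPMC, here is one way to do it with the GroupPolicy PowerShell module. This is an added example, not part of the original walkthrough. The pilot OU path is a placeholder, and the registry value names and the "Enabled = DWORD 0" mapping are assumptions taken from the NetworkConnections.admx template, so confirm them against your own ADMX files before relying on them.

```powershell
#Requires -Modules GroupPolicy
param(
    [string]$GpoName  = 'Block VPN Access',                      # name from Step 2
    [string]$TargetOu = 'OU=PilotUsers,DC=yourdomain,DC=local'   # hypothetical pilot OU
)

# User-side policy key behind the Network Connections node from Step 3.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Network Connections'

# Step 4 setting (as named on this page) -> value name in NetworkConnections.admx.
# Assumption: confirm the value names against the ADMX in your central store.
$settings = [ordered]@{
    'Prohibit TCP/IP advanced configuration'                            = 'NC_AllowAdvancedTCPIPConfig'
    'Prohibit access to the new connection wizard'                      = 'NC_NewConnectionWizard'
    'Prohibit access to remote access preferences in the advanced menu' = 'NC_DialupPrefs'
    'Prohibit access to properties of LAN connections'                  = 'NC_LanProperties'
}

# Step 2: create the GPO only if it does not exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Restricts the built-in VPN/connection UI'
}

# Step 4: "Enabled" for these "Prohibit ..." policies is stored as DWORD 0
# (assumption, per the ADMX enabledValue).
foreach ($name in $settings.Values) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $name -Type DWord -Value 0 | Out-Null
}

# Step 2 (link): attach to the pilot OU unless a link is already there.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.GpoId -notcontains $gpo.Id) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the values back from the GPO so a typo or failed write is visible.
foreach ($entry in $settings.GetEnumerator()) {
    $v = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName $entry.Value
    '{0,-70} {1} = {2}' -f $entry.Key, $v.ValueName, $v.Value
}
```

After running it, do the gpupdate /force from this step on a pilot client and check with gpresult /r /scope:user that Block VPN Access shows up under the applied GPOs.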

Extra Tips & Common Snags

Some tips to make this smoother:

  • Test on a small set of users or computers first — nothing’s more frustrating than breaking things in production.
  • Check for other GPOs that might be conflicting or allowing VPNs through local policies or security settings.
  • Keep users in the loop — sudden restrictions without warning can cause confusion.

Conclusion

Not sure why it works, but these settings block most straightforward VPN setups, making network access a bit more secure. It’s not perfect, but it’s a good start. Just remember that tech is always a step ahead — new VPN apps or tricks might slip through, so stay vigilant.

Frequently Asked Questions

What exactly is a GPO?

It’s just a collection of rules you can push to user or computer accounts in Active Directory, kinda like a remote control for settings.

Can this be limited to certain users?

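Absolutely. Just link the GPO to an OU with only the users or computers you want to restrict. Easy peasy. Keep in mind that the settings from Step 3 live under User Configuration, so they apply based on the user account that logs on.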

I already have VPN stuff installed. Will this stop them?

It probably won’t delete the software, but it should stop users from connecting or configuring it — at least that’s the theory.