Settings to Allow Computers that are Members of a Domain to Join a Homegroup

Applies To: Windows 7

HomeGroup is a new feature in Windows 7 that enables an easy setup for sharing files and printers on a home network. It also enables users to easily access media through Windows Media Player, Windows Media Center, and compatible media devices in the home. For example, a user can take home a computer that is a member of a domain at work, join an existing homegroup, and gain access to printers and shared files on computers in the home.

Important

If users take home a computer that is a member of a domain at work, and they join the computer to a homegroup, they cannot share any content from the work computer with the computers in the homegroup. This security feature prevents inadvertently sharing proprietary information with other homegroup users.

Why allow a computer that is a member of a domain to join a homegroup?

Joining a computer that is a member of a domain at work to a homegroup on a home network enables work-at-home scenarios that have been difficult in the past.

Historically, if users wanted to work at home, they might use a removable device to transfer files and media between their home and work computers. Or they might send sensitive documents to their public e-mail accounts, and then open and print them on a computer that is connected to their home printer. There are security mitigations for these practices, but they create difficulties for users who want to work at home.

HomeGroup in Windows 7 addresses these issues. By joining a work computer to a homegroup, users do not have to compromise security or use nonstandard means to work at home.

Note

Users cannot create a homegroup from their work computer, but they can join a homegroup that already exists.

How can a computer that is a member of a domain participate in a homegroup?

One of the easiest ways for users to work successfully at home is to grant them administrative credentials. As an administrator, the user can change settings and permissions, and install printer drivers. However, the majority of enterprises need to enforce additional security, and they cannot allow their users to run their computers with administrative credentials.

To join a homegroup, a user must set their network location to Home. To allow users without administrative privileges to join a homegroup, Windows 7 changes the default so that these users can change the network location on a computer. In previous versions of Windows, this was not possible. A new group policy, Require domain users to elevate when setting a network’s location, is added to control this behavior. Users cannot change settings for their domain network. For example, a user cannot apply the Home network location to their Domain network. The actual work environment remains unchanged from Windows Vista.

Note

Administrators can still change the network locations. They can also join a homegroup.

With this capability, a user can take home a computer that is a member of the domain at work, join it to the home network, set the network location to Home, and detect and join a homegroup. This scenario enables the computer to discover and automatically set up shared printers in the home (if they have drivers with Windows logos). The computer can also discover and use media from other computers that are members of the homegroup.

What settings are required for a computer that is a member of a domain to participate in a homegroup?

Administrators need to configure the following settings to enable the user to join a computer that is a member of a domain at work to a homegroup:

  • Firewall settings

  • IPsec settings

  • Group Policy settings

Firewall settings

For a computer to participate in a homegroup, certain firewall ports must be open. If you use Windows Firewall, the required ports are opened by default when a user selects the Home network location. If a non-Microsoft firewall is deployed or customized settings are used, all of the ports in the following list must be opened for the user’s home network:

The following ports are opened by selecting the Home network location:

  • Network discovery (includes WSD, UPnP, SSDP):

    UDP 5355, UDP 138, UDP 137, UDP 3702, UDP 1900, TCP 2869, TCP 5357, TCP 5358

  • Remote Assistance:

    UDP 3540, UDP 1900, TCP 2869

Note

These ports are part of the default “private” profile, and they have no interaction with HomeGroup. They are listed here for completeness only.

When a computer that is a member of a domain joins a homegroup, the HomeGroup feature opens these additional ports:

  • Peer-to-Peer Grouping:

    TCP 3587

  • Peer Name Resolution Protocol (PNRP):

    UDP 3540

IPsec settings

For proper HomeGroup functionality, organizations with IPsec deployments should use domain-based Group Policy settings to deliver IPsec policies. You should include a rule that allows hosts that do not use IPsec from the 192.168.x.x range to contact the computer on TCP 3587 (Peer-to-Peer Grouping) and UDP 3540 (PNRP).

Depending on the specifics of the employees’ home network configuration (specifically, if addresses are delivered through DHCP), IT administrators might need to add additional addresses to the allowed list for these ports. If this rule is not deployed, the work computer will cause problems for other computers that attempt to join the homegroup. Specifically, when a new computer attempts to join a homegroup that is advertised by a computer from work, the connection will time out.
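The firewall and IPsec steps above, as an added example that is not from this page: a provisioning script an administrator could run on a Windows 7 domain-joined laptop before it is taken home. It uses netsh (the tool available on Windows 7; the New-NetFirewallRule cmdlets only exist from Windows 8 on). The rule names are my own, and the home range 192.168.0.0/16 is an assumption that expresses the page’s "192.168.x.x" as a subnet.

```powershell
# Added example, not part of the TechNet page. Run elevated on Windows 7.
# Assumption: the home network uses 192.168.0.0/16 (the page's "192.168.x.x").
$homeRange = "192.168.0.0/16"

# 1. Ports the HomeGroup feature opens: Peer-to-Peer Grouping (TCP 3587) and
#    PNRP (UDP 3540). Only needed when a customized or non-Microsoft firewall
#    does not open them on the Home location. Scoping to profile=private and
#    to the home range keeps them closed on the domain and public profiles.
$homeGroupPorts = @(
    @{ Name = "HomeGroup-P2P-Grouping-In"; Protocol = "TCP"; Port = 3587 },
    @{ Name = "HomeGroup-PNRP-In";         Protocol = "UDP"; Port = 3540 }
)
foreach ($p in $homeGroupPorts) {
    netsh advfirewall firewall add rule name=$($p.Name) dir=in action=allow `
        protocol=$($p.Protocol) localport=$($p.Port) `
        remoteip=$homeRange profile=private
}

# 2. IPsec exemption the page calls for. Home computers do not carry the
#    corporate IPsec policy, so without an exemption their attempt to join a
#    homegroup advertised by the work computer times out. A connection
#    security rule with action=noauthentication, limited to the two HomeGroup
#    ports and the home range, leaves the rest of the IPsec policy intact.
#    port1 belongs to endpoint1 (the local computer), endpoint2 is the peer.
netsh advfirewall consec add rule name=HomeGroup-IPsec-Exempt-TCP3587 `
    endpoint1=any endpoint2=$homeRange protocol=tcp port1=3587 `
    action=noauthentication profile=private
netsh advfirewall consec add rule name=HomeGroup-IPsec-Exempt-UDP3540 `
    endpoint1=any endpoint2=$homeRange protocol=udp port1=3540 `
    action=noauthentication profile=private

# 3. Verify what was created before the laptop leaves the building.
netsh advfirewall firewall show rule name=HomeGroup-P2P-Grouping-In
netsh advfirewall firewall show rule name=HomeGroup-PNRP-In
netsh advfirewall consec show rule name=all | Select-String "HomeGroup-IPsec"
```

In a managed environment the same rules belong in the domain-based Group Policy that delivers the IPsec policy, as the page recommends, rather than in a per-machine script.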

Group Policy settings

There are three Group Policy settings in the Group Policy Management Console that IT administrators can use to control computers that are members of a domain at work and are joining a homegroup.

The full path of this node in the Group Policy Management Console is:

Computer Configuration\Administrative Templates\Network\Network Connections

Available policy settings:

Name: Require domain users to elevate when setting a network’s location

Explanation: This policy setting allows you to control the ability of standard domain users to change their network location.

If you enable this policy setting, users must elevate when changing their network location. Administrative privileges are required to do so. (This is the same behavior as in Windows Vista.)

If you disable or do not configure (default setting) this policy setting, standard domain users can change their network location.

Requirements: At least Windows 7 or Windows Server 2008 R2

 

The full path of this node in the Group Policy Management Console is:

Computer Configuration\Administrative Templates\Windows Components\HomeGroup

Available policy settings:

Name: Prevent the computer from joining a homegroup

Explanation: This policy setting allows you to control the ability of users to join a homegroup.

If you enable this policy setting, users cannot detect or join a homegroup.

If you disable or do not configure (default setting) this policy setting, users can detect and join a homegroup.

Requirements: At least Windows 7 or Windows Server 2008 R2

 

The full path of this node in the Group Policy Management Console is:

Computer Configuration\Administrative Templates\Printers

Available policy settings:

Name: Point and Print Restrictions

Explanation: This policy setting allows you to control the installation of printer drivers from the homegroup.

If you enable this policy setting, computers that are members of a homegroup can install a printer driver from a remote computer in the same homegroup only if that driver is already installed on the local computer.

If you disable or do not configure (default setting) this policy setting, computers that are members of a homegroup will automatically discover and install printer drivers from other computers in the same homegroup.

Requirements: At least Windows Vista