We have a Windows (7 Pro) workstation LAN, managed via Group Policy. Lots of our users run Dropbox. Security concerns aside, one of our netadmins says that our routers/firewalls are handling and blocking tons of UDP broadcast traffic, and they want it to stop. We tracked the traffic to Dropbox's LAN Sync functionality.
Most users on our network don't use LAN Sync (they only have one workstation on the network), but almost everyone with Dropbox, it seems, has it turned on.
Is there a way to centrally disable LAN Sync for Dropbox, for all Windows workstations in a GPO-managed LAN?
The solution doesn't have to be nice and state-based like a true GPO; it can be as simple as a scheduled task that runs something on all workstations daily to disable LAN Sync. Heck, the solution doesn't even have to be a GPO--we can use PS_EXEC to push programs to workstations from the domain controllers. I am just hoping to avoid manually reconfiguring all users' Dropbox applications. Users are local admins, so if they really want to turn LAN Sync on, they can.
Aside: there is literally zero chance of getting management to agree to ban/remove either Dropbox or users' admin privileges.
What I've Tried:
Initially, I figured there would be a GPO-manageable registry key for it. No dice, it turns out; Dropbox keeps all of its configs in a SQLite file.
Then I tried using this script to modify the SQLite file, but newer versions of Dropbox don't seem to have an externally-modifiable config.
One alternative would be to create a rule in Windows Firewall that blocks outbound traffic to the port ranges (or even from the actual program creating the traffic) you are seeing in group policy. That would take the load off the network devices.
Create an Outbound Port Rule on Windows 7, Windows Vista, Windows Server 2008 or Windows Server 2008 R2
This may/should also result in Dropbox itself disabling LAN Sync (based on the Dropbox LAN Sync help page):
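An added example of the outbound firewall rule suggested in this answer (not part of the original answer and not taken from the Dropbox help page): a PowerShell 2.0 script for Windows 7 that creates or re-asserts the block rule through the Windows Firewall COM API, suitable for a GPO startup script or a daily scheduled task. The rule name is hypothetical, and UDP port 17500 for LAN Sync discovery is an assumption to confirm against the traffic your netadmins captured.

```powershell
# Added example: idempotent outbound block rule for Dropbox LAN Sync discovery.
# Run elevated (for example as SYSTEM from a startup script or scheduled task).
# ASSUMPTION: discovery broadcasts go to UDP port 17500; verify with your own capture.
$RuleName   = 'Block Dropbox LAN Sync discovery (UDP out)'   # hypothetical name
$RemotePort = '17500'

# Constants from the Windows Firewall with Advanced Security COM API
$NET_FW_IP_PROTOCOL_UDP = 17
$NET_FW_RULE_DIR_OUT    = 2
$NET_FW_ACTION_BLOCK    = 0
$NET_FW_PROFILE2_ALL    = 0x7FFFFFFF

$policy   = New-Object -ComObject HNetCfg.FwPolicy2
$existing = @($policy.Rules | Where-Object { $_.Name -eq $RuleName })

if ($existing.Count -gt 0) {
    # Users are local admins, so the rule may have been disabled or changed:
    # put it back into the blocking state on every run.
    foreach ($r in $existing) {
        $r.Action  = $NET_FW_ACTION_BLOCK
        $r.Enabled = $true
    }
    Write-Output "Rule '$RuleName' already present; re-asserted."
}
else {
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name        = $RuleName
    $rule.Description = 'Stops LAN Sync UDP broadcasts from leaving the workstation.'
    $rule.Protocol    = $NET_FW_IP_PROTOCOL_UDP   # must be set before RemotePorts
    $rule.RemotePorts = $RemotePort
    $rule.Direction   = $NET_FW_RULE_DIR_OUT
    $rule.Action      = $NET_FW_ACTION_BLOCK
    $rule.Profiles    = $NET_FW_PROFILE2_ALL      # domain, private and public
    $rule.Enabled     = $true
    $policy.Rules.Add($rule)
    Write-Output "Rule '$RuleName' created."
}
```

A rule created this way is a local rule that a local admin can delete; defining the same rule in the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security makes it policy-enforced instead.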
Create a GPO to block the dropbox.exe file from opening.
User Configuration > Policies > Admin Templates > System > Policy > Don't run specified Windows applications.
We use this to also block a lot of the instant messaging apps for a particular department.