Re: Require connecting systems to be a Domain Computers

From: Steven L Umbach (
Date: 06/10/05

  • Next message: matchstich: "ms02-039"
    Date: Fri, 10 Jun 2005 09:58:18 -0500

    If you have an IPsec require policy on the server and use the default
    Kerberos computer authentication for the IPsec SA, then the computer must be
    a domain member to connect to the server. There are a couple of things to
    keep in mind. In such a case the server must not be a domain controller, the
    IPsec require policy will need to exempt all domain controllers with a rule
    that has a permit filter action for all traffic and the domain controllers
    listed in a filter by their static IP addresses, and any domain client that
    needs to connect to that server will need to be IPsec capable and be using
    at least the IPsec respond/client policy. IPsec policies should be
    thoroughly tested out, preferably on a test domain or at least a test OU,
    before implementing. You can use AH, ESP, or null encryption ESP if you do
    not want the overhead of encryption. The links below may help. --- Steve

    ;en-us;Q254949 --- applies to Windows 2003 also

    "Kevin3DR" <> wrote in message
    > Does anyone know how to prohibit computers from connecting to a
    > Windows 2003 Server share unless the system they are connecting from
    > is a member of the domain.
    > I have a few "power users" and developers who keep removing their systems
    > from the domain, and just connecting to the server by browsing and
    > using their domain credentials. These users need to be able to add
    > computers to the domain, as they reinstall Windows often to test stuff
    > on clean machines.
    > If I don't allow them to connect to the file server unless their
    > system is a part of the domain, that will solve the problem.
    > I feel that this should be such an obvious thing to do, but I have yet
    > to see any information on how to do this.
    > Kevin

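The server-side policy Steve describes, written out as a netsh script for Windows Server 2003. This is an added example, not part of the original thread or anything Steve posted; the policy, filter list and filter action names, and the 192.0.2.x domain controller addresses are placeholders and must be replaced with your own.

```batch
@echo off
rem Added example (not from the original post): server-side IPsec "require" policy
rem as described in the reply above, built with netsh on Windows Server 2003.
rem Run on the member file server, never on a domain controller. Names and the
rem 192.0.2.x addresses are placeholders.

rem 1. Policy container; left unassigned until it has been reviewed.
netsh ipsec static add policy name="Domain members only" description="Require IPsec with Kerberos computer authentication" assign=no

rem 2. Filter actions. "Permit" serves the DC exemption. "Require IPsec" negotiates
rem    an SA and refuses unprotected traffic: no fallback to clear text (soft=no)
rem    and no inbound passthrough (inpass=no). ESP[None,SHA1] is null-encryption
rem    ESP, integrity only, for when encryption overhead is not wanted; use
rem    ESP[3DES,SHA1] if the traffic should be encrypted as well.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require IPsec" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"

rem 3. Filter lists: every domain controller by its static IP, plus a catch-all.
netsh ipsec static add filterlist name="Domain controllers"
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=192.0.2.10 dstmask=255.255.255.255 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Domain controllers" srcaddr=me dstaddr=192.0.2.11 dstmask=255.255.255.255 protocol=ANY mirrored=yes
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem 4. Rules. The more specific DC filter wins over the catch-all, so DC traffic
rem    passes in the clear and Kerberos itself keeps working. Everything else must
rem    negotiate with Kerberos computer authentication, which only a machine holding
rem    a domain computer account can complete; that is what enforces membership.
netsh ipsec static add rule name="Exempt domain controllers" policy="Domain members only" filterlist="Domain controllers" filteraction="Permit"
netsh ipsec static add rule name="Require IPsec from all other hosts" policy="Domain members only" filterlist="All traffic" filteraction="Require IPsec" kerberos=yes

rem 5. Review the result, then assign only after testing in a test OU or test domain.
netsh ipsec static show policy name="Domain members only" level=verbose
rem netsh ipsec static set policy name="Domain members only" assign=yes
```

The clients still need at least the built-in "Client (Respond Only)" policy assigned, typically through Group Policy on the OU that holds them, or they will fail to negotiate and be refused. The exemption only works while the domain controllers keep the listed static addresses, so adding or re-addressing a DC means updating the "Domain controllers" filter list before the server loses its path to the domain. Once assigned, `netsh ipsec dynamic show mmsas` on the server lists the main-mode SAs, which confirms that a connecting domain member did authenticate with Kerberos rather than fall through unprotected.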