Re: Require connecting systems to be a Domain Computers
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Fri, 10 Jun 2005 09:58:18 -0500
If you have an ipsec require policy on the server and use the default
kerberos computer authentication for the ipsec SA then the computer must be
a domain member to connect to the server. There are a couple of things to
keep in mind. In such case the server must not be a domain controller, the
ipsec require policy will need to exempt all domain controllers with a rule
that has a permit filter action for all traffic and the domain controllers
listed in a filter by their static IP addresses, and any domain client that
needs to connect to that server will need to be ipsec capable and be using
at least the ipsec respond/client policy. Ipsec policies should be
thoroughly tested out on preferably a test domain or as least a test OU
before implementing. You can use AH, ESP, or null encryption ESP if you do
not the overhead of encryption. The links below may help. --- Steve
"Kevin3DR" <email@example.com> wrote in message
> Does anyone know how to prohibit computers from connecting to a
> Windows 2003 Server share unless the system they are connecting from
> is a member of the domain.
> I a few "power users" and developers who keep removing their systems
> from the domain, and just connecting to the server by browsing and
> using their domain credentials. These users need to be able to add
> computers to the domain, as they reinstall Windows often to test stuff
> on a clean machines.
> If I don't allow them to connect to the file server unless their
> system is a part of the domain, that will solve the problem.
> I feel that this should be such an obvious thing to do, but I have yet
> to see any information on how to do this.