Re: Require connecting systems to be a Domain Computers

From: Kevin3DR
Date: 06/11/05

Date: Fri, 10 Jun 2005 18:18:20 -0500

Yeah, it looks like that will work. Thank you again for your

I was hoping that it would be a little easier, like a local policy or
something in which I include the group Domain Computers.

Oh well.

On Fri, 10 Jun 2005 09:58:18 -0500, "Steven L Umbach" wrote:

>If you have an ipsec require policy on the server and use the default
>kerberos computer authentication for the ipsec SA then the computer must be
>a domain member to connect to the server. There are a couple of things to
>keep in mind. In such case the server must not be a domain controller, the
>ipsec require policy will need to exempt all domain controllers with a rule
>that has a permit filter action for all traffic and the domain controllers
>listed in a filter by their static IP addresses, and any domain client that
>needs to connect to that server will need to be ipsec capable and be using
>at least the ipsec respond/client policy. Ipsec policies should be
>thoroughly tested out on preferably a test domain or at least a test OU
>before implementing. You can use AH, ESP, or null encryption ESP if you do
>not want the overhead of encryption. The links below may help. --- Steve
>;en-us;Q254949 ---
>applies to Windows 2003 also
>"Kevin3DR" wrote in message
>> Does anyone know how to prohibit computers from connecting to a
>> Windows 2003 Server share unless the system they are connecting from
>> is a member of the domain?
>> I have a few "power users" and developers who keep removing their systems
>> from the domain, and just connecting to the server by browsing and
>> using their domain credentials. These users need to be able to add
>> computers to the domain, as they reinstall Windows often to test stuff
>> on clean machines.
>> If I don't allow them to connect to the file server unless their
>> system is a part of the domain, that will solve the problem.
>> I feel that this should be such an obvious thing to do, but I have yet
>> to see any information on how to do this.
>> Kevin
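
Added example, not part of the original thread: one way to script the policy described in the quoted reply on the file server, using the `netsh ipsec static` context of Windows Server 2003. The policy, filter list and filter action names are arbitrary, and 192.0.2.10 and 192.0.2.11 are placeholder domain controller addresses.

```batch
@echo off
rem Added example (not from the thread). All names are arbitrary labels;
rem 192.0.2.10 and 192.0.2.11 are placeholder addresses for the domain
rem controllers. Run on the file server, which must not itself be a DC.
set POL=Require Domain Members

netsh ipsec static add policy name="%POL%" description="Kerberos-authenticated IPsec required"

rem Filter list 1: traffic between this server and each domain controller,
rem listed by static IP address. Mirrored so both directions match.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=192.0.2.10 description="DC1" protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=192.0.2.11 description="DC2" protocol=ANY mirrored=yes

rem Filter list 2: all other IP traffic to and from this server.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=Any dstaddr=Me description="Any to server" protocol=ANY mirrored=yes

rem Filter actions. "Permit" passes traffic without IPsec. "Require ESP"
rem negotiates security and never falls back to clear text (inpass=no,
rem soft=no). For null-encryption ESP use qmsecmethods="ESP[None,SHA1]".
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require ESP" inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]"

rem Rules. The more specific DC filter wins over the Any filter, so the
rem server can still reach the DCs for Kerberos. kerberos=yes means only
rem computers with a domain computer account can complete the IPsec SA.
netsh ipsec static add rule name="Exempt DCs" policy="%POL%" filterlist="Domain Controllers" filteraction="Permit"
netsh ipsec static add rule name="Require IPsec" policy="%POL%" filterlist="All Traffic" filteraction="Require ESP" kerberos=yes

rem Review the result before assigning. Assign only on a test server first.
netsh ipsec static show policy name="%POL%" level=verbose
rem netsh ipsec static set policy name="%POL%" assign=y
```

Domain clients still need at least the respond/client policy assigned, or their connections to this server will fail once the policy is assigned.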
