Re: Require connecting systems to be a Domain Computers

From: Kevin3DR (dont.spam_at_me.com)
Date: 06/11/05


Date: Fri, 10 Jun 2005 18:18:20 -0500

Yeah, it looks like that will work. Thank you again for your
assistance.

I was hoping that it would be a little easier, like a local policy or
something in which I include the group Domain Computers.

Oh well.

On Fri, 10 Jun 2005 09:58:18 -0500, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>If you have an ipsec require policy on the server and use the default
>kerberos computer authentication for the ipsec SA then the computer must be
>a domain member to connect to the server. There are a couple of things to
>keep in mind. In such case the server must not be a domain controller, the
>ipsec require policy will need to exempt all domain controllers with a rule
>that has a permit filter action for all traffic and the domain controllers
>listed in a filter by their static IP addresses, and any domain client that
>needs to connect to that server will need to be ipsec capable and be using
>at least the ipsec respond/client policy. Ipsec policies should be
>thoroughly tested out on preferably a test domain or at least a test OU
>before implementing. You can use AH, ESP, or null encryption ESP if you do
>not want the overhead of encryption. The links below may help. --- Steve
>
>http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 ---
>applies to Windows 2003 also
>
>"Kevin3DR" <dont.spam@me.com> wrote in message
>news:un7ja1hqsj54rvpnndfr1v1hjijo1e3o4o@4ax.com...
>> Does anyone know how to prohibit computers from connecting to a
>> Windows 2003 Server share unless the system they are connecting from
>> is a member of the domain?
>>
>> I have a few "power users" and developers who keep removing their systems
>> from the domain, and just connecting to the server by browsing and
>> using their domain credentials. These users need to be able to add
>> computers to the domain, as they reinstall Windows often to test stuff
>> on clean machines.
>>
>> If I don't allow them to connect to the file server unless their
>> system is a part of the domain, that will solve the problem.
>>
>> I feel that this should be such an obvious thing to do, but I have yet
>> to see any information on how to do this.
>>
>> Kevin
>>
>
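The policy Steve describes in the quoted reply (a require policy on the file server, Kerberos computer authentication for the IPsec SA, and a permit rule that exempts the domain controllers by static IP), written out as `netsh ipsec static` commands for Windows Server 2003. This is an added example and not part of the thread, nor a script from Microsoft's documentation. It assumes the file server is not a domain controller, that the DCs sit at 10.0.0.10 and 10.0.0.11 (placeholder addresses constructed for the example), and every policy, filter-list and filter-action name below is an arbitrary label chosen here.

```batch
@echo off
rem Added example (not from the thread): build the "require IPsec" policy
rem Steve describes, on the Windows Server 2003 file server, with netsh.
rem Assumptions: this server is NOT a domain controller; the DCs have the
rem static addresses 10.0.0.10 and 10.0.0.11 (placeholders constructed for
rem this example); all names below are arbitrary labels chosen here.

rem 1. Policy container. The default response rule stays inactive so that
rem    only the two rules added below decide what happens to traffic.
netsh ipsec static add policy name="Require IPsec from domain members" ^
    description="Only Kerberos-authenticated (domain) computers may connect" ^
    activatedefaultrule=no

rem 2. Filter list matching all traffic to and from this host (mirrored).
netsh ipsec static add filterlist name="All traffic to this server"
netsh ipsec static add filter filterlist="All traffic to this server" ^
    srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 3. Filter list naming each domain controller by its static IP address.
rem    The server must reach the KDC in the clear to obtain the Kerberos
rem    ticket used during IKE, which is why the DCs cannot be covered by
rem    the require rule.
netsh ipsec static add filterlist name="Domain controllers"
netsh ipsec static add filter filterlist="Domain controllers" ^
    srcaddr=me dstaddr=10.0.0.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain controllers" ^
    srcaddr=me dstaddr=10.0.0.11 protocol=any mirrored=yes

rem 4. Filter actions. The require action negotiates null-encryption ESP
rem    (integrity only, the low-overhead option Steve mentions) and never
rem    falls back to clear text: inpass=no rejects unsecured inbound
rem    packets, soft=no refuses unsecured talk with non-IPsec-aware peers.
netsh ipsec static add filteraction name="Require ESP-null" action=negotiate ^
    qmsecmethods="ESP[None,SHA1]" inpass=no soft=no
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Rules. The DC exemption gets the permit action. The catch-all rule
rem    uses Kerberos as its only authentication method, so a machine that
rem    is not a domain member cannot complete IKE main mode at all, no
rem    matter which user credentials it later offers to the share.
netsh ipsec static add rule name="Exempt domain controllers" ^
    policy="Require IPsec from domain members" ^
    filterlist="Domain controllers" filteraction="Permit"
netsh ipsec static add rule name="Require IPsec for everything else" ^
    policy="Require IPsec from domain members" ^
    filterlist="All traffic to this server" filteraction="Require ESP-null" ^
    kerberos=yes

rem 6. Assign the policy. Try this in a test domain or OU first, as Steve
rem    advises; "set policy ... assign=n" is the rollback.
netsh ipsec static set policy name="Require IPsec from domain members" assign=y

rem On each domain client (not on the server) assign the built-in
rem respond-only policy so it answers the server's negotiation:
rem   netsh ipsec static set policy name="Client (Respond Only)" assign=y

rem Checks after assignment: show the assigned policy, then confirm that
rem a connecting domain client appears as a Kerberos-authenticated SA.
rem   netsh ipsec static show policy name="Require IPsec from domain members"
rem   netsh ipsec dynamic show mmsas
```

In production the same objects would normally be created once in a Group Policy IPsec policy rather than with local `netsh ipsec static` commands on each host, but the filter lists, actions and rules are the same. The behaviour Kevin wants follows from the authentication method, not from the share permissions: a workstation that has left the domain has no computer account, so it cannot obtain the Kerberos ticket IKE needs and the SMB session is never reached.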