Re: Require connecting systems to be a Domain Computers
From: Kevin3DR (dont.spam_at_me.com)
Date: Fri, 10 Jun 2005 18:18:20 -0500
Yeah, it looks like that will work. Thank you again for your
I was hoping that it would be a little easier, like a local policy or
something in which I include the group Domain Computers.
On Fri, 10 Jun 2005 09:58:18 -0500, "Steven L Umbach"
>If you have an ipsec require policy on the server and use the default
>kerberos computer authentication for the ipsec SA then the computer must be
>a domain member to connect to the server. There are a couple of things to
>keep in mind. In such case the server must not be a domain controller, the
>ipsec require policy will need to exempt all domain controllers with a rule
>that has a permit filter action for all traffic and the domain controllers
>listed in a filter by their static IP addresses, and any domain client that
>needs to connect to that server will need to be ipsec capable and be using
>at least the ipsec respond/client policy. Ipsec policies should be
>thoroughly tested out on preferably a test domain or as least a test OU
>before implementing. You can use AH, ESP, or null encryption ESP if you do
>not the overhead of encryption. The links below may help. --- Steve
>applies to Windows 2003 also
>"Kevin3DR" <firstname.lastname@example.org> wrote in message
>> Does anyone know how to prohibit computers from connecting to a
>> Windows 2003 Server share unless the system they are connecting from
>> is a member of the domain.
>> I a few "power users" and developers who keep removing their systems
>> from the domain, and just connecting to the server by browsing and
>> using their domain credentials. These users need to be able to add
>> computers to the domain, as they reinstall Windows often to test stuff
>> on a clean machines.
>> If I don't allow them to connect to the file server unless their
>> system is a part of the domain, that will solve the problem.
>> I feel that this should be such an obvious thing to do, but I have yet
>> to see any information on how to do this.