RE: Dialup Special Group

From: Greg (123@123.com)
Date: 11/25/02


From: "Greg" <123@123.com>
Date: Mon, 25 Nov 2002 09:52:04 -0800

Sure I know what you're saying however you cannot add
people to the special security group DIALUP. That group's
membership is specific to what you do on the network.
Theoretically when you access the network through Routing
and Remote Access you become a member of the DIALUP group
automatically.

My purpose is due to a security policy. We have a certain
folder, we'll call it "secure", that cannot be accessed by
remote users. Certain users access this folder when in the
office but they cannot use VPN or DIAL-in when they have
permissions to access the "secure" Folder. Currently, if
they have permission to the "secure" folder we have to
manually disallow them use of VPN or Dial-in. We want them
to be able to VPN but at the same time they VPN they get
denied access to the "secure" folder. However, when they
are in the office they should be able to access this
folder. The way the DIALUP group is defined, it should
work by placing the DIALUP group on the "secure" folder
and set DENY permission and add a "secure" group RW. That
way when someone VPN's or Dial-in they become,
automatically, a member of the DIALUP group therefore
denied access when dialed in. And when they are in the
office they gain access to the "secure" folder via
the "secure group" and they are now not a member of the
DIALUP group since they are not VPN'd anymore.

FYI, you only see the DIALUP group when adding permissions
to a folder/file. You don't see it in Active Directory
since membership is controlled through the software.

Greg
>-----Original Message-----
>Hi Greg,
>
>After the user joins in the domain remotely, the permissions of the user will be the same
>as the local user account unless you use another user account to logon remotely. I
>understand that you can add the user in two groups such as dialup and LAN. However,
>the user will be a member of the two groups no matter of logging on locally or remotely.
>So, if the LAN group has the permission to access the folder, the user will access the
>folder locally and remotely. If you deny the dialup group to access the folder, the user
>will not access the folder even if he logs on locally.
>
>Could you let me know the goal that you would like to achieve? Why do you need to
>deny the access permission of the folder when the user logs on remotely?
>
>Sincerely,
>Jack Wang
>Microsoft Online Support Professional
>
>--------------------
>| From: "Greg" <123@123.com>
>| Subject: Dialup Special Group
>| Date: Fri, 22 Nov 2002 13:31:53 -0800
>| Newsgroups: microsoft.public.win2000.security
>|
>| I would like to deny VPN (and/or Dialin) users access to
>| a "Folder" when they are entering the Network remotely.
>| However, when the same user is in the network on the LAN
>| they can gain access. To do this I was thinking about
>| adding the DIALUP special security group to the folder and
>| DENY access and giving Domain Users RW access.
>|
>| Isn't the DIALUP security group a group that
>| controls membership based on what you are doing on the
>| network? As in, when you dial up (or go through R&R Remote
>| Access) then you automatically become a member of this
>| group. Just like Authenticated User and Creator Owner.
>| Here is what I found on ms support as an explanation of
>| this group.
>|
>| SID: S-1-5-1
>| Name: Dialup
>| Description: A group that includes all users who have
>| logged on through a dial-up connection. Membership is
>| controlled by the operating system.
>|
>| So in theory a VPN user becomes a member of the DIALUP
>| group, therefore can be denied access when the group is
>| added to the permissions of the folder.
>|
>| I can't seem to get this to work. Any ideas? Or does
>| anyone know of an alternative method to accomplish this?
>|
>| Thanks,
>| Greg
>|
>
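
Added illustration, not part of the original posts: a simplified Python model of how the DACL described in this thread (DENY for DIALUP, RW for a "secure" group) is evaluated against a logon token. The user SID, the "secure" group SID and the sample tokens are constructed; S-1-5-1, S-1-5-2 and S-1-5-4 are the well-known DIALUP, NETWORK and INTERACTIVE SIDs.

```python
# Simplified model of an ordered DACL walk against a token's SID set.
# Function names and all sample tokens are constructed for this example.
READ, WRITE = 0x1, 0x2

DIALUP, NETWORK, INTERACTIVE = "S-1-5-1", "S-1-5-2", "S-1-5-4"  # well-known SIDs
USER = "S-1-5-21-1111-2222-3333-1105"          # constructed user SID
SECURE_GROUP = "S-1-5-21-1111-2222-3333-1201"  # constructed "secure" group SID

# DACL on the "secure" folder, deny ACE ahead of the allow ACE.
SECURE_FOLDER_DACL = [
    ("deny", DIALUP, READ | WRITE),
    ("allow", SECURE_GROUP, READ | WRITE),
]

def build_token(user_sid, group_sids, logon_sids):
    """Token = user SID + static group SIDs + SIDs the OS adds for this logon."""
    return {user_sid, *group_sids, *logon_sids}

def access_check(token, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed bit fails the
    request, matching allows accumulate, and ungranted bits mean no access."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue  # ACE only applies if its SID is present in the token
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False

def scenarios():
    """Evaluate the thread's design against four constructed tokens."""
    want = READ | WRITE
    tokens = {
        "office": build_token(USER, [SECURE_GROUP], [INTERACTIVE]),
        "remote_with_dialup_sid": build_token(USER, [SECURE_GROUP], [DIALUP]),
        # Hypothetical case: remote session whose token lacks S-1-5-1.
        "remote_without_dialup_sid": build_token(USER, [SECURE_GROUP], [NETWORK]),
        "office_not_in_secure_group": build_token(USER, [], [INTERACTIVE]),
    }
    return {name: access_check(tok, SECURE_FOLDER_DACL, want)
            for name, tok in tokens.items()}

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:28s} -> {'granted' if granted else 'denied'}")
```

The deny ACE only takes effect when S-1-5-1 is present in the token that the machine holding the folder evaluates, so listing the SIDs of the remote session's token there (for example with `whoami /groups`) is the check to make when the design does not behave as expected.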


