RE: Dialup Special Group
From: Jack Wang (jackwa@online.microsoft.com)
Date: 11/28/02
From: jackwa@online.microsoft.com (Jack Wang) Date: Thu, 28 Nov 2002 09:35:56 GMT
Hi Greg,
I have checked the Dialup group in VPN and RAS and found that the group could not be
used in this situation since the user will not be added into the Dialup group.
Sincerely,
Jack Wang
Microsoft Online Support Professional
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Greg" <123@123.com>
| Subject: RE: Dialup Special Group
| Date: Mon, 25 Nov 2002 09:52:04 -0800
| Newsgroups: microsoft.public.win2000.security
|
| Sure I know what you're saying however you cannot add
| people to the special security group DIALUP. That group's
| membership is specific to what you do on the network.
| Theoretically when you access the network through Routing
| and Remote Access you become a member of the DIALUP group
| automatically.
|
| My purpose is due to a security policy. We have a certain
| folder, we'll call it "secure", that cannot be accessed by
| remote users. Certain users access this folder when in the
| office but they cannot use VPN or DIAL-in when they have
| permissions to access the "secure" Folder. Currently, if
| they have permission to the "secure" folder we have to
| manually disallow them use of VPN or Dial-in. We want them
| to be able to VPN but at the same time they VPN they get
| denied access to the "secure" folder. However, when they
| are in the office they should be able to access this
| folder. The way the DIALUP group is defined, it should
| work by placing the DIALUP group on the "secure" folder
| and set DENY permission and add a "secure" group RW. That
| way when someone VPN's or Dial-in they become,
| automatically, a member of the DIALUP group therefore
| denied access when dialed in. And when they are in the
| office they gain access to the "secure" folder via
| the "secure group" and they are now not a member of the
| DIALUP group since they are not VPN'd anymore.
|
| FYI, you only see the DIALUP group when adding permissions
| to a folder/file. You don't see it in Active Directory
| since membership is controlled through the software.
|
| Greg
| >-----Original Message-----
| >Hi Greg,
| >
| >After the user joins in the domain remotely, the permissions of the user will be the same
| >as the local user account unless you use another user account to log on remotely. I
| >understand that you can add the user in two groups such as dialup and LAN. However,
| >the user will be a member of the two groups no matter of logging on locally or remotely.
| >So, if the LAN group has the permission to access the folder, the user will access the
| >folder locally and remotely. If you deny the dialup group to access the folder, the user
| >will not access the folder even if he logs on locally.
| >
| >Could you let me know the goal that you would like to achieve? Why do you need to
| >deny the access permission of the folder when the user logs on remotely?
| >
| >Sincerely,
| >Jack Wang
| >Microsoft Online Support Professional
| >
| >Get Secure! - www.microsoft.com/security
| >
| >=====================================================
| >When responding to posts, please "Reply to Group" via
| >your newsreader so that others may learn and benefit
| >from your issue.
| >=====================================================
| >
| >This posting is provided "AS IS" with no warranties, and confers no rights.
| >--------------------
| >| From: "Greg" <123@123.com>
| >| Subject: Dialup Special Group
| >| Date: Fri, 22 Nov 2002 13:31:53 -0800
| >| Newsgroups: microsoft.public.win2000.security
| >|
| >| I would like to deny VPN (and/or Dialin) users access to
| >| a "Folder" when they are entering the Network remotely.
| >| However, when the same user is in the network on the LAN
| >| they can gain access. To do this I was thinking about
| >| adding the DIALUP special security group to the folder and
| >| DENY access and giving Domain Users RW access.
| >|
| >| Isn't the DIALUP security group a group that
| >| controls membership based on what you are doing on the
| >| network? As in, when you dial up (or go through R&R Remote
| >| Access) then you automatically become a member of this
| >| group. Just like Authenticated User and Creator Owner.
| >| Here is what I found on ms support as an explanation of
| >| this group.
| >|
| >| SID: S-1-5-1
| >| Name: Dialup
| >| Description: A group that includes all users who have
| >| logged on through a dial-up connection. Membership is
| >| controlled by the operating system.
| >|
| >| So in theory a VPN user becomes a member of the DIALUP
| >| group, therefore can be denied access when the group is
| >| added to the permissions of the folder.
| >|
| >| I can't seem to get this to work. Any ideas? Or does
| >| anyone know of an alternative method to accomplish this?
| >|
| >| Thanks,
| >| Greg
| >|
| >
| >
| >.
| >
|
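
Added example (not part of the original posts): a simplified Python model of how a folder's DACL is evaluated against a logon token, showing that the DENY entry on DIALUP (S-1-5-1) discussed in this thread only takes effect when that SID is actually present in the token. The rights bits and the two S-1-5-21-... SIDs are constructed for illustration, and this is a model of the evaluation order, not the Windows AccessCheck API.

```python
# Added illustration: simplified model of a Windows DACL walk (not the real AccessCheck API).
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2                  # simplified rights bits for this model
DIALUP = "S-1-5-1"                      # well-known SID quoted in the thread
SECURE_GROUP = "S-1-5-21-0-0-0-1105"    # constructed SID for the "secure" group
USER = "S-1-5-21-0-0-0-2001"            # constructed SID for one user

@dataclass(frozen=True)
class Ace:
    deny: bool
    sid: str
    mask: int

def canonical(dacl):
    """Order ACEs canonically: deny entries are evaluated before allow entries."""
    return sorted(dacl, key=lambda ace: not ace.deny)

def access_check(token_sids, dacl, desired):
    """Walk the ACEs in order; a deny hit on a still-needed right ends the check."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue                    # ACE does not apply to this token
        if ace.deny and ace.mask & remaining:
            return False
        if not ace.deny:
            remaining &= ~ace.mask      # these rights are now granted
        if remaining == 0:
            return True
    return False                        # requested rights were never fully granted

# The DACL proposed in the thread for the "secure" folder
SECURE_DACL = [
    Ace(deny=False, sid=SECURE_GROUP, mask=READ | WRITE),
    Ace(deny=True, sid=DIALUP, mask=READ | WRITE),
]

def scenarios():
    lan = {USER, SECURE_GROUP}
    vpn_if_dialup = lan | {DIALUP}      # the theory: the OS adds DIALUP on remote access
    vpn_observed = lan                  # the reply's finding: DIALUP is not added
    return {
        "lan": access_check(lan, SECURE_DACL, READ),
        "vpn_if_dialup_in_token": access_check(vpn_if_dialup, SECURE_DACL, READ),
        "vpn_as_observed": access_check(vpn_observed, SECURE_DACL, READ),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```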