Re: I need a method a way to ONLY allow computers in domain to login

From: Herb Martin (news_at_LearnQuick.com)
Date: 08/11/03

Date: Sun, 10 Aug 2003 21:32:53 -0500

> I always thought that if you did have an account in the domain, that
> you could not access network resources.
> I now have the following scenario.
> People bring their XP laptops from home. They have local logins.
> Once logged in locally, they then access the network server

First step is to distinguish "login/logon" from "authenticate"
and "using resources".

You must be authenticated to use resources (if they are
secured of course.)

You must authenticate TO logon (it's the first step).

You can authenticate without logging on.

One way to force them to logon to a domain machine (instead
of just manually authenticating from a non-domain machine)
is to use IPSec with Kerberos authentication.

You don't have to actually encrypt all the packets, just make the
policy use AH (authentication of packet data) -- no non-Domain
machine (trust or forest too of course) will be able to touch your servers,
so authentication of the user alone is not sufficient to access
resources.

The MACHINES must also authenticate if you force all to use
IPSec (for internal network ranges.)
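As an added example (not part of Herb's post), this is how the policy he describes -- inbound traffic to a member server must carry AH integrity protection negotiated with Kerberos *machine* authentication -- is expressed with the NetSecurity cmdlets on Windows 8 / Server 2012 and later; the XP/2003-era equivalent was the IP Security Policy snap-in or netsh ipsec. The internal address range is a constructed placeholder.

```powershell
# Added example: require IPsec AH with Kerberos machine authentication for
# inbound traffic to this server, so only domain-joined computers can reach
# it. Uses the built-in NetSecurity module (Windows 8 / Server 2012+).
# Run in an elevated PowerShell on the member server, not on a DC.

# Constructed internal range; adjust to your own internal networks.
$InternalRange = '10.0.0.0/8'

# Phase 1 (main mode): authenticate the COMPUTER with Kerberos. A home
# laptop with only a local account cannot complete this step, whatever
# user credentials it supplies afterwards.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain machine Kerberos' `
            -Proposal $machineKerb

# Phase 2 (quick mode): AH only, i.e. integrity/authentication of each
# packet without encryption, matching the point that you need not
# encrypt everything to get the access-control effect.
$ahProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH `
                -AHHash SHA256
$ahSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'AH SHA256 only' `
            -Proposal $ahProposal

# Connection security rule: inbound from the internal range MUST be
# authenticated; outbound is only requested, so the server can still
# reach hosts that do not speak IPsec (DCs, DNS, DHCP) and is not locked
# out of the domain it needs for Kerberos in the first place.
New-NetIPsecRule -DisplayName 'Require domain-machine AH (inbound)' `
    -Mode Transport -Protocol Any `
    -LocalAddress Any -RemoteAddress $InternalRange `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name `
    -QuickModeCryptoSet $ahSet.Name `
    -Enabled True

# Verification once a domain client connects: the main mode SA lists the
# remote computer's domain identity, and a quick mode SA exists for the
# session. A non-domain laptop produces no SA and its packets are dropped.
Get-NetIPsecRule -DisplayName 'Require domain-machine AH (inbound)'
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Apply the same rule through a GPO (`-PolicyStore 'domain.example\GPO name'`, a placeholder) rather than per server once it has been tested on one host, and keep domain controllers out of its scope so clients can still obtain Kerberos tickets.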
