Re: Preventing users from connecting to shares NOT on the domain..

From: Javier J (no.mail_at_please.no)
Date: 01/20/05

    Date: Thu, 20 Jan 2005 16:55:01 +0100
    
    

    Hi!

    The servers might be located on the same subnet as some of the clients.
    Not sure about that, would have to check the precise topology.

    The idea is:
    These 30+ Client PCs should _only_ be able to access resources on
    computers located on the Domain.

    IIRC, all the servers are located in the same OU, but as for their IP
    addresses, I don't know if they're in the OU or not.

    To be more precise, the setup is as follows:

    + AD
       - Users: Most users are placed on the default container
       |
       - OU=Restricted: OU where we've placed the "secure" client PCs and
    related users.

    The OU has two GPOs, one for "Machine" and one for user. The "Machine"
    GPO is set to apply to all Authenticated Users. The "User" GPO is _only_
    applied to the members of a "Restricted" group.

    The users of the "Restricted" group "suffer" a desktop as locked down as
    I've managed to get (Redirected Folders, Roaming User Profiles deleted
    on logoff, no "All Users" programs and folders, etc). The _ideal_ setup
    would be one where the "restricted" can't connect to any non-domain PC,
    while a "normal" user doesn't have to suffer any more restrictions than
    necessary...

    The rest of the users/PCs on the domain should still be running "as is",
    that's why I'm looking for policies / changes that can be implemented
    per-OU.

    Is this possible with the solution you suggest?

            Thanks a lot

            Javier J

    Miha Pihler [MVP] wrote:
    > Hi,
    >
    > Another question for you. Are servers on same subnet as clients? It would be
    > a benefit if they were not.
    >
    > Yes, Kerberos is domain wide, but IPSec policy can be OU, Site or Domain (just
    > like policies). So you can require IPSec for only a group of PCs (PCs that
    > are in the same OU). If you require these computers to communicate with other
    > computers (servers) in the domain while these servers are not in the same domain, some
    > small changes would be required on the OU where the servers are located. This change
    > would tell the servers to respond to IPSec requests. This would not be
    > required if the servers are in their own subnet...
    >
    > Feel free to post back with any additional questions that you might have. I
    > will do my best to answer them, but that might not be before some time
    > tomorrow. I have some work to do and get some sleep...
    >

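The following is an added example, not code from either poster. It shows the per-OU IPsec design the reply describes, expressed for a current Windows domain (Windows 8 / Server 2012 or later, where the NetSecurity PowerShell module replaces the Windows 2000/XP IPSec snap-in the thread was written against). Two GPOs are assumed to exist and to be linked to the OUs from the thread; their names, the domain name and the domain controller addresses are hypothetical. The restricted clients' GPO requires Kerberos-authenticated IPsec for everything except the domain controllers, so a host that is not a domain member cannot complete IKE and the connection fails; the servers' GPO only requests IPsec, so the rest of the domain keeps working unchanged.

```powershell
# Added example (not from the original thread). Assumes a current Windows domain
# with the NetSecurity module, and two GPOs with these names already linked to
# the OUs described above. All names and addresses are hypothetical.
$Domain            = 'corp.example'
$RestrictedGpo     = "$Domain\Restricted Clients - IPsec"   # linked to OU=Restricted
$ServersGpo        = "$Domain\Servers - IPsec"              # linked to the servers' OU
$DomainControllers = @('10.0.0.10', '10.0.0.11')            # hypothetical DC addresses

# ---- Restricted clients: require IPsec in both directions -------------------
$gpo = Open-NetGPO -PolicyStore $RestrictedGpo

# Authenticate peers with the computer's Kerberos identity only. A machine that
# is not joined to the domain has no ticket and cannot finish IKE.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                -Proposal $proposal -GPOSession $gpo

# 1. Exempt the domain controllers. Kerberos authentication for IKE needs a
#    service ticket from a DC, so the client must still reach the DCs in the
#    clear (or the DCs must negotiate IPsec as well). Without this rule the
#    policy locks the client out of the domain it is meant to be confined to.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -RemoteAddress $DomainControllers `
    -InboundSecurity None -OutboundSecurity None `
    -GPOSession $gpo

# 2. Everything else must be protected. A workgroup PC, NAS or laptop that is
#    not a domain member cannot negotiate this, so SMB to it simply fails.
New-NetIPsecRule -DisplayName 'Require IPsec to all other hosts' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -GPOSession $gpo

# DHCP runs before any SA can exist; exempt it so the client still gets a lease.
Set-NetFirewallSetting -Exemptions Dhcp -GPOSession $gpo
Save-NetGPO -GPOSession $gpo

# ---- Servers: respond to IPsec, keep talking to unrestricted clients --------
# "Request" negotiates IPsec when the peer asks for it and falls back to clear
# text otherwise. This is the small change to the servers' OU the reply refers
# to; unrestricted users and PCs are unaffected.
$gpo = Open-NetGPO -PolicyStore $ServersGpo
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                -Proposal $proposal -GPOSession $gpo
New-NetIPsecRule -DisplayName 'Request IPsec (answer restricted clients)' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -GPOSession $gpo
Save-NetGPO -GPOSession $gpo

# ---- Check from a restricted client after gpupdate /force -------------------
# The applied rules should show Require/Require; after opening a share on a
# domain server a main-mode SA to it should exist, while a share on a
# non-domain host never produces an SA and the connection times out.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA
```

Because the GPOs are linked to the two OUs, the Require policy reaches only the machines in OU=Restricted and the Request policy only the servers, which is the per-OU scoping the original post asks for; a server that sits on the same subnet as the restricted clients still needs the Request rule, since subnet placement alone does not change which peers can complete Kerberos IKE.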
