Re: Authenticated Users Query

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/02/05


Date: Thu, 2 Jun 2005 14:25:21 -0500

If the account that the user is logged onto on the non-domain computer has
the same logon name and password as a user account in the domain, then that user
can gain access to the share. If you have auditing of logon events enabled
for that server, you will see type 3 logon events recorded at the time that
computer user was able to access the share. If you want to restrict access
to only domain computers, you would have to enable an ipsec require
policy for that computer, with the exception that domain controllers cannot
use ipsec AH/ESP for communications with domain computers; but otherwise it
would work, because ipsec negotiation policy by default requires kerberos
authentication for computer accounts before the ipsec policy can be
used. --- Steve

"gmickelsen" <gmickelsen@discussions.microsoft.com> wrote in message
news:399E5C8C-9208-48E4-B3FE-8722697A90F8@microsoft.com...
> Simplified Scenario of our configuration:
>
> We have a W2K3 DC which hosts a share (share permissions:
> Authenticated Users = Read Access;
> NTFS permission :Administrators = Full Control)
>
> We have a PC (not part of the domain, but in its own workgroup). This PC can
> open the share on the server when logged in as a local administrator and see
> the contents.
>
> Firstly, shouldn't the fact that no users (apart from Administrators)
> prevent the local user on this PC from being able to open the share?
> Or are the permissions combined?
>
> Secondly, shouldn't Authenticated Users only allow users who are logged on
> to the domain to access the resource?
>
> I'm sure this is quite a simple query for many of you.
> Many thanks in advance.

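As an added example (not from Steve's post or anyone in the thread), the following Python check runs over a constructed, simplified export of logon events and flags type 3 (network) logons whose client workstation is not in the domain's computer list, which is how a matching local account on a workgroup PC would show up in the server's audit log. The CSV field layout, the domain computer names and the sample records are all assumptions made for this example.

```python
"""Flag type 3 (network) logons to a server that did not come from a known
domain computer. Added example; the export below is a constructed, simplified
CSV, not real Security log output."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Iterable, List, Set


@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # 540 = successful network logon on Windows Server 2003
    logon_type: int    # 3 = network logon, i.e. share access
    user: str          # account name the client authenticated as
    domain: str        # account domain reported in the event
    workstation: str   # client computer name (client-supplied, so not proof)
    source_ip: str


# Constructed sample export: event_id,logon_type,user,domain,workstation,ip
SAMPLE_LOG = """\
540,3,gmickelsen,CORP,WKS-ALICE,10.0.0.21
540,3,gmickelsen,CORP,WGPC01,10.0.0.77
540,2,administrator,CORP,FS01,10.0.0.5
540,3,svc_backup,CORP,FS01,10.0.0.5
"""

# Assumed list of domain-joined computers (e.g. exported from Active Directory).
DOMAIN_COMPUTERS: Set[str] = {"FS01", "WKS-ALICE"}


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the constructed CSV export into LogonEvent records."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        event_id, logon_type, user, domain, workstation, ip = row
        events.append(LogonEvent(int(event_id), int(logon_type), user,
                                 domain, workstation, ip))
    return events


def flag_non_domain_network_logons(events: Iterable[LogonEvent],
                                   domain_computers: Set[str]) -> List[LogonEvent]:
    """Return type 3 logons where the client is not a known domain member.
    A local account mirroring a domain user's name and password appears here
    as a successful network logon from a computer that is not in the domain."""
    known = {name.upper() for name in domain_computers}
    return [e for e in events
            if e.logon_type == 3 and e.workstation.upper() not in known]


if __name__ == "__main__":
    for hit in flag_non_domain_network_logons(parse_events(SAMPLE_LOG), DOMAIN_COMPUTERS):
        print(f"non-domain network logon: {hit.user} from {hit.workstation} ({hit.source_ip})")
```

Because the workstation name is supplied by the client, treat a hit as a lead to correlate with the source IP and DHCP/DNS records rather than as proof on its own.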

