Re: How to restrict file access to Domain Computers Only



That of course is normally a great solution, but in this case it sounds like
the file server is the domain controller, which means IPsec could not be
implemented, as an IPsec require policy on a DC will cause problems with the
domain member computers. Since it may be a small network, someone else
mentioned that this worked for them. They configured the user's account
properties in ADUC so that they were restricted to what computer they could
log on to, and then they could not access domain resources from a non-domain
computer, assuming that the non-domain computer did not have a name in the
list. It never occurred to me that it would work for network logon, and I
tried it out and sure enough it worked, giving some obscure message when I
tried to access a domain share. While it is not a foolproof security
solution, it may help in smaller networks. Alas, as you said, none of this will
most likely stop a determined user from copying files anyhow from their
domain computer.

Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23aLYveeyGHA.4336@xxxxxxxxxxxxxxxxxxxxxxx
Search on ms.com for the guidance papers on using
IPsec for "domain isolation"

You could apply techniques from them to allow only domain
members to have network traffic with the fileshare server.

However, your users could/would just save copies to their
workstations and copy to their non-domain laptops/devices
from there (or email the docs out).

Your attempt to accomplish this by setting permissions to
administrators and domain computers did not work because
the access is not being done by the domain computers but by
the account logged into the domain comp, so the check is
against that user account, not the computer account.

<none@xxxxxxxxx> wrote in message
news:et4BpBeyGHA.1300@xxxxxxxxxxxxxxxxxxxxxxx
Single Windows Server 2003. All workstations are Windows XP SP2.

I'm trying to restrict access to the shared files on the Server to computers
that are members of the Domain and so far it isn't working out too well.

Basically, we are allowing people to bring in laptop computers and connect
to our network for Internet access and for access to certain printers but do
not want to allow access to any shared files on the Server. We don't want
any files copied to a laptop and leaving the premises. These computers are
Workgroup computers; not Domain computers. I tried setting the Permissions
for the shared files to only allow access by Administrators and Domain
Computers, but this cut off access by all computers even though the
computers I tested with were clearly members of the Domain Computers group.

Any idea what I'm missing here? Do the Permissions/Security settings need
to be some combination of Domain Computers and Authenticated Users in order
to accomplish this?

Please help.

Thanks.

James
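
The per-user logon workstation restriction described in the top reply can be previewed and audited from a script. This is an added example, not something posted by anyone in the thread; it assumes the ActiveDirectory PowerShell module is available (it is not part of a stock Windows Server 2003 install), and the group name `FileShareUsers` and the length limit are assumptions to check against your own domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$UserGroup = 'FileShareUsers'   # hypothetical group of accounts to restrict
$MaxLen    = 1024               # assumed length limit of userWorkstations; verify it

# Names of all computer accounts in the domain (the file server/DC included).
$names = Get-ADComputer -Filter * | Sort-Object Name |
    Select-Object -ExpandProperty Name
$list  = $names -join ','

if ($list.Length -gt $MaxLen) {
    throw "Workstation list is $($list.Length) characters; too long for one value."
}

# Preview the change for every user in the group. Remove -WhatIf to apply it.
Get-ADGroupMember -Identity $UserGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -LogonWorkstations $list -WhatIf
    }

# Audit: which enabled accounts are unrestricted, and which lists still name
# computers that no longer have an account in the domain.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    ForEach-Object {
        $user    = $_
        $allowed = @($user.LogonWorkstations -split ',' | Where-Object { $_ })
        [pscustomobject]@{
            User        = $user.SamAccountName
            Restricted  = [bool]$allowed.Count
            NotInDomain = ($allowed | Where-Object { $names -notcontains $_ }) -join ','
        }
    }
```

The restriction matches on computer name only, which is why the reply above calls it not foolproof; the audit output helps keep the allowed list limited to names that are actually domain members.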



