Re: How to restrict file access to Domain Computers Only
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sun, 27 Aug 2006 22:02:42 -0700
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23xYpIKfyGHA.4392@xxxxxxxxxxxxxxxxxxxxxxx
That of course is normally a great solution but in this case it sounds
like the file server is the domain controller which means ipsec could not
be implemented as an ipsec require policy on a DC will cause problems with
the
Good catch Steve, I overlooked the "single server" part of the post.
(but IPsec can, just not simply, be used on a DC).
domain member computers. Since it is may be a small network some else
mentioned that this worked for them. They configured the users account
properties in ADUC so that they were restricted to what computer they
could logon to and then they could not access domain resources from a non
domain computer assuming that the non domain computer did not have a name
in the list. That never occurred to me that it would work for network
logon and I
But, I log into my domain workstation and map a drive that is shared by
my plugged in laptop at 10.0.1.53, i.e. \\10.0.1.63\stash$
tried it out and sure enough it worked giving some obscure message when I
tired to access a domain share. While it is not a foolproof security
solution it may help in smaller networks. Alas as you said none of this
will most likely stop a determined user from copying files anyhow from
their domain computer.
Steve
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23aLYveeyGHA.4336@xxxxxxxxxxxxxxxxxxxxxxx
Search on ms.com for the guidance papers on using
IPsec for "doman isolation"
You could apply techniques from them to all only domain
members to have network traffic with the fileshare server.
However, your users could/would just save copies to their
workstations and copy to their non-domain laptops/devices
from there (or email the docs out).
Your attempt to accomplish this by setting permissions to
administrators and domain computers did not work because
the access is not being done by the domain computers but by
the account logged into the domain comp, so the check is
against that user account, not the computer account.
<none@xxxxxxxxx> wrote in message
news:et4BpBeyGHA.1300@xxxxxxxxxxxxxxxxxxxxxxx
Single Windows Server 2003. All workstations are Windows XP SP2.
I'm trying to restrict access to the shared files on the Server to
computers
that are members of the Domain and so far it isn't working out too well.
Basically, we are allowing people to bring in laptop computers and
connect
to our network for Internet access and for access to certain printers
but do
not want to allow access to any shared files on the Server. We don't
want
any files copied to a laptop and leaving the premises. These computers
are
Workgroup computers; not Domain computers. I tried setting the
Permissions
for the shared files to only allow access by Administrators and Domain
Computers, but this cut off access by all computers even though the
computers I tested with were clearly members of the Domain Computers
group.
Any idea what I'm missing here? Do the Permissions/Security settings
need
to be some combination of Domain Computers and Authenticated Users in
order
to accomplish this?
Please help.
Thanks.
James
.
- Follow-Ups:
- Re: How to restrict file access to Domain Computers Only
- From: Steven L Umbach
- Re: How to restrict file access to Domain Computers Only
- References:
- How to restrict file access to Domain Computers Only
- From: none
- Re: How to restrict file access to Domain Computers Only
- From: Roger Abell [MVP]
- Re: How to restrict file access to Domain Computers Only
- From: Steven L Umbach
- How to restrict file access to Domain Computers Only
- Prev by Date: Certification Authority Windows 2003 SBS
- Next by Date: Re: How to restrict file access to Domain Computers Only
- Previous by thread: Re: How to restrict file access to Domain Computers Only
- Next by thread: Re: How to restrict file access to Domain Computers Only
- Index(es):
Relevant Pages
|
|
