Re: Computer access to ACL



"Jesper" <Jesper@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:574CA6B1-C340-4913-8023-E14CBC795EB6@xxxxxxxxxxxxxxxx
You could grant access to the NETWORK entity, but that would give access to
everyone coming in from the network. There is no way to "give everyone on
host A access to shared info on host C, but block everyone on host B" unless
you are willing to block ALL access from host B. In that case you can grant
access to Everyone or NETWORK and set up an IPsec filter on host C that
allows access to TCP ports 445 and 139 from host A.


Yep.
It was at first surprising to me how often this use case
is asked about, Jesper, but then I stopped to consider.

Roger

"Roger Abell [MVP]" wrote:

Yes, that does clarify.
What you are after cannot be done directly.
All access is gated by the credentials of the process
attempting the access. Your users on the remote boxes
would be attempting the accesses as themselves, not
as the machine they have logged into. Even if their
domain joined machine were granted access to the
share and underlying store, that would only enable
access by the machine's System account.
Your users would need accounts that could be recognized
by the sharing server, and server hosting the DFS, for them
to have access. If they log in with machine local accounts
they could still access with the domain credentials or
credentials of the share and dfs hosting server. That could
also be "assisted" by their caching those credentials in the
cred manager on their XP (i.e. start/run control keymgr.dll)

<hbarker@xxxxxxxxx> wrote in message
news:1166075863.146712.182950@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I've got several remote machines (XPsignon14a, as an example) that I
want to give full write access to a certain directory on the file
server (dfs tree on server 2003) without tying them to a specific user
account, so that no matter who is logged into the machine they will
always have access to this directory (usually, users use local accounts
on xpsignon14a)

Hope this clarifies.

Cheers,
Hugh.


Roger Abell [MVP] wrote:
Please clarify what it is that you are trying to do.
"give write permissions to several computers in my
domain by adding them to the acl's, however when
I do so they are still denied access"
is ambiguous. You want to allow several computers
to write what/where, and to get this going you have
attempted to grant what/where?

<hbarker@xxxxxxxxx> wrote in message
news:1166072571.253487.268290@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I need to give write permissions to several computers in my domain by
adding them to the acl's, however when I do so they are still denied
access, and I'm not sure why. Any pointers from someone who has done
this would be appreciated.

The users on these computers log onto the local machine.

Server is 2003, clients are XPSP2.

Thanks in advance.
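
The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of a DACL check (not the real Windows AccessCheck API) showing which callers from XPsignon14a get write access when the ACE names the machine account versus the NETWORK entity. The domain SID, RIDs and the user "alice" are constructed, and a local-account logon is assumed to fail outright at the server (no matching account, Guest disabled).

```python
# Simplified model of a Windows DACL check (not the real AccessCheck API).
# Well-known SIDs are real; the domain SID and RIDs below are constructed.
EVERYONE, NETWORK, AUTH_USERS = "S-1-1-0", "S-1-5-2", "S-1-5-11"
DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
MACHINE_ACCT = DOM + "-1105"    # EXAMPLE\XPSIGNON14A$ (constructed RID)
DOMAIN_USER = DOM + "-1201"     # EXAMPLE\alice (hypothetical user)
READ, WRITE = 0x1, 0x2

def network_token(principal_sid):
    """SIDs in the token the file server builds for a network logon."""
    if principal_sid is None:       # credentials the server cannot validate
        return None                 # logon fails, so no token exists
    return {principal_sid, EVERYONE, NETWORK, AUTH_USERS}

def access_check(token, dacl, desired):
    """Walk ACEs in order: a matching deny on a needed bit fails, allows accumulate."""
    if token is None:
        return False
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & desired & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask
        if granted & desired == desired:
            return True
    return False

# Who the server sees for each kind of process on the XP client.
CALLERS = {
    "local account on XPsignon14a": network_token(None),
    "domain user on XPsignon14a": network_token(DOMAIN_USER),
    "LocalSystem on XPsignon14a": network_token(MACHINE_ACCT),
}

def who_can_write(dacl):
    return sorted(n for n, t in CALLERS.items() if access_check(t, dacl, WRITE))

machine_acl = [("allow", MACHINE_ACCT, READ | WRITE)]   # what the poster tried
network_acl = [("allow", NETWORK, READ | WRITE)]        # the NETWORK suggestion

if __name__ == "__main__":
    print("machine account ACE:", who_can_write(machine_acl))
    print("NETWORK ACE:        ", who_can_write(network_acl))
```

In this model the machine-account ACE admits only processes running as LocalSystem on the client, while the NETWORK ACE admits every caller that authenticates, which is why the thread pairs it with an IPsec filter on the server.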






