Click here to get back home

Can a Computer (so everyone who logs on on that computer) have access rights?
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Can a Computer (so everyone who logs on on that computer) have access rights? Jan 01-12-2006
Posted by Jan on January 12, 2006, 6:50 am
Please log in for more thread options
 Hello,

I want a user to have access to a share and a printer only if they are
working on a specific computer.
The user should be able to log on to other computers as well but then they
shouldn't have access to the share and printer.
It's al happening in one domain.

I tried the folowing but it doesn't work!

I give the computer (machine) print- and access-rights.
I give the user login rights on the computer.
But then the user has no access rights .

Anyone?

Jan





Posted by Ondrej Sevecek on January 12, 2006, 7:02 am
Please log in for more thread options
 as of what I know, it is only possible to achieve this through use of IPSec
with computer certificates.

Unfortunately, the combination user-clientcomputer cannot be authenticated
nor denyed acces.

O.


> Hello,
>
> I want a user to have access to a share and a printer only if they are
> working on a specific computer.
> The user should be able to log on to other computers as well but then they
> shouldn't have access to the share and printer.
> It's al happening in one domain.
>
> I tried the folowing but it doesn't work!
>
> I give the computer (machine) print- and access-rights.
> I give the user login rights on the computer.
> But then the user has no access rights .
>
> Anyone?
>
> Jan
>
>
>
>



Posted by Ondrej Sevecek on January 12, 2006, 7:21 am
Please log in for more thread options
more notes:

- the IPSec can be used also as a simple statefull packet filtering firewall
whan established without certificates, it can simply filter requests by
source IP addreses or ranges of them.

- or you can use the Windows Firewall to filter out client computers that
are not allowed access.


O.



"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
> as of what I know, it is only possible to achieve this through use of
> IPSec with computer certificates.
>
> Unfortunately, the combination user-clientcomputer cannot be authenticated
> nor denyed acces.
>
> O.
>
>
>> Hello,
>>
>> I want a user to have access to a share and a printer only if they are
>> working on a specific computer.
>> The user should be able to log on to other computers as well but then
>> they shouldn't have access to the share and printer.
>> It's al happening in one domain.
>>
>> I tried the folowing but it doesn't work!
>>
>> I give the computer (machine) print- and access-rights.
>> I give the user login rights on the computer.
>> But then the user has no access rights .
>>
>> Anyone?
>>
>> Jan
>>
>>
>>
>>
>
>



Posted by Roger Abell [MVP] on January 12, 2006, 9:31 pm
Please log in for more thread options
What you are after cannot be done directly and cheaply/simply.
If however you can have a machine that shares out the shares
that should be so restircted, then you can make it so that machine
will only accept connections from the machines on which you do
want users to be able to access the shares.
Then, if you combine this with login local rights on those accessing
machine, logon over network rights on the sharing-out machine,
and with share level and NTFS permissions you will have set up
the sharing scenario you are after. The cost is that the sharing
machine needs to be dedicated, and that if it is only for some users
that they are to be restricted to accessing those shares from only
certain machine (but other users should be able to access from
a larger set of machines) then you will have an involved set of
statements for the allow local login on the machine that can access
the sharing-out server.
As was said, W2k3 firewall, IPsec, or third-party firewall could
be used for the part about controlling what machines the server
that does the sharing will allow.

> Hello,
>
> I want a user to have access to a share and a printer only if they are
> working on a specific computer.
> The user should be able to log on to other computers as well but then they
> shouldn't have access to the share and printer.
> It's al happening in one domain.
>
> I tried the folowing but it doesn't work!
>
> I give the computer (machine) print- and access-rights.
> I give the user login rights on the computer.
> But then the user has no access rights .
>
> Anyone?
>
> Jan
>
>
>
>



Posted by JLeste on January 26, 2006, 4:41 pm
Please log in for more thread options
Jan wrote:
> Hello,
>
> I want a user to have access to a share and a printer only if they are
> working on a specific computer.
> The user should be able to log on to other computers as well but then they
> shouldn't have access to the share and printer.
> It's al happening in one domain.
>
> I tried the folowing but it doesn't work!
>
> I give the computer (machine) print- and access-rights.
> I give the user login rights on the computer.
> But then the user has no access rights .
>
> Anyone?
>
> Jan
>
>
>
>
If the computer is part of an AD domain? check out Group Policy loopback
settings (computer side). I can't remember everything you can do with
loopback settings, but I think you may be able to do what you're trying
to do. (Not sure)

Similar ThreadsPosted
How2: User Rights on Domain but Admin Rights on Computer December 20, 2006, 3:40 pm
sbs2003 and users rights on local computer July 5, 2007, 11:38 am
Computer access to ACL December 14, 2006, 12:02 am
Non-Domain computer access September 6, 2005, 3:47 pm
MAC computer access windows server October 4, 2005, 12:38 pm
prevent access to shared folder when not on a domain computer July 11, 2005, 8:50 pm
Questions on Authenticated Users and Access This Computer From Network User Right July 2, 2006, 8:38 pm
Autoenrollment problems - Enrollment access is not allowed to this template computer September 1, 2006, 4:02 pm
How to configure Domain access permissions for a user that would vary based on the computer they log into? June 21, 2006, 11:58 am
Rights to event logs June 15, 2005, 2:03 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap