Posted by Roger Abell [MVP] on December 22, 2006, 4:17 pm
> You could grant access to the NETWORK entity, but that would give access to
> everyone coming in from the network. There is no way to "give everyone on
> host A access to shared info on host C, but block everyone on host B" unless
> you are willing to block ALL access from host B. In that case you can grant
> access to Everyone or NETWORK and set up an IPsec filter on host C that
> allows access to TCP ports 445 and 139 from host A.
>
Yep.
It was at first surprising to me how often this use case
is asked about, Jesper, but then I stopped to consider.
Roger
> "Roger Abell [MVP]" wrote:
>
>> Yes, that does clarify.
>> What you are after cannot be done directly.
>> All access is gated by the credentials of the process
>> attempting the access. Your users on the remote boxes
>> would be attempting the accesses as themselves, not
>> as the machine they have logged into. Even if their
>> domain joined machine were granted access to the
>> share and underlying store, that would only enable
>> access by the machine's System account.
>> Your users would need accounts that could be recognized
>> by the sharing server, and server hosting the DFS, for them
>> to have access. If they log in with machine local accounts
>> they could still access with the domain credentials or
>> credentials of the share and dfs hosting server. That could
>> also be "assisted" by their caching those credentials in the
>> cred manager on their XP (i.e. start/run control keymgr.dll)
>> > I've got several remote machines (XPsignon14a, as an example) that I
>> > want to give full write access to a certain directory on the file
>> > server (dfs tree on server 2003) without tying them to a specific user
>> > account, so that no matter who is logged into the machine they will
>> > always have access to this directory (usually, users use local accounts
>> > on xpsignon14a)
>> >
>> > Hope this clarifies.
>> >
>> > Cheers,
>> > Hugh.
>> >
>> >
>> > Roger Abell [MVP] wrote:
>> >> Please clarify what it is that you are trying to do.
>> >> > give write permissions to several computers in my
>> >> > domain by adding them to the acl's, however when
>> >> > I do so they are still denied access
>> >> is ambiguous. You want to allow several computers
>> >> to write what/where, and to get this going you have
>> >> attempted to grant what/where ?
>> >>
>> >> > Hi,
>> >> > I need to give write permissions to several computers in my domain by
>> >> > adding them to the acl's, however when I do so they are still denied
>> >> > access, and I'm not sure why. Any pointers from someone who has done
>> >> > this would be appreciated.
>> >> >
>> >> > The users on these computers log onto the local machine.
>> >> >
>> >> > Server is 2003, clients are XPSP2.
>> >> >
>> >> > Thanks in advance.
>> >> >
>> >
>>
>>
>>
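The IPsec filter on host C described in the first quoted reply, sketched as an added example that is not part of the original thread. It uses the `netsh ipsec static` context available on Server 2003; the host A address (192.0.2.10) and all policy, filter list and action names are assumptions chosen for illustration.

```bat
@echo off
rem Added example, run on host C (the file server).
rem HOSTA and every name below are assumed placeholders.
set HOSTA=192.0.2.10
set POLICY=SMB-HostA-Only

rem Create the policy unassigned and without the default response rule.
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no assign=no

rem Filter list 1: TCP 445 and 139 from host A to this server.
netsh ipsec static add filterlist name="SMB-From-HostA"
netsh ipsec static add filter filterlist="SMB-From-HostA" srcaddr=%HOSTA% dstaddr=Me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="SMB-From-HostA" srcaddr=%HOSTA% dstaddr=Me protocol=TCP srcport=0 dstport=139 mirrored=yes

rem Filter list 2: the same ports from any source address.
netsh ipsec static add filterlist name="SMB-From-Any"
netsh ipsec static add filter filterlist="SMB-From-Any" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="SMB-From-Any" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=139 mirrored=yes

rem Filter actions: plain permit and plain block (no negotiation).
netsh ipsec static add filteraction name="SMB-Permit" action=permit
netsh ipsec static add filteraction name="SMB-Block" action=block

rem The more specific host A filter is matched before the Any filter,
rem so host A is permitted and every other source is blocked.
netsh ipsec static add rule name="Allow-HostA" policy="%POLICY%" filterlist="SMB-From-HostA" filteraction="SMB-Permit"
netsh ipsec static add rule name="Block-Others" policy="%POLICY%" filterlist="SMB-From-Any" filteraction="SMB-Block"

rem Review the result, then assign the policy to make it active.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

Permit and block filters match on source address only and do not authenticate the peer, and share and NTFS permissions still decide what a connecting account can do once the connection is allowed.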