
How to configure Domain access permissions for a user that would vary based on the computer they log into?

Posted by MrMiLo@nospam on June 21, 2006, 11:58 am
How to configure Domain access permissions for a user that would vary based
on the computer they log into?

I have a server farm consisting of all Windows 2003 servers with R2

All my workstations are Windows XP professional with SP2



What I would like is to be able to limit my users' access to domain shares
(specifically DFS shares) so that these shares are only accessible while
they are logged into and using one of the Terminal Servers.

I do not want these shares accessible from the XP Pro workstations.



I would like to keep the XP Pro workstations on the domain so I can
implement some GPOs.

I really do not want to limit the XP systems networking (so users can still
do in-office printer sharing, etc) with Group Policies and I would prefer to
have the user use their same login and password for both the XP and Terminal
Server logins.



Does anyone know of any way to achieve this?


Thanks



Posted by Steven L Umbach on June 21, 2006, 2:36 pm
You would have to configure access at the computer level and that could be
done in a couple of ways. If you could enable the Windows Firewall on the
servers with the shares you could specify the exception for file and print
sharing and then the IP addresses that are allowed access to file and print
sharing. For that to work well you would want to make sure that the users are
not local administrators on their computers and that the IPs in the allowed
list are static IPs. The other way would be to use IPsec to have an IPsec
require policy on the servers with the shares for at least the ports used
for file and print sharing and then making sure only the computers you want
to have access have a compatible IPsec policy and that the XP Pro computers
do not. IPsec is a somewhat complex topic that requires a lot of planning,
testing, and special considerations for domain controllers. See the links
below if interested. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
http://support.microsoft.com/?kbid=254949 --- very important considerations
for implementing IPsec in a domain

> How to configure Domain access permissions for a user that would vary
> based on the computer they log into?
>
> I have a server farm consisting of all Windows 2003 servers with R2
>
> All my workstations are Windows XP professional with SP2
>
>
>
> What I would like is to be able to limit my users' access to domain shares
> (specifically DFS shares) so that these shares are only accessible while
> they are logged into and using one of the Terminal Servers.
>
> I do not want these shares accessible from the XP Pro workstations.
>
>
>
> I would like to keep the XP Pro workstations on the domain so I can
> implement some GPOs.
>
> I really do not want to limit the XP systems networking (so users can
> still do in-office printer sharing, etc) with Group Policies and I would
> prefer to have the user use their same login and password for both the XP
> and Terminal Server logins.
>
>
>
> Does anyone know of any way to achieve this?
>
>
> Thanks
>
>
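The first option in the reply above (a Windows Firewall exception for file and print sharing, scoped to specific IPs), as an added example that is not part of the original posts. The addresses are constructed placeholders for the Terminal Servers' static IPs, and the script assumes the shares sit on a member file server running Windows Server 2003 SP1 or later, because the exception covers all SMB traffic to the machine rather than individual shares.

```bat
@echo off
rem Added example, not from the thread. Run on the member server hosting the shares.
rem TS_ADDRS is a constructed placeholder: the static IPs of the Terminal Servers.
set TS_ADDRS=192.0.2.11,192.0.2.12

rem Allow Remote Desktop first so enabling the firewall does not cut off
rem remote administration of this server.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=DOMAIN

rem Turn the firewall on for the domain profile.
netsh firewall set opmode mode=ENABLE profile=DOMAIN

rem Weak setting, shown for comparison only (left commented out):
rem scope=SUBNET admits every host on the local subnet, XP workstations included.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN

rem Scoped setting: only the listed Terminal Server IPs reach the
rem file and print sharing ports (TCP 139/445, UDP 137/138).
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%TS_ADDRS% profile=DOMAIN

rem Verify: the File and Printer Sharing entry should list the custom scope.
netsh firewall show state
netsh firewall show service verbose=ENABLE
```

The scope is enforced per port, not per share, so every share on the server becomes unreachable from hosts outside the list.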



Posted by MrMiLo@nospam on June 23, 2006, 3:40 pm
Thanks Steve, that is really a fine idea and I appreciate the time.

I may end up having to go this route but the way it is set up now, it seems
to kill off the XP ws access to sysvol. I don't see being able to use this
technique without adding servers to isolate the share functionality to a
pair of member servers.

This gives me a different direction to think about as I was focusing on GPOs
and Permissions to target/limit the specific shares. Anyone else have any
ideas?

Thanks again.


> You would have to configure access at the computer level and that could be
> done in a couple of ways. If you could enable the Windows Firewall on the
> servers with the shares you could specify the exception for file and print
> sharing and then the IP addresses that are allowed access to file and
> print sharing. For that to work well you would want to make sure that the
> users are not local administrators on their computers and that the IPs in
> the allowed list are static IPs. The other way would be to use IPsec to
> have an IPsec require policy on the servers with the shares for at least
> the ports used for file and print sharing and then making sure only the
> computers you want to have access have a compatible IPsec policy and that
> the XP Pro computers do not. IPsec is a somewhat complex topic that
> requires a lot of planning, testing, and special considerations for domain
> controllers. See the links below if interested. --- Steve
>
> http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
> considerations for implementing IPsec in a domain
>
>> How to configure Domain access permissions for a user that would vary
>> based on the computer they log into?
>>
>> I have a server farm consisting of all Windows 2003 servers with R2
>>
>> All my workstations are Windows XP professional with SP2
>>
>>
>>
>> What I would like is to be able to limit my users' access to domain shares
>> (specifically DFS shares) so that these shares are only accessible while
>> they are logged into and using one of the Terminal Servers.
>>
>> I do not want these shares accessible from the XP Pro workstations.
>>
>>
>>
>> I would like to keep the XP Pro workstations on the domain so I can
>> implement some GPOs.
>>
>> I really do not want to limit the XP systems networking (so users can
>> still do in-office printer sharing, etc) with Group Policies and I would
>> prefer to have the user use their same login and password for both the XP
>> and Terminal Server logins.
>>
>>
>>
>> Does anyone know of any way to achieve this?
>>
>>
>> Thanks
>>
>>
>
>


