Posted by Steven L Umbach on June 27, 2006, 4:43 pm
What I would do is to give that global group the deny access this computer from
the network user right in Domain Security Policy. Then move the server that
has the share they need to access into an OU with a Group Policy linked to it
configured with the deny user right for access this computer from the
network defined but not including that group. Then users in that group can
only access shares on that server. If the server has more than one share,
give that group deny permissions for other shares on that server. It is also
possible to prevent users that log on to non-domain computers from being able
to access domain computers [other than domain controllers] that have a
require IPsec policy. If you consider IPsec, be sure to read the
documentation on IPsec first and be sure to exempt domain controllers from
request/require IPsec policies by adding their IP address to a filter list
that is in a rule that has permit filter action. --- Steve

http://support.microsoft.com/?kbid=254949 --- important information before
deploying IPsec

> Steven L Umbach wrote:
>> Then consider either don't give domain users/users/everyone/authenticated
>> user permissions to any shares and instead give permissions to the global
>> groups you want to have access or give the global group deny permissions
>> to the shares you don't want them to access or deny access this computer
>> from the network user right for computers you don't want them to access
>> shares [other than domain controllers] on which can easily be managed via
>> Group Policy. Every time a user is created for the domain that user is
>> automatically added to the domain users group. --- Steve
>>
>>
>>
>>> Steven L Umbach wrote:
>>>> I do NOT recommend that you try to remove users from the domain users
>>>> group as a strategy to manage access to shares or any other reason.
>>>> Instead create global groups that contains the users that you want to
>>>> have access to each share and then grant those global groups
>>>> permissions to the shares and do not include users/domain
>>>> users/everyone/authenticated users in the access control list for share
>>>> permissions. -- Steve
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a few shared folders on my w2k3 file server and most of them
>>>>> allow read access for the domain users group.
>>>>>
>>>>> I am trying to create a shared folder that only allows one group of
>>>>> users to access. This group of users should have no access to other
>>>>> shared folders. I created a new group and put all these users onto the
>>>>> group and removed the domain users group from the "member of" property
>>>>> of these users. So all these users are only member of the newly
>>>>> created group. However, they are still able to access the file on the
>>>>> shares that have read access for domain users.
>>>>>
>>>>> Can someone advise how I can change the ntfs/share permission so that
>>>>> I achieve my goal accordingly?
>>>>>
>>>>> Thanks
>>>>>
>>>>> OM
>>>>
>>> If the users still belong to the domain user group, they would be able
>>> to access to other shares that have access permission assigned to domain
>>> user group within the domain. I just want them to be able to access one
>>> single folder only. Thanks
>>
>>
>
> This newly created group is actually for users who log on from non-domain
> machines. All they need is just read access to one particular folder. We
> have many shares defined and it is difficult not to give domain user group
> access as we have different permissions defined on various folders within
> folders. Also, there will be too much management work if we use deny
> permission on so many shares.
>
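
The layout from the top reply, modelled as an added example that is not part of the original thread: a domain-wide deny of network logon for the group, an OU policy on the file server that defines the right without the group, and deny entries on that server's other shares. The group name `ExternalReaders`, the hosts `FS1`/`FS2` and the share names are constructed; the model covers share ACLs only (not NTFS permissions) and assumes the OU-linked policy replaces the domain value.

```python
# Added model of the layout in the post. All names are constructed samples.

def effective_deny(domain_deny, ou_deny):
    """Deny-network-logon list in force on a computer.

    Assumption: an OU-linked GPO that defines the right replaces the
    domain-level value (no Enforced link). None means "not defined".
    """
    return domain_deny if ou_deny is None else ou_deny

def share_allows(acl, groups):
    """Share ACL check: a matching deny ACE beats any allow ACE."""
    if any(kind == "deny" and who in groups for kind, who in acl):
        return False
    return any(kind == "allow" and who in groups for kind, who in acl)

def reachable_shares(groups, domain_deny, computers):
    """Return UNC paths the token (set of group names) can open."""
    found = []
    for host, cfg in computers.items():
        if effective_deny(domain_deny, cfg["ou_deny"]) & groups:
            continue  # network logon refused: no share on this host
        for share, acl in cfg["shares"].items():
            if share_allows(acl, groups):
                found.append("\\\\%s\\%s" % (host, share))
    return sorted(found)

RESTRICTED = "ExternalReaders"          # hypothetical global group
TOKEN = {"Domain Users", "Authenticated Users", "Everyone", RESTRICTED}
DOMAIN_DENY = {RESTRICTED}              # set in Domain Security Policy

COMPUTERS = {
    # File server moved into its own OU; right defined without the group.
    "FS1": {"ou_deny": set(), "shares": {
        "Reports": [("allow", RESTRICTED)],
        "Public": [("allow", "Domain Users"), ("deny", RESTRICTED)],
    }},
    # Every other member server inherits the domain-level deny.
    "FS2": {"ou_deny": None, "shares": {
        "Docs": [("allow", "Domain Users")],
    }},
}

if __name__ == "__main__":
    print(reachable_shares(TOKEN, DOMAIN_DENY, COMPUTERS))
```

Dropping the domain-level deny (passing an empty set) makes `FS2`'s `Docs` share reachable again, which is the gap the user right closes without touching every share ACL.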