Access control based on user AND computer identity possible?

Archived from groups: microsoft.public.win2000.active_directory

Access to files is the only concern.

User must be logged in to a specific workstation to access files on a
server.

Any support you can give is much appreciated!

Paul Nelson
nelson@thursby.com

Paul,

What are you really trying to do? Are you asking the following?:

User jblow is logged on with his domain user account object to computer XYZ,
which is located in the Computer Lab. He attempts to access a shared folder
(that he has as part of a logon script, or manually uses net use... or
whatever) and is successful.

Now, for whatever reason user jblow needs to go up to the third floor. He
uses his domain user account object and logs onto computer ABC. He attempts
to access that very same shared folder. But this time he is denied.

Is this what you want to accomplish?

Not sure that you can do this? What is it that you need to do? Are there
security issues involved? Seems like an obvious answer would be 'yes'! Are
you trying to create a situation where people accessing FolderX and FolderY
are in certain rooms (where specific computers are physically located,
perhaps in the Computer Lab as per above)?

Have you considered allowing user jblow to log on to specific computers?
Probably not really a solution.....

It seems like you are pretty clear on what your needs are. However, I am
not sure that this works that way. Typically both Share and NTFS
permissions are based on group membership. Well, when done 'correctly'.
Naturally, you can do this for individual user account objects and computer
account objects.

Have you tried using the explicit DENY applied to a group of computer
account objects? So, to go with the example that I used above, to a group
of all the computer account objects in your environment EXCEPT those in the
Computer Lab. Not sure that this would do the job, but maybe?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Paul Nelson" <nelson@thursby.com> wrote in message
news:BE92759D.2D3A4%nelson@thursby.com...

Thanks for your interest.

I have files provided by a security-conscious third party.

1) We want to keep the files on a dedicated domain member server.
2) We only want the files to be used in special editing rooms where secure
access is controlled (media can't be taken in or out).
3) There are a number of these rooms, and editors may work in any one of
them in a week's time.
4) We want the editors to log into the client systems in the editing rooms
using their normal domain credentials.

In order for the file security to work in this environment, we want the
editor users to only be able to access shares on the dedicated domain member
server, and not be able to connect to shares on other domain servers. (This
could be accomplished with firewall settings).

Then we want to set up the dedicated member server so that connections are
only allowed from the editing rooms.

Using a firewall is hard to configure and maintain. It would be nice to be
able to use some sort of ACL for this, but it appears that ACLs are simply
one to one (one security object 'user' accessing one resource object
'file').

Is there any way to add a special right to the user when they log in to a
workstation? Something that can't be spoofed?


in article OX6pSqRUFHA.3188@TK2MSFTNGP09.phx.gbl, Cary Shultz [A.D. MVP] at
cwshultz@mvps.org wrote on 5/4/05 9:31 PM:

> Paul,
>
> What are you really trying to do? Are you asking the following?:
>
> User jblow is logged on with his domain user account object to computer XYZ,
> which is located in the Computer Lab. He attempts to access a shared folder
> ( that he has as part of a logon script or manually uses net use.... or
> whatever ) and is successful.
>
> Now, for whatever reason user jblow needs to go up to the third floor. He
> uses his domain user account object and logs onto computer ABC. He attempts
> to access that very same shared folder. But this time he is denied.
>
> Is this what you want to accomplish?
>
> Not sure that you can do this? What is it that you need to do? Are there
> security issues involved? Seems like an obvious answer would be 'yes'! Are
> you trying to create a situation where people accessing FolderX and FolderY
> are in certain rooms ( where specific computers are physically located -
> perhaps in the Computer Lab as per above )?
>
> Have you considered allowing user jblow to log on to specific computers?
> Probably not really a solution.....
>
> It seems like you are pretty clear on what your needs are. However, I am
> not sure that this works that way. Typically both Share and NTFS
> permissions are based on group membership. Well, when done 'correctly'.
> Naturally, you can do this for individual user account objects and computer
> account objects.
>
> Have you tried using the explicit DENY applied to a group of computer
> account objects? So, to go with the example that I used above, to a group
> of all the computer account objects in your environment EXCEPT those in the
> Computer Lab ). Not sure that this would do the job, but maybe?
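Cary's idea of an explicit DENY on a group of computer accounts and Paul's observation that an ACL pairs one security principal with one resource both come down to what is in the access token the file server evaluates. The following is an added model, not code from the thread, assuming the classic Windows 2000-era token (the user's SID plus the user's group SIDs, no SID for the workstation the user logged on to); the SIDs, group names and ACL are constructed.

```python
# Added example, not from the thread: model of a classic Windows DACL check.
from dataclasses import dataclass

READ = 0x1  # one generic "read" bit is enough for the model

@dataclass(frozen=True)
class Ace:
    allow: bool  # False = access-denied ACE
    sid: str
    mask: int

def check_access(dacl, token_sids, wanted):
    """Canonical order: deny ACEs come first, so a deny matching any SID in
    the token beats a later allow; grant once every wanted bit is allowed."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and ace.mask & wanted:
            return False
        granted |= ace.mask
        if (granted & wanted) == wanted:
            return True
    return False

def session_token(user_sid, group_sids):
    """Token the server builds from the user's authentication (NTLM or the
    Kerberos PAC): user SID plus group SIDs; no SID for the workstation."""
    return frozenset([user_sid, *group_sids])

# Constructed SIDs: jblow, an Editors group, and Cary's suggested group of
# every computer account except those in the Computer Lab.
SID_JBLOW = "S-1-5-21-1-1-1-1001"
SID_EDITORS = "S-1-5-21-1-1-1-2001"
SID_NON_LAB_COMPUTERS = "S-1-5-21-1-1-1-3001"

SHARE_DACL = [
    Ace(allow=False, sid=SID_NON_LAB_COMPUTERS, mask=READ),  # explicit DENY
    Ace(allow=True, sid=SID_EDITORS, mask=READ),
]

def jblow_from_computer_abc_can_read():
    # jblow connects from ABC, a member of the denied group, but ABC's SID
    # never enters jblow's token, so the DENY ACE is never matched.
    return check_access(SHARE_DACL, session_token(SID_JBLOW, [SID_EDITORS]), READ)

def deny_fires_if_workstation_sid_were_in_token():
    # Hypothetical: the DENY applies only if the token also carried the
    # workstation's group SID, which the classic model does not provide.
    tok = session_token(SID_JBLOW, [SID_EDITORS, SID_NON_LAB_COMPUTERS])
    return check_access(SHARE_DACL, tok, READ)
```

The first function returning True is the failure mode to expect from the computer-group DENY: the share still cannot tell which workstation the editor is sitting at, so a control at the network or logon layer is what actually ties access to a room.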