Access control based on user AND computer identity possible?

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Access to files is the only concern.

User must be logged in to a specific workstation to access files on a
server.

Any support you can give is much appreciated!

Paul Nelson
nelson@thursby.com
  1.

    Paul,

    What are you really trying to do? Are you asking the following?

    User jblow is logged on with his domain user account object to computer XYZ,
    which is located in the Computer Lab. He attempts to access a shared folder
    (that he has as part of a logon script, or manually uses net use..., or
    whatever) and is successful.

    Now, for whatever reason user jblow needs to go up to the third floor. He
    uses his domain user account object and logs onto computer ABC. He attempts
    to access that very same shared folder. But this time he is denied.

    Is this what you want to accomplish?

    Not sure that you can do this. What is it that you need to do? Are there
    security issues involved? Seems like an obvious answer would be 'yes'! Are
    you trying to create a situation where people accessing FolderX and FolderY
    are in certain rooms (where specific computers are physically located,
    perhaps in the Computer Lab as per above)?

    Have you considered allowing user jblow to log on to specific computers?
    Probably not really a solution.....

    It seems like you are pretty clear on what your needs are. However, I am
    not sure that this works that way. Typically both Share and NTFS
    permissions are based on group membership. Well, when done 'correctly'.
    Naturally, you can do this for individual user account objects and computer
    account objects.

    Have you tried using the explicit DENY applied to a group of computer
    account objects? So, to go with the example that I used above, to a group
    of all the computer account objects in your environment EXCEPT those in the
    Computer Lab. Not sure that this would do the job, but maybe?

    --
    Cary W. Shultz
    Roanoke, VA 24012
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Paul Nelson" <nelson@thursby.com> wrote in message
    news:BE92759D.2D3A4%nelson@thursby.com...
    > Access to files is the only concern.
    >
    > User must be logged in to a specific workstation to access files on a
    > server.
    >
    > Any support you can give is much appreciated!
    >
    > Paul Nelson
    > nelson@thursby.com
    >
  2.

    Thanks for your interest.

    I have files provided by a security conscious third party.

    1) We want to keep the files on a dedicated domain member server.
    2) We only want the files to be used in special editing rooms where secure
    access is controlled (media can't be taken in or out).
    3) There are a number of these rooms, and editors may work in any one of
    them in a week's time.
    4) We want the editors to log into the client systems in the editing rooms
    using their normal domain credentials.

    In order for the file security to work in this environment, we want the
    editor users to only be able to access shares on the dedicated domain member
    server, and not be able to connect to shares on other domain servers. (This
    could be accomplished with firewall settings).

    Then we want to set up the dedicated member server so that connections are
    only allowed from the editing rooms.

    Using a firewall is hard to configure and maintain. It would be nice to be
    able to use some sort of ACL for this, but it appears that ACLs are simply
    one to one (one security object 'user' accessing one resource object
    'file').

    Is there any way to add a special right to the user when they log in to a
    workstation? Something that can't be spoofed?


    in article OX6pSqRUFHA.3188@TK2MSFTNGP09.phx.gbl, Cary Shultz [A.D. MVP] at
    cwshultz@mvps.org wrote on 5/4/05 9:31 PM:

    > Paul,
    >
    > What are you really trying to do? Are you asking the following?
    >
    > User jblow is logged on with his domain user account object to computer XYZ,
    > which is located in the Computer Lab. He attempts to access a shared folder
    > (that he has as part of a logon script, or manually uses net use..., or
    > whatever) and is successful.
    >
    > Now, for whatever reason user jblow needs to go up to the third floor. He
    > uses his domain user account object and logs onto computer ABC. He attempts
    > to access that very same shared folder. But this time he is denied.
    >
    > Is this what you want to accomplish?
    >
    > Not sure that you can do this. What is it that you need to do? Are there
    > security issues involved? Seems like an obvious answer would be 'yes'! Are
    > you trying to create a situation where people accessing FolderX and FolderY
    > are in certain rooms (where specific computers are physically located,
    > perhaps in the Computer Lab as per above)?
    >
    > Have you considered allowing user jblow to log on to specific computers?
    > Probably not really a solution.....
    >
    > It seems like you are pretty clear on what your needs are. However, I am
    > not sure that this works that way. Typically both Share and NTFS
    > permissions are based on group membership. Well, when done 'correctly'.
    > Naturally, you can do this for individual user account objects and computer
    > account objects.
    >
    > Have you tried using the explicit DENY applied to a group of computer
    > account objects? So, to go with the example that I used above, to a group
    > of all the computer account objects in your environment EXCEPT those in the
    > Computer Lab. Not sure that this would do the job, but maybe?
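
Added example, not part of the newsgroup thread above and not code from either poster. It covers the two approaches the thread circles around: Cary's suggestion of restricting where the user may log on (the account's "Log On To" list, attribute userWorkstations) and Paul's wish for a file ACL that depends on the workstation. The second part goes beyond the Windows 2000 toolset the thread assumes: Windows Server 2012 and later can evaluate a conditional ACE against the authenticated device (Dynamic Access Control), which is the feature that actually answers the question. All names are hypothetical: domain group Media-Editors, computer accounts EDIT-01 through EDIT-04, group EditingRoom-PCs, and the share folder D:\ThirdPartyMedia on the dedicated member server. The script is run on the file server as a domain administrator with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example (not from the thread). Tying file access to the workstation:
# Part A is the Windows 2000-era control, Part B the Server 2012+ conditional ACE.
# Hypothetical names: group Media-Editors, PCs EDIT-01..EDIT-04,
# group EditingRoom-PCs, folder D:\ThirdPartyMedia on the member server.

Import-Module ActiveDirectory

# --- Part A: restrict WHERE the editors may log on (userWorkstations) -------
# The "Log On To" list on the account is enforced by the domain controller
# during authentication. Combined with share/NTFS permissions that grant
# Media-Editors only on this server, this is the closest the Win2000 toolset
# gets to "user must be at one of these machines".
$editingRooms = 'EDIT-01', 'EDIT-02', 'EDIT-03', 'EDIT-04'
$editors = Get-ADGroupMember -Identity 'Media-Editors' |
           Where-Object { $_.objectClass -eq 'user' }
foreach ($u in $editors) {
    # -LogonWorkstations takes a comma-separated list of NetBIOS names.
    Set-ADUser -Identity $u.SamAccountName -LogonWorkstations ($editingRooms -join ',')
}
# Caveat: the workstation name checked here is supplied by the client side of
# the logon, so treat this as a policy control, not a tamper-proof boundary.
# Also note that an explicit DENY ACE for a group of COMPUTER accounts (the
# idea floated in the thread) has no effect on a file share: the server
# authorises the user's access token, and the client machine's account SID
# is not a member of that token.

# --- Part B: conditional ACE with a device-group condition (Server 2012+) ---
# Dynamic Access Control lets an ACE carry a condition evaluated against the
# authenticated device. Prerequisites (Group Policy): on the DCs, "KDC support
# for claims, compound authentication and Kerberos armoring"; on the editing
# room PCs, "Kerberos client support for claims, compound authentication and
# Kerberos armoring". Without compound authentication the device identity is
# never presented, the condition is false, and the editors are denied.
New-ADGroup -Name 'EditingRoom-PCs' -GroupScope Global -GroupCategory Security `
            -ErrorAction SilentlyContinue
foreach ($pc in $editingRooms) {
    # Computer accounts are identified by SamAccountName, i.e. NAME$.
    Add-ADGroupMember -Identity 'EditingRoom-PCs' -Members ($pc + '$')
}

$editorsSid = (Get-ADGroup -Identity 'Media-Editors').SID.Value
$pcsSid     = (Get-ADGroup -Identity 'EditingRoom-PCs').SID.Value

# SDDL for the folder. P = protected (no inheritance from the parent),
# AI = auto-inherit to children. SYSTEM and Administrators get full access
# (FA). XA = conditional access-allowed ACE: Media-Editors get Modify
# (0x1301BF = read/write/execute/delete + synchronize) only when the device
# the user authenticated from is a member of EditingRoom-PCs.
$sddl = 'O:BAG:BAD:PAI' +
        '(A;OICI;FA;;;SY)' +
        '(A;OICI;FA;;;BA)' +
        "(XA;OICI;0x1301BF;;;$editorsSid;(Device_Member_of {SID($pcsSid)}))"

# Apply via the .NET security-descriptor API; the share itself should grant
# Media-Editors Change so that the NTFS conditional ACE is the deciding check.
$acl = Get-Acl -Path 'D:\ThirdPartyMedia'
$acl.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path 'D:\ThirdPartyMedia' -AclObject $acl

# Verify: the stored DACL should still carry the (XA;...;(Device_Member_of ...)) ACE.
(Get-Acl -Path 'D:\ThirdPartyMedia').Sddl
```

Part B answers the "something that can't be spoofed?" question in the thread as far as the file server is concerned: the device group membership is asserted by the domain controller inside the Kerberos service ticket, not by the client, so an editor who takes the same credentials to a desk outside the editing rooms reaches the share but fails the conditional ACE. Part A remains useful as the belt-and-braces control, and firewalling the dedicated server to the editing-room subnet (as the second post suggests) still limits what an attacker can even attempt.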