Re: Preventing users from connecting to shares NOT on the domain..
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/21/05
- Next message: Richard G. Harper: "Re: Error Messag IPSC$"
- Previous message: Ed Horley: "Re: Utilising 2 NICs in one server for failover..."
- In reply to: Javier J: "Re: Preventing users from connecting to shares NOT on the domain.."
- Next in thread: Miha Pihler [MVP]: "Re: Preventing users from connecting to shares NOT on the domain.."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 21 Jan 2005 01:37:49 -0700
Since IPsec policy is a computer policy I do not believe
that you can deliver that in a way that is sensitive to whether
the current login is a member of this "Restricted" group of
users that suffer the desktop restriction. If you apply an
IPsec policy to this OU it will have effect at bootup of a
machine in that OU and for all logins.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Javier J" <no.mail@please.no> wrote in message news:uAhzqhw$EHA.3256@TK2MSFTNGP11.phx.gbl...
> Hi!
>
> The servers might be located on the same subnet of some of the clients.
> Not sure about that, would have to check the precise topology.
>
> The idea is:
> These 30+ Client PCs should _only_ be able to access resources on
> computers located on the Domain.
>
> IIRC, all the servers are located on the same OU, but as for their IP
> addresses, I don't know if they're on the OU or not.
>
> To be more precise, the setup is as follows:
>
> + AD
> - Users: Most users are placed on the default container
> |
> - OU=Restricted: OU where we've placed the "secure" client PCs and
> related users.
>
> The OU has two GPOs, one for "Machine" and one for user. The "Machine"
> GPO is set to apply to all Authenticated Users. The "User" GPO _only_ is
> applied to the members of a "Restricted" group.
>
> The users of the "Restricted" group "suffer" a desktop as locked down as
> I've managed to get (Redirected Folders, Roaming User Profiles deleted
> on logoff, no "All Users" programs and folders, etc). The _ideal_ setup
> would be one where the "restricted" can't connect to any non-domain PC,
> while a "normal" user doesn't have to suffer any more restrictions than
> necessary...
>
> The rest of the users/PCs on the domain should still be running "as is",
> that's why I'm looking for policies / changes that can be implemented
> per-OU.
>
> Is this possible with the solution you suggest?
>
> Thanks a lot
>
> Javier J
>
> Miha Pihler [MVP] wrote:
> > Hi,
> >
> > Another question for you. Are servers on same subnet as clients? It would be
> > a benefit if they were not.
> >
> > Yes Kerberos is domain wide but IPSec policy can be OU, Site or Domain (just
> > like policies). So you can require IPSec for only a group of PCs (PCs that
> > are in same OU). If you require these computers to communicate with other
> > computers (servers) in domain while these servers are not in same domain some
> > small changes would be required on OU where servers are located. This change
> > would tell the servers to respond to IPSec requests. This would not be
> > required if the servers are in their own subnet...
> >
> > Feel free to post back with any additional questions that you might have. I
> > will do my best to answer them, but that might not be before some time
> > tomorrow. I have some work to do and get some sleep...
> >
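As an added illustration of the per-OU IPsec arrangement discussed in this thread (example configuration, not posted by any of the participants; the policy names and the domain example.com are assumed), the two policies in netsh ipsec static form: one for the computers in OU=Restricted that requires Kerberos-authenticated IPsec for all traffic, and one for the servers' OU that only responds and still accepts cleartext. Both are computer policies, so, as Roger says, they apply to every login on the machines they are assigned to.

```batch
@echo off
rem Added example, not from this thread. Assumes the domain is example.com
rem and that OU=Restricted contains only the client PCs to be locked down.
rem Write both policies into Active Directory; each OU's "Machine" GPO then
rem assigns one of them under IP Security Policies on Active Directory.
netsh ipsec static set store location=domain domain=example.com

rem --- Policy for OU=Restricted: IPsec is required to every destination ---
netsh ipsec static add policy name="Restricted Clients" description="Domain-only access"
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes
rem inpass=no soft=no: no fallback to cleartext, so a host that cannot finish
rem Kerberos-authenticated IKE (any non-domain machine) is simply unreachable.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no
netsh ipsec static add rule name="Require IPsec Everywhere" policy="Restricted Clients" filterlist="All IP Traffic" filteraction="Require Security" kerberos=yes

rem --- Policy for the servers' OU: respond to IPsec, but keep accepting cleartext ---
rem Same behaviour as the built-in "Server (Request Security)" policy, so the
rem unrestricted users and PCs elsewhere in the domain keep running "as is".
netsh ipsec static add policy name="Domain Servers" description="Respond to IPsec requests"
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes
netsh ipsec static add rule name="Respond to IPsec" policy="Domain Servers" filterlist="All IP Traffic" filteraction="Request Security" kerberos=yes
```

The domain controllers need the same responding policy (or a permit rule for their addresses in "Restricted Clients"), because beyond the default IKE/Kerberos exemptions every other exchange with a DC, Group Policy download included, is now subject to the require-security rule. For a single test machine, `netsh ipsec static set policy name="Restricted Clients" assign=y` against the local store shows the effect before the GPO is linked.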