twgonder

Local vs. domain login and file sharing security

Old mainframe guy getting up to speed on Win 2K and domains, and a new person to this site.

I have a Win 2000 domain controller with shared resources. User A is set up with password B. A Win XP client has the same user with the same password. Now it would seem that the client computer and user shouldn't have access to the domain resources. I mean, why allow access just because the password is the same (it could be null or something real smart like 'password').

What is the point of having a domain and all those policies if a client computer can breeze right past?

I can't find any MS info on this issue to explain why this is allowed.  I know there must be a simple explanation.  Is there an equally simple fix to keep non-domain accounts from getting to resources?

Also, the client computer isn't found in Active Directory Users and Computers>Computers. If you try to log on as a domain user, you're blocked. But, again, local logins breeze right in. Same basic question of How & Why?
Fatal_Exception

Not quite sure about this question..  If your user (client) is a member of the domain, then they must authenticate to the domain controller..  At this point, they should be able to access whatever resources that you give them permission to access, via NTFS permissions..  

Or am I reading this wrong..??  

Also, these clients should be showing up in ADUC..  And DNS..  if they are not, then you probably have a DNS issue..  Ck your DNS and make sure that the resource records are getting populated correctly..

FE
twgonder

ASKER

The user logs on to the local workstation (not the domain) and has the password scenario described above.   They can get to network resources (shared files on domain controller).  Using the Active Directory Users and Computers (ADUC), the client computer isn't listed (because they never joined the domain).  No basic DNS problem as the client pings the server just fine.
Ahh..  yes, this is by default..  It is a feature that enables a Peer to Peer network to share resources...   This is the way it is supposed to work..   :)

I can accept that for a PTP, but not for a domain!

I have workgroup computers, using Windows XP Home Edition, which, by default, cannot join a domain..  the way we get around this is to use this P2P quirk to access these resources...   Although this is not the best way, it is a workaround...   and in some of my client's situations, because they bought the wrong OS, it is one way to get it to work...

I'm not trying to get it to work, I'm trying to get it to not work.  Could there be some group policy setting for the domain that would lock out rogue computers from accessing the files?
SOLUTION
Fatal_Exception

Another idea to secure this from a workstation...  Edit the Host file of the client..  make it point to itself when trying to access the DC or any other server on your network..

EX:

127.0.0.1  abc.local
For the shared folder, remove the "Everyone" group and add "Domain Users".

I don't think the problem is that the user has the same password as a domain user; I think the problem is that this user has the rights necessary to access the share.

I think ryangclear is on to it.

Remove Everyone from the security tab and add Authenticated Users.

That should do the trick.

Hope this helps,

Daniel F.
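Because a local account with the same name and password authenticates to the file server just like a domain account (the "peer to peer" behaviour described earlier in the thread), the access-control list on the share is what actually decides who gets in. The following PowerShell script is an added example, not code from the thread; it audits every non-administrative SMB share on the server for an "Everyone" entry (share-level and NTFS) and, with -Fix, swaps the share-level entry for Authenticated Users. It assumes the SmbShare module (Windows 8 / Server 2012 or later); the Windows 2000 / XP hosts in the thread would need the Permissions and Security tabs in Explorer instead.

```powershell
# Audit (and optionally fix) shares that grant access to Everyone.
# Assumes the SmbShare module; $replacement is a hypothetical choice
# and could equally be 'DOMAIN\Domain Users' as the thread suggests.
param([switch]$Fix)

$everyone    = 'Everyone'
$replacement = 'NT AUTHORITY\Authenticated Users'

# Skip the built-in administrative shares (C$, ADMIN$, IPC$ ...).
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Share-level permissions (the "Permissions" button on the share).
    $shareEntries = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyone }

    # NTFS permissions on the underlying folder (the "Security" tab).
    $ntfsEntries = @()
    if ($share.Path -and (Test-Path $share.Path)) {
        $ntfsEntries = (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.IdentityReference -eq $everyone }
    }

    if (-not $shareEntries -and -not $ntfsEntries) { continue }

    if ($shareEntries) {
        Write-Output ("{0,-20} share ACL grants Everyone: {1}" -f
            $share.Name, ($shareEntries.AccessRight -join ','))
    }
    if ($ntfsEntries) {
        Write-Output ("{0,-20} NTFS ACL grants Everyone: {1}" -f
            $share.Name, ($ntfsEntries.FileSystemRights -join ','))
    }

    if ($Fix -and $shareEntries) {
        # Grant the replacement first so legitimate users never lose access
        # in between; NTFS entries are reported only and left for manual review.
        Grant-SmbShareAccess -Name $share.Name -AccountName $replacement `
            -AccessRight Change -Force | Out-Null
        Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone -Force | Out-Null
        Write-Output ("{0,-20} replaced Everyone with {1}" -f $share.Name, $replacement)
    }
}
```

Run it once without -Fix to see which shares are open, then again with -Fix from an elevated prompt on the file server.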
ASKER CERTIFIED SOLUTION

SOLUTION

Thanks..

FE