Solved

How to make a folder accessed only by computers joining my domains?

Posted on 2008-10-14
Last Modified: 2012-05-05
Hello

I have a domain called rekabaint.com. I have one domain controller for it.
All of my environment is Windows Server 2008.
I have one folder on this domain controller, and I want this folder to be accessed only by users logging in from other computers, but only if their computers are members of my domain.
How can I do that?

I shared this folder and gave full permissions to Everyone. In the Security tab of this folder, I gave permission to Domain Users only. The problem is that when someone logs on to his computer using a local account, clicks Start -> Run and types \\ipaddress, a screen appears asking him to enter his user name and password. If he does so, he will be able to access my folder. I do not want that. I want to restrict access to this folder to computers that have joined the domain and are logged on with a domain account. How can I do that?

regards
Question by:aft
9 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 22710971
Grant rights to "Authenticated Users" and remove "Everyone"

Author Comment

by:aft
ID: 22711107
I think you did not read my question carefully. Please read it again.

In the Security tab, I gave access to Domain Users only.
LVL 26

Expert Comment

by:Pber
ID: 22711595
I would also adjust the share permissions not to have Everyone, but Authenticated Users as Pete mentioned.  I also personally don't give Authenticated Users anything higher than Modify at the share.  This safeguards against too much access, but that works for our environment.
So when the user is logging on locally and trying to access a domain share, he/she is then prompted for a username/password and then granted access?  This is normal and by design.
As long as the user can provide sufficient credentials to access the network resource, they should get in.  This can be either a local username/password on the target machine, a domain username/password or even passthrough authentication via a local username/password that matches a domain password.
What username and password is the user using when prompted?  The local one or is it the domain one?  If it is the domain one, this is exactly how it is supposed to work.  If it is the local one, then either Everyone access might be coming into play or the user is using passthrough because they have a matching domain username/password.

Author Comment

by:aft
ID: 22712032
>>What username and password is the user using when prompted?
The domain one. But is there no way to make this folder shared only to users connecting from computers that are members of the domain and not members of a workgroup?
LVL 26

Accepted Solution

by:
Pber earned 500 total points
ID: 22712805
Not really.  If the prompt is presented and you provide acceptable credentials, you're in.   By supplying the domain credentials, it's authenticating the user on the domain.
You could try playing with IPsec; read these articles to see if it may help:
http://technet.microsoft.com/en-us/library/cc782433.aspx 
http://windowsitpro.com/article/articleid/96927/use-ipsec-to-isolate-a-domain.html 
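
The IPsec approach suggested in the accepted answer, sketched as an added example that is not part of the original thread: a connection security rule on the machine hosting the share requires Kerberos computer authentication for inbound SMB (TCP 445), which a workgroup machine cannot complete even when its user supplies valid domain credentials. The rule names are made up, and the client rule is assumed to reach domain members through Group Policy.

```batch
:: Added example (constructed). Run as a batch file from an elevated prompt.
:: Rule names are made up for illustration.

:: --- On the server that hosts the share ---
:: Require IPsec for inbound SMB (TCP 445). auth1=computerkerb means the
:: *computer* must authenticate with Kerberos, which needs a domain
:: machine account; a user's domain password alone is not enough.
netsh advfirewall consec add rule name="SMB - require domain computer" ^
    endpoint1=any endpoint2=any protocol=tcp port1=any port2=445 ^
    action=requireinrequestout auth1=computerkerb

:: --- On domain-joined clients (normally deployed through Group Policy) ---
:: Request, but do not require, IPsec so the client can negotiate with
:: the server while still reaching hosts that have no IPsec policy.
netsh advfirewall consec add rule name="SMB - request IPsec" ^
    endpoint1=any endpoint2=any protocol=tcp port1=any port2=445 ^
    action=requestinrequestout auth1=computerkerb

:: --- Verify ---
:: List the connection security rules now in effect.
netsh advfirewall consec show rule name=all
:: After a domain-joined client opens the share, a main-mode security
:: association for that client should be listed here.
netsh advfirewall monitor show mmsa
```

In the thread the share sits on the domain controller, where TCP 445 also serves SYSVOL and NETLOGON, so test the effect on Group Policy processing and on machines being joined to the domain before enforcing the server rule there.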

Author Comment

by:aft
ID: 22718455
So how can I force people to make their computers members of the domain? They must do that because I am installing some software (using Group Policy) that is needed for them to open the files in the shared directory.
LVL 26

Expert Comment

by:Pber
ID: 22723291
That's where company policy comes into play.  All machines must be on the domain.
If possible, users should never be given admin rights on their machines.  Thus only Admins can add the machine to the domain.  This would prevent them from removing computers from the domain.   All new computers given to users would already be on the domain.
 
 

Author Comment

by:aft
ID: 22747275
But they can install a new copy of Windows and use it to log in locally to their machine.