Solved

Deny access to shared folder to specific machine

Posted on 2010-08-12
Last Modified: 2013-12-04
Hi all,
      My Windows 2003 domain controller has a SATAbeast RAID array attached to it.  This shows up on the server as six separate drives.  I have about 10 shared folders spread across the six drives.  This network is closed and has about 75 systems on it, all Windows XP Pro SP3.  A login script maps all 10 drives each time a user logs in.  I would like to deny access to all shares to five specific systems. I don't mind if they show up under My Computer when a user logs in, but I would like for it to say access denied if they try to open it.  Here is what I have tried...

I have created a security group and placed the five target systems in this group.  I then visited the share tab on each share, added the group and gave it deny all permissions, did not work.

I added each system individually to the share tab with deny permissions, did not work.

I tested this by logging on with a non-privileged account.

Anyone have any ideas!?!  Thank you very much.
0
Comment
Question by:MDAARC
6 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33424149
Are the drives formatted as NTFS?  You have to use NTFS to enable file level permissions.  A simple convert command will do the trick.
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 33424212
Since the NTFS permissions are defined by USER accounts, it'd be tough to truly restrict those machines to only certain shares.

You could do a loopback policy that's user based that DOESN'T MAP those drives for the user when they log in to that workstation; however, if they have privilege to MAP or use NET USE, they could technically still get there if they're a little savvy.

You could also possibly use TWEAK UI to HIDE those drives.  Maybe even another script executing on those local machines to net use /d all the mappings you don't want.

If there were NO resources on the target server that these machines need access to, you could do a firewalling with IP restrictions to prevent those machines from reaching that particular server in any way.

0
 

Author Comment

by:MDAARC
ID: 33424310
Coast-IT, thanks for your help!  Yes, the drives are all NTFS.  I have the security as well as the share permissions on each drive set for full deny for the security group I created, and users can still access the drive.  I am not familiar with the convert command....

BobintheNoc, thank you for your help also.  Users in the lab log into several different systems, so I cannot block the shares based on user.  We are in the process of updating the script to exclude mapping any drives on the security group systems.  I am also going to do a registry edit to remove the option to map a drive on these five systems, but unfortunately some of the users are savvy and know the path to the server and shared drives.  The server hosting the shares is also the domain controller, so blocking these systems would also block them from authenticating.

Thanks again.
0

 

Expert Comment

by:Byru Srikanth
ID: 33427639

Create a security group and add the user profiles of those you want to restrict.
Edit the script such that only the specified 5 shared drives will be mapped.
Now create a GP which, when a specified profile logs in, will pick from the security group and run the script.
0
 

Author Comment

by:MDAARC
ID: 33429747
byru srikar, thanks for your help.  I actually do not want to restrict users but machines.  I don't want any user who logs in to the five specific machines to be able to access the shares....  Thanks.
0
 

Accepted Solution

by:
MDAARC earned 0 total points
ID: 33432701
Found it!  In order to block shares from the set of systems, I changed a registry setting on each of the five systems:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

TransportBindName has a value of /device/; you just remove that, leaving the field blank, and the system can no longer access a share!

Thanks everyone.
0
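An added example, not part of the original thread: the accepted answer's setting lives in each workstation's own registry, so it is worth checking periodically that the five machines still carry the blank value. This PowerShell script reads the value remotely; the computer names are constructed placeholders, and it assumes the Remote Registry service is reachable and the caller has administrative rights on the targets.

```powershell
# Added example, not from the thread. Computer names are constructed placeholders.
$KeyPath   = 'SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$ValueName = 'TransportBindName'

function Get-TransportBindState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $state = 'Unreachable'; $value = $null; $hklm = $null; $key = $null
    try {
        # Needs the Remote Registry service on the target and admin rights there.
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $key  = $hklm.OpenSubKey($KeyPath)
        if ($null -eq $key) {
            $state = 'KeyMissing'
        } else {
            $value = $key.GetValue($ValueName, $null)
            if ($null -eq $value) { $state = 'ValueMissing' }
            elseif ("$value".Trim().Length -eq 0) { $state = 'Blank' }
            else { $state = 'Set' }
        }
    } catch {
        # Host down, firewall, service stopped or access denied.
        $state = 'Unreachable'
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName; State = $state; Value = $value
    }
}

# Machines that are supposed to carry the blanked value (placeholders).
$Restricted = 'LAB-PC-01', 'LAB-PC-02', 'LAB-PC-03', 'LAB-PC-04', 'LAB-PC-05'

$report = foreach ($name in $Restricted) {
    $r = Get-TransportBindState -ComputerName $name
    # Only an explicitly blank value matches what the accepted answer describes.
    $r | Add-Member -MemberType NoteProperty -Name Compliant `
        -Value ($r.State -eq 'Blank') -PassThru
}
$report | Sort-Object Compliant, ComputerName |
    Format-Table ComputerName, State, Value, Compliant -AutoSize
```

A machine reported as `Set` or `ValueMissing` no longer matches the configuration from the accepted answer, and `Unreachable` means the check could not be performed, not that the machine is compliant.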
