?
Solved

Deny access to shared folder to specific machine

Posted on 2010-08-12
6
Medium Priority
?
858 Views
Last Modified: 2013-12-04
Hi all_
      My windows 2003 domain controller has a SATAbeast RAID Array attached to it.  This shows up on the server as six separate drives.  I have about 10 shared folders spread across the six drives.  This network is closed and has about 75 systems on it, all windows xp pro SP3.  A login script maps all 10 drives each time a user logs in.  I would like to deny access to all shares to five specific systems. I dont mind if they show up under my computer when a user logs in but i would like for it to say access denied if they try to open it.  Here is what i have tried....

I have created a security group and placed the five target systems in this group.  I then visited the share tab on each share, added the group and gave it deny all permissions, did not work.

I added each system individually to the share tab with deny permissions, did not work.

I tested this by logging on with a non-privileged account.

Anyone have any ideas!?!  Thank you very much.
0
Comment
Question by:MDAARC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33424149
Are the drives formatted as NTFS?  You have to use NTFS to enable file level permissions.  A simple convert command will do the trick.
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 33424212
Since the NTFS permissions are defined by USER accounts, it'd be tough to truly restrict those machines to only certain shares.

You could do a loopback policy that's user based that DOESN'T MAP those drives for the user when they login to that workstation, however if they have privilege to MAP or use NET USE, they could technically still get there if they're a little saavy.

You could also possibly use TWEAK UI to HIDE those drives.  Maybe even another script executing on those local machines to net use /d all the mappings you don't want.

If there were NO resources on the target server that these machines need access to, you could do a firewalling with IP restrictions to prevent those machines from reaching that particular server in any way.

0
 

Author Comment

by:MDAARC
ID: 33424310
Coast-IT_ thanks for your help!  Yes the drives are all NTFS.  I have the security as well as the share permissions on each drive set for full deny for the security group i created and users can still access the drive.  I am not familiar with the convert command....

BobintheNoc_  Thank you for your help also.  Users in the lab log into several different systems so i cannot block the shares based on user.  We are in the process of updating the script to exclude mapping any drives on the security group systems.  I am also going to do a registry edit to remove the option to map a drive on these five systems but unfortunately some of the users are savvy and know the path to the server and shared drives.  The server hosting the shares is also the domain controller so blocking these systems would also block them from authenticating.

Thanks again.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Expert Comment

by:Byru Srikanth
ID: 33427639

Create a Security Group add the user profiles of whom you want to restrict.
Edit the Script such that only the specified 5 Shared drives will be mapped.
Now Create GP which when a specified profile logs it will pick from the security group and runs the script.
0
 

Author Comment

by:MDAARC
ID: 33429747
byru srikar_ thanks for your help.  I actually do not want to restrict users but machines.  I dont want any user who logs in to the five specific machines to be able to access the shares....  Thanks.
0
 

Accepted Solution

by:
MDAARC earned 0 total points
ID: 33432701
Found it!  In order to block shares from the set of systems i changed a registry setting on each of the five systems

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

TransportBindName has a value of /device/, you just remove that leaving the field blank and the system can no longer access a share!

Thanks everyone.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses
Course of the Month12 days, 11 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question