Deny access to shared folder to specific machine

Hi all,

My Windows 2003 domain controller has a SATAbeast RAID Array attached to it.  This shows up on the server as six separate drives.  I have about 10 shared folders spread across the six drives.  This network is closed and has about 75 systems on it, all Windows XP Pro SP3.  A login script maps all 10 drives each time a user logs in.  I would like to deny access to all shares to five specific systems. I don't mind if they show up under My Computer when a user logs in, but I would like for it to say access denied if they try to open it.  Here is what I have tried....

I have created a security group and placed the five target systems in this group.  I then visited the share tab on each share, added the group and gave it deny all permissions, did not work.

I added each system individually to the share tab with deny permissions, did not work.

I tested this by logging on with a non-privileged account.

Anyone have any ideas!?!  Thank you very much.
MDAARC Asked:

Coast-IT Commented:
Are the drives formatted as NTFS?  You have to use NTFS to enable file level permissions.  A simple convert command will do the trick.
0
BobintheNoc Commented:
Since the NTFS permissions are defined by USER accounts, it'd be tough to truly restrict those machines to only certain shares.

You could do a loopback policy that's user based that DOESN'T MAP those drives for the user when they log in to that workstation, however if they have privilege to MAP or use NET USE, they could technically still get there if they're a little savvy.

You could also possibly use TWEAK UI to HIDE those drives.  Maybe even another script executing on those local machines to net use /d all the mappings you don't want.

If there were NO resources on the target server that these machines need access to, you could do a firewalling with IP restrictions to prevent those machines from reaching that particular server in any way.

0
MDAARC Author Commented:
Coast-IT, thanks for your help!  Yes, the drives are all NTFS.  I have the security as well as the share permissions on each drive set for full deny for the security group I created and users can still access the drive.  I am not familiar with the convert command....

BobintheNoc, thank you for your help also.  Users in the lab log into several different systems so I cannot block the shares based on user.  We are in the process of updating the script to exclude mapping any drives on the security group systems.  I am also going to do a registry edit to remove the option to map a drive on these five systems, but unfortunately some of the users are savvy and know the path to the server and shared drives.  The server hosting the shares is also the domain controller, so blocking these systems would also block them from authenticating.

Thanks again.
0

Byru Srikanth Commented:

Create a security group and add the user profiles you want to restrict.
Edit the script such that only the specified 5 shared drives will be mapped.
Now create a GP which, when a specified profile logs in, will pick from the security group and run the script.
0
MDAARC Author Commented:
byru srikar, thanks for your help.  I actually do not want to restrict users but machines.  I don't want any user who logs in to the five specific machines to be able to access the shares....  Thanks.
0
MDAARC Author Commented:
Found it!  In order to block shares from the set of systems I changed a registry setting on each of the five systems:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

TransportBindName has a value of /device/, you just remove that leaving the field blank and the system can no longer access a share!

Thanks everyone.
0
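The registry change described in the post above, as a batch file for the five workstations; this is an added example, not part of the original thread. The backup path and `\\SERVER\SHARE` are placeholders, and the restart before testing is an assumption.

```bat
@echo off
rem Added example: apply the TransportBindName change from the post above.
rem Run as a local administrator on each of the five workstations.
setlocal
set "KEY=HKLM\System\CurrentControlSet\Services\NetBT\Parameters"
set "VAL=TransportBindName"
rem Hypothetical backup location, chosen for this example.
set "BACKUP=%SystemDrive%\netbt-parameters-backup.reg"

rem 1. Keep a copy of the key so the change can be reverted with "reg import".
if exist "%BACKUP%" (
    echo Backup %BACKUP% already exists, leaving it untouched.
) else (
    reg export "%KEY%" "%BACKUP%" >nul || (echo Backup failed, aborting. & exit /b 1)
)

rem 2. Show the value as it is now.
reg query "%KEY%" /v %VAL%

rem 3. Blank the value data, keeping the value itself (REG_SZ).
reg add "%KEY%" /v %VAL% /t REG_SZ /d "" /f || (echo Write failed. & exit /b 1)

rem 4. Read it back so the result is visible in the deployment log.
reg query "%KEY%" /v %VAL%

rem Assumption: the change is picked up after a restart.
echo Restart the workstation, then test with: net use \\SERVER\SHARE
endlocal
```

Because the setting lives on the workstation, anyone with local administrator rights there can restore the original value.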
