Solved

Deny access to shared folder to specific machine

Posted on 2010-08-12
Last Modified: 2013-12-04
Hi all,
My Windows 2003 domain controller has a SATAbeast RAID array attached to it. This shows up on the server as six separate drives. I have about 10 shared folders spread across the six drives. This network is closed and has about 75 systems on it, all Windows XP Pro SP3. A login script maps all 10 drives each time a user logs in. I would like to deny access to all shares to five specific systems. I don't mind if they show up under My Computer when a user logs in, but I would like it to say access denied if they try to open it. Here is what I have tried...

I have created a security group and placed the five target systems in this group. I then visited the share tab on each share, added the group and gave it deny all permissions. It did not work.

I added each system individually to the share tab with deny permissions. It did not work.

I tested this by logging on with a non-privileged account.

Anyone have any ideas!?!  Thank you very much.
0
Question by:MDAARC
6 Comments
 
LVL 11

Expert Comment

by:Coast-IT
Are the drives formatted as NTFS?  You have to use NTFS to enable file level permissions.  A simple convert command will do the trick.
0
 
LVL 7

Expert Comment

by:BobintheNoc
Since the NTFS permissions are defined by USER accounts, it'd be tough to truly restrict those machines to only certain shares.

You could do a loopback policy that's user based that DOESN'T MAP those drives for the user when they log in to that workstation; however, if they have privilege to MAP or use NET USE, they could technically still get there if they're a little savvy.

You could also possibly use TWEAK UI to HIDE those drives.  Maybe even another script executing on those local machines to net use /d all the mappings you don't want.

If there were NO resources on the target server that these machines need access to, you could do a firewalling with IP restrictions to prevent those machines from reaching that particular server in any way.

0
 

Author Comment

by:MDAARC
Coast-IT, thanks for your help! Yes, the drives are all NTFS. I have the security as well as the share permissions on each drive set for full deny for the security group I created, and users can still access the drive. I am not familiar with the convert command...

BobintheNoc, thank you for your help also. Users in the lab log into several different systems, so I cannot block the shares based on user. We are in the process of updating the script to exclude mapping any drives on the security group systems. I am also going to do a registry edit to remove the option to map a drive on these five systems, but unfortunately some of the users are savvy and know the path to the server and shared drives. The server hosting the shares is also the domain controller, so blocking these systems would also block them from authenticating.

Thanks again.
0
 

Expert Comment

by:Byru Srikanth
Create a security group and add the user profiles of those you want to restrict.
Edit the script such that only the specified 5 shared drives will be mapped.
Now create a GP so that when a specified profile logs in, it will pick from the security group and run the script.
0
 

Author Comment

by:MDAARC
byru srikar, thanks for your help. I actually do not want to restrict users but machines. I don't want any user who logs in to the five specific machines to be able to access the shares... Thanks.
0
 

Accepted Solution

by:
MDAARC earned 0 total points
Found it! In order to block shares from the set of systems, I changed a registry setting on each of the five systems:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

TransportBindName has a value of /device/; you just remove that, leaving the field blank, and the system can no longer access a share!

Thanks everyone.
0
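
The following PowerShell script is an added example, not posted by anyone in this thread: it reads the TransportBindName value named in the accepted solution from each of the five machines and reports whether it is blank, so the change can be verified and later drift detected. The computer names are constructed placeholders, and it assumes the Remote Registry service is reachable on each target and the account running it may read HKLM remotely.

```powershell
# Added example: audit the NetBT TransportBindName value on a list of machines.
# Computer names are constructed placeholders; replace them with the real ones.
$computers = 'LAB-PC01', 'LAB-PC02', 'LAB-PC03', 'LAB-PC04', 'LAB-PC05'
$subKey    = 'System\CurrentControlSet\Services\NetBT\Parameters'
$valueName = 'TransportBindName'

function Get-TransportBindState {
    param([string]$ComputerName)

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName
        Value    = $null
        State    = 'Unknown'
    }
    $hklm = $null
    try {
        # Opens HKLM on the remote machine through the Remote Registry service.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey($subKey)
        if ($null -eq $key) {
            $result.State = 'KeyMissing'
        } else {
            $value = $key.GetValue($valueName, $null)
            $result.Value = $value
            if ($null -eq $value)          { $result.State = 'ValueMissing' }
            elseif ([string]$value -eq '') { $result.State = 'Blank' }  # state described in the accepted solution
            else                           { $result.State = 'Set' }    # value still present
            $key.Close()
        }
    } catch {
        # Unreachable host, service stopped, or access denied.
        $result.State = "Error: $($_.Exception.Message)"
    } finally {
        if ($hklm) { $hklm.Close() }
    }
    $result
}

$computers | ForEach-Object { Get-TransportBindState $_ } |
    Select-Object Computer, State, Value | Format-Table -AutoSize
```

A machine reported as `Set` or `ValueMissing` does not have the blank value the accepted solution describes, and an `Error` row means the check could not be made, not that the setting is in place.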
