Solved

I would like to restrict certain users from accessing a shared folder when not at their own workstation.

Posted on 2010-11-26
Last Modified: 2012-05-10
I want to be able to restrict users' access to certain folders when they are not at their own workstation. This is to prohibit them from trying to access sensitive information from these folders on workstations at other locations.

Thanks in advance

jt.
Question by:ICGIT
LVL 5

Expert Comment

by:Seth_McCauley
ID: 34219660
I do not believe this is possible with the built-in security of Windows file shares, although there may be 3rd party security software that adds this feature.

Are all your file shares on one server? If not, you could restrict access to this file server to specific computers using the built-in firewall. The main catch with this is that it requires the department accessing the share to be on its own IP range or subnet. I know this isn't the most convenient method, but it may be your only option.

Hope this helps.
0
 

Author Comment

by:ICGIT
ID: 34241263
Hi Seth,

All shared folders are on one file server. I was thinking of assigning a group of machines access to a folder but am not sure that is actually possible, as you already are implying. Can a user have certain rights on one workstation which they don't have on others maybe?

thanks,

jt.
0
 
LVL 5

Accepted Solution

by:
Seth_McCauley earned 500 total points
ID: 34248813
No, not that I know of. I did some research and really racked my brain on this, and I do not believe there is a way to set NTFS or share-level permissions that are specific to a computer or group of computers. I can definitely see where this would be useful behavior, however it just doesn't seem to exist. The best I've come up with are a few (somewhat messy) workarounds...

  • Create multiple network accounts for these users. The users would have one account that has access to the share (let's call it the "secure account" for now) and one that does not. You could then restrict the secure account to only logging into specific computers by using Active Directory user account settings to whitelist computers ("Logon To..."), or Group Policy to blacklist computers ("Deny Logon Locally"). Group Policy will be more convenient, because the AD method will require an up-to-date list of computer names and GP will just be applied to specific OUs.
  • Use something other than Windows file sharing. For example, you could set up an FTP/SFTP share for this sensitive data, then restrict FTP access to a specific IP range. 3rd party FTP software might even let you specify IP range restrictions for each share.
  • Build separate file servers for any data that can't leave a department. This server could be accessed by specific domain users, but only on the computers in that department. All other workstations would then be blocked in the Windows firewall on that server. In order to create that firewall rule, these computers would ideally be on a different subnet than the other workstations. However, given the confidentiality concerns with this data, putting these computers on a separate subnet would be a good idea regardless.
I know these are the solutions you were hoping for, but this at least gives you some alternatives to not restricting by computer at all.
0
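
The subnet-scoped firewall and "Logon To..." workarounds from the accepted answer, written out in PowerShell as an added example that is not part of the original thread. The subnet, account name and workstation names are placeholders, the display group name is the English one, and the NetSecurity cmdlets assume Windows Server 2012 or later.

```powershell
# Added example: all names and addresses below are placeholders.

# --- Part 1: on the dedicated file server, from an elevated prompt ---
$DeptSubnet = '10.20.30.0/24'   # assumed subnet of the department workstations

# Windows Firewall admits a connection if ANY enabled allow rule matches, so
# adding a second, narrower allow rule restricts nothing. Instead, narrow the
# remote-address scope of the inbound file-sharing rules that already exist.
$group = 'File and Printer Sharing'   # display group name is locale-dependent
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Set-NetFirewallRule -RemoteAddress $DeptSubnet

# The scoping only blocks other workstations if unmatched inbound traffic is
# dropped, so confirm each profile is enabled with a default inbound Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# Read the rules back and show the remote scope now in effect for each one.
Get-NetFirewallRule -DisplayGroup $group |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

# --- Part 2: on a management host with the RSAT ActiveDirectory module ---
Import-Module ActiveDirectory

$SecureAccount = 'jdoe-secure'          # hypothetical "secure account"
$AllowedHosts  = 'FIN-WS01,FIN-WS02'    # hypothetical computer names

# Equivalent to the "Logon To..." button on the account's properties page:
# the account can only log on to the listed computers.
Set-ADUser -Identity $SecureAccount -LogonWorkstations $AllowedHosts

# Read the restriction back to confirm what was stored.
Get-ADUser -Identity $SecureAccount -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Part 1 narrows every enabled inbound rule in the group, so run it only on the server dedicated to the restricted shares, and re-check the scope after enabling any further rule in that group.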
 
LVL 5

Expert Comment

by:Seth_McCauley
ID: 34251412
Glad I could help!
0
 

Author Comment

by:ICGIT
ID: 34251895
Thanks Bro. I'm going with the exclusive workstations on a different subnet.
0


Question has a verified solution.
