Solved

How to present two different home directories when one AD account accesses two different servers?

Posted on 2014-03-20
Last Modified: 2014-03-30
Hi People,

I'd like to know if it is possible for me to do something with Group Policy or a Citrix XenDesktop feature so that:

1. When my user account logs on to Windows 7 VM-A, I can access my home directories and the normal company file server.

2. When my user account logs on to Windows 7 VM-B, I can access my other secure home directories and the secure company file server, without any access to the folders or home directories presented to VM-A.

The file server is Windows Server 2012 R2 Standard Edition:

LUN1 is for the normal home drive and file server.
LUN2 is for the secure home drive and secure file server.

All of the VMs published by Citrix to the users are Windows 7.

How can I achieve that?


Thanks
10 Comments
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 200 total points
ID: 39942171
How can I achieve that?

By using two different user accounts.  Why don't you do that?  Or alternatively, why don't you set it up so that you can access the directories and file server from both VMs?
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 39942187
Hi Blue,

No, I'd like to simplify the access to just one AD account, without too much confusion for the users.

The file server in LUN1 can only be accessed by VM type 1, and the secure file server in LUN2 can only be accessed by VM type 2.

This is due to the security requirements of PCI DSS for the credit card processing environment.
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 300 total points
ID: 39942215
You can give GP Preferences a try.
You need to create one GPO and two home drives (1 for the A workstations and 1 for the B workstations) for users in GP Preferences.
In the properties of the preference item, go to the Common tab and set item-level targeting, filtering on specific criteria so that the GPO can tell the difference between the two types of workstation (maybe network subnets).
Once you are done setting up the GPO, apply it to the OU containing the computers and enable loopback processing in the same GPO, so that no matter who logs on to the computer, he will get the appropriate home drive based on the condition specified.
Loopback processing can be found under Computer Configuration\Administrative Templates\System\Group Policy.
Enable Group Policy loopback processing in Replace mode. This is an important step.

Check below post to work with GP Preferences and item level targeting

http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/
http://nexus.realtimepublishers.com/content/?tip=creating-targeting-and-applying-group-policy-preferences

Mahesh
 
LVL 14

Assisted Solution

by:BlueCompute
BlueCompute earned 200 total points
ID: 39942230
OK, in that case I don't think you can do this with the 'Home Directories' feature.  You should be able to achieve the same result by using Group Policy Preferences to map drives, with item-level targeting to map different drives depending on which computer they are logged onto.

Item Level Targeting - this will allow you to apply drive maps based on a number of parameters, such as the computer name, OU, OS level etc:
http://technet.microsoft.com/en-us/library/cc733022.aspx

Mapping Drives using Group Policy Preferences:
http://technet.microsoft.com/en-us/library/cc770902.aspx
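The GPO-side steps that Mahesh and BlueCompute describe (create the GPO, link it to the OU holding the VMs, switch on loopback processing in Replace mode) can be scripted with the GroupPolicy module on a Windows Server 2012 R2 domain controller or an RSAT workstation. The script below is an added example, not code from either answer; the GPO name, the OU distinguished name and the domain are placeholders. The two GPP Drive Map items with item-level targeting have no cmdlet and are still created in the GPMC editor, so the script ends by exporting a report to confirm what the GPO contains.

```powershell
# Added example (not from the thread): scripts the GPO creation, loopback setting
# and OU link from the answers above. Placeholder values: GPO name, OU DN, domain.
Import-Module GroupPolicy

$gpoName  = 'VDI - Home Drive by Workstation Type'      # placeholder GPO name
$targetOu = 'OU=XenDesktop VMs,DC=corp,DC=example'      # placeholder OU that holds the Win7 VMs

# 1. Create the GPO, or reuse it if it already exists (idempotent re-runs).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Maps H: to the standard or secure home share; loopback replace'
}

# 2. Loopback processing in Replace mode, the step Mahesh flags as important.
#    Computer Configuration\Administrative Templates\System\Group Policy\
#    "Configure user Group Policy loopback processing mode" is registry-backed:
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Link the GPO to the OU containing the computers (not the users), as the answers describe.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 4. The two Drive Map items (User Configuration\Preferences\Windows Settings\Drive Maps),
#    each with item-level targeting on the Common tab (for example Computer Name or
#    IP Address Range), are added in the GPMC editor. Export a report to review the result.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

After the drive maps are in place, run `gpupdate /force` on one VM of each type and check `gpresult /r` for the computer-side GPO and the resulting H: mapping; with loopback in Replace mode the user-side Drive Map items apply only on computers under that OU.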
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39942593
It should also work with a login script, something like...

rem Map F: to the LUN that matches this VM's NetBIOS name; the values are quoted
rem so an empty variable cannot break the comparison, and /i ignores case.
if /i "%COMPUTERNAME%"=="VM-A" net use F: \\server\LUN1
if /i "%COMPUTERNAME%"=="VM-B" net use F: \\server\LUN2
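Seth's batch script keys the mapping to one exact computer name. Because the thread concerns many users on many VMs, a logon script is more useful when it matches a naming pattern per VM class instead. The following is an added example, not Seth's script or anything from the thread: a PowerShell logon script that selects the home share from a computer-name pattern. The SEC-/STD- prefixes, server names and share paths are assumed placeholders, and the script deliberately maps nothing on a VM whose name fits neither pattern rather than guessing.

```powershell
# Added example (not from the thread): logon script that maps H: by computer-name pattern.
# Placeholders: SEC-*/STD-* naming convention, server names "securefs" and "fs", share paths.
# Written for PowerShell 2.0 (Windows 7 default), hence net use rather than New-PSDrive -Persist.

function Get-HomeShareForComputer {
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        [Parameter(Mandatory=$true)] [string] $UserName
    )
    # Name-pattern targeting: secure (PCI) VMs are named SEC-<n>, standard VMs STD-<n>.
    switch -Regex ($ComputerName) {
        '^SEC-\d+$' { return "\\securefs\home\$UserName" }   # secure home share (LUN2), placeholder
        '^STD-\d+$' { return "\\fs\home\$UserName" }         # standard home share (LUN1), placeholder
        default     { return $null }                         # unknown VM class: map nothing
    }
}

$share = Get-HomeShareForComputer -ComputerName $env:COMPUTERNAME -UserName $env:USERNAME
if (-not $share) {
    Write-Warning "No home drive mapping is defined for $env:COMPUTERNAME; nothing mapped."
    exit 1
}

# Drop a stale H: left from an earlier session, then map the selected share non-persistently
# so a roaming profile cannot carry the other class's mapping onto this VM.
if (Test-Path -LiteralPath 'H:\') { & net use H: /delete /y | Out-Null }
& net use H: $share /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Mapping H: to $share failed (net use exit code $LASTEXITCODE)."
}
```

Like the batch version, this only decides which share gets mapped; it does nothing to stop the same account reaching the other share by UNC path, which is the separate question the thread goes on to discuss.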
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 39943624
Seth,

With the login script above, can it be customized to recognize a VM name pattern?
Because this will be used for multiple user accounts on multiple VMs, not one user with two VMs.

Thanks for the reply. Is there any way to prevent users from accessing the opposite LUN using a UNC path?
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 300 total points
ID: 39944571
If you have the standard and secure workstations (VMs) in different network segments, you can use GP Preferences based on network segment.

If the same user is accessing two UNC paths from two different machines, then you can't restrict him from accessing the shared paths (opposite LUN) with Active Directory permissions \ NTFS permissions,
because ultimately the user SID remains the same on both shares and he can access the share if he wants to.... You may assign two user accounts per physical user and restrict each user to log on to the appropriate workstations only, through the user's AD properties \ Account tab.

Another workaround is to restrict the TCP 445 (SMB) port from each VM to the opposite LUN share.

I am not aware how your network architecture is designed; if a hardware network firewall exists between the LUNs and the workstations, then this is possible.

OR

If you have centrally managed antivirus software like Symantec or McAfee, you can achieve this through AV rules.

OR

If you have the LUNs mapped on Windows-based servers, you can enable Windows Firewall and block the opposite workstations' access to the shares.

Mahesh
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39945354
Use two accounts, I tells ya.  It's a much more secure approach anyway, and what you are trying to achieve is likely to be a big fat mess.

All Mahesh's comments are valid ways of doing this, but I don't think that what you are attempting to configure is an elegant solution.
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 39946612
Blue,

I do have 2x different accounts for IT administration purposes, as recommended by PCI DSS v2.0 (soon to be 3.0); it is extra management effort managing those accounts. However, for the end users I'd like to give them simplicity by not having to use 2x different user names.
 
LVL 35

Accepted Solution

by:
Mahesh earned 300 total points
ID: 39947152
The best way to tackle this situation:

Create a new GPO with multiple home drives through GP Preferences for all users.
This will be achieved via \\server1\home\%logonuser% and \\server2\home\%logonuser%.
Further, you need to restrict TCP 445 from the workstations to the opposite shared folders \ LUN.

Once you do that, try separating the computers with item-level targeting. If this is not possible, you still get the required result, because since the network ports are blocked from the workstations to the opposite shared folder \ LUNs, the opposite mapped home drives will not work due to the port restrictions.

Please note that you cannot achieve what you want out of the box; you must use some other infra resources to make this work.
 
Hope that helps

Mahesh
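The TCP 445 restriction that Mahesh proposes in his earlier comment and in the accepted answer is the part that actually stops the single account reaching the other LUN by UNC path. When each share is served by its own Windows Server 2012 R2 host (server1 and server2 in the answer), it can be done with the Windows Firewall cmdlets on the file servers themselves. The script below is an added example, not Mahesh's code or anything from the thread; the subnets, server names and rule names are placeholders. One caveat the answer implies but does not spell out: SMB serves every share on the same port, so a port-level block only separates the LUNs if they are presented by different hosts (or host addresses), not two shares on one server.

```powershell
# Added example (not from the thread): per-server Windows Firewall rules that refuse SMB
# from the other workstation class, implementing the TCP 445 restriction of the answer.
# Placeholders: the two VM subnets, the server names server1/server2, the rule names.
Import-Module NetSecurity

function Add-SmbSegmentationRule {
    param(
        [Parameter(Mandatory=$true)] [string]   $Name,            # rule display name
        [Parameter(Mandatory=$true)] [string[]] $BlockedSubnets   # CIDR ranges to refuse
    )
    # Block rules take precedence over allow rules in Windows Firewall, so the built-in
    # "File and Printer Sharing (SMB-In)" allow rule can stay as it is.
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress $BlockedSubnets -Action Block -Enabled True `
            -Description 'PCI DSS segmentation: refuse SMB from the other workstation class' | Out-Null
    }
    Get-NetFirewallRule -DisplayName $Name | Select-Object DisplayName, Enabled, Action
}

$standardVmSubnet = '10.10.1.0/24'   # placeholder: segment of the standard Windows 7 VMs
$secureVmSubnet   = '10.10.2.0/24'   # placeholder: segment of the secure (PCI) Windows 7 VMs

# Run on server2 (secure home share, LUN2): refuse SMB from the standard VM segment.
Add-SmbSegmentationRule -Name 'Block SMB from standard VMs' -BlockedSubnets $standardVmSubnet

# Run on server1 (standard home share, LUN1) instead: the mirror rule for the secure segment.
# Add-SmbSegmentationRule -Name 'Block SMB from secure VMs' -BlockedSubnets $secureVmSubnet

# Verification from a Windows 8.1 / Server 2012 R2 host in the wrong segment:
# TcpTestSucceeded should be False for the blocked server.
Test-NetConnection -ComputerName server2 -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

On the Windows 7 VMs themselves, which lack Test-NetConnection, the equivalent check is simply `net use \\server2\home\%USERNAME%` from a standard VM, which should fail once the rule is in place; the mapped drive for the opposite class fails the same way, which is the behaviour the accepted answer relies on even when item-level targeting is not possible.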
