Windows: How can I grant permission to a windows share to users logged on only to a particular workstation?

I have an Active Directory Windows domain with many users and many workstations.  I would like to create a share on a server that is accessible only to a particular group of users, and only when they are logged on to a particular workstation.

That is, I want user Alice to be able to access the files on the share (which is, let's say, located at \\MyServer\MyData) but only if Alice is logged on to workstation \\MyWorkstation.  If Alice is logged in anywhere else, I do not want her to have access.  (A use case would be a server share that we want accessible only from a particular workstation in a secure location that is regularly audited for malware.)

Is there any way to do this, even if convoluted?  We can arrange to have the server running Windows 2008 R2 or Server 2012.
jwmanlyAsked:
awawadaCommented:
I would create a new organizational unit (OU) and add all the workstations that need access to \\MyServer\MyData. Create the share with a trailing $ so that it is hidden.
Now you can create a new Group Policy Object (GPO) to map that share. Afterwards, link that GPO to the OU.
jwmanlyAuthor Commented:
Thanks, but that only protects the share by hiding it.  Anyone who knows about it would be able to map it explicitly by just using "\\MyServer\MyData$".  What I'm looking for is a permission model that will prevent access by other users or by authorized users from unauthorized workstations.  It's the "from unauthorized workstations" part that makes this hard.
CaptainMidnightCommented:
After reviewing your requirements, my first thought is that you will need to include Group Policy Computer and User Security settings, in combination with AD Workstation and User Groups, and NTFS permissions on the server share.

Unfortunately, I'm not at work at this hour and I can't test and recommend specific settings. But I don't think you can do this with AD Groups alone. I'm pretty sure that Group Policy is your 'missing link'.
jwmanlyAuthor Commented:
After no further followup, and doing some additional research myself, it does not appear that it is possible to do what I want in terms of controlling access to a share by a user but only when the user is logged in to a particular workstation.  It is just not something supported by the Windows permission model.

jwmanlyAuthor Commented:
It does not appear possible to do this.
akbCommented:
I just had a thought about this.
You could set up another user on the domain (say Jim) and give that user access to the share.
Then log in to Alice's account on \\MyWorkstation.
Then browse to \\MyServer\MyData and when (if) it asks for credentials, supply Jim's credentials and tick the Remember tick box.
If it doesn't ask for credentials you may be able to map the share and tick "Connect using different credentials".
I haven't tried it but it may work.
akbCommented:
And another thought... (which I just tried - and it seems to work):
Open a cmd prompt on \\MyWorkstation.
Instead of mapping \\MyServer\MyData, map using the IP address instead.
e.g. net use Z: "\\192.168.1.123\MyData" /user:jim /savecred /persistent:yes

The reason for using the IP address is that you can only use one user's credentials to connect to a server. If you are already connecting with Alice then it won't let you use Jim. You can trick it into thinking it is a different server by using the IP address instead. You did say "even if convoluted".

By using /savecred and /persistent:yes it will automatically connect next time Alice is logged in so there is no need to share the password with Alice.
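The IP-alias trick above, written out as a checkable procedure. This is an added example by the editor, not code from akb's comment: it first lists which credential Windows is already using towards MyServer (SMB keeps one set of credentials per server name, which is why the IP counts as a second "server"), maps the share by IP under a second account, then confirms that two connections to the same host now exist under different users. The address 192.168.1.123 and the domain name CONTOSO are placeholders. One caveat worth knowing: /savecred stores Jim's password in Alice's Credential Manager on that workstation, so anyone who can run code in Alice's session there can use it; the access is bound to Alice's profile on that machine rather than to the machine itself.

```powershell
# Added example (editor's, not akb's): map \\MyServer\MyData a second time, by IP,
# as a different account than the logged-on user, then verify both sessions.
$Server   = 'MyServer'
$ServerIP = '192.168.1.123'     # assumption: MyServer's address
$Share    = 'MyData'
$AltUser  = 'CONTOSO\jim'       # assumption: domain NetBIOS name is CONTOSO
$Drive    = 'Z:'

function Show-Connections {
    # One line per SMB connection to the target host, by name or by IP.
    Get-SmbConnection |
        Where-Object { $_.ServerName -in @($Server, $ServerIP) } |
        Format-Table ServerName, ShareName, UserName, Credential -AutoSize
}

# 1. Before: typically one connection to MyServer, credential = the logged-on user (Alice).
Show-Connections

# 2. Map by IP. /savecred prompts once for jim's password and stores it in the
#    current user's Credential Manager (DPAPI, keyed to Alice's logon secret) so the
#    drive reconnects at Alice's next logon without her knowing the password.
net use $Drive "\\$ServerIP\$Share" /user:$AltUser /savecred /persistent:yes

# 3. After: two connections to the same host, one as Alice via the hostname and one
#    as jim via the IP. The saved secret is visible here as a target entry:
cmdkey.exe /list
Show-Connections
```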
jwmanlyAuthor Commented:
Thanks for the suggestion.  That might work sufficiently well for the particular need we have.
CaptainMidnightCommented:
Here's the simple five-step solution I was contemplating. Technically, it adheres to the Microsoft permission model:

1) Create a security group called 'Allow Users MyData' that contains Alice and her friends.
2) Create a security group called 'Deny Computers MyData' that contains all workstations except \\MyWorkstation.
3) Remove 'Everyone' and add the groups 'Allow Users MyData' and 'Deny Computers MyData' to the NTFS security permissions of \\MyServer\MyData.
4) Set 'Allow Users MyData' permissions to 'This folder, subfolders, and files'.
5) Set 'Deny Computers MyData' to Deny access to 'This folder, Subfolders, and files'.

Follow the usual good practices of not permitting 'Allow Users MyData' 'Full Control' to take ownership and/or change permissions of MyData or its contents and break your security.

This works "because Computers are also actual principals like Users". (Ref TechNet: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5ce27d9f-54ed-4a29-bf9b-d9e1dd052a6e/file-sharing-restrict-share-access-based-on-computer-account-not-user-account?forum=winserverfiles)

I originally thought of leveraging Group Policy because of its ability to use a 'Select' filter to programmatically (dynamically) select all workstations except \\MyWorkstation in an effort to simplify maintenance of 'Deny Computers MyData', but I wasn't able to find a sane way to associate a Group Policy with permissions of shared folders.

Please let us know if and how you eventually solve the problem. If you do, add 'SOLVED!' to the thread title, as it may be the only Google-ably accurate answer to this dilemma.

Cheers!
akbCommented:
CaptainMidnight's solution may work but you would need to remember to add any new PC to the exclusion group.
CaptainMidnightCommented:
No doubt about it. That's why I thought about Group Policy's ability to dynamically (not) select objects with WMI. I just couldn't come up with something GP could do that would indirectly control access to a server's NTFS permissions or share.

The other thing that's a caution flag with my method is using Deny permissions - they supersede Allows and can quickly get admins in trouble if not thought out thoroughly.

But as we acknowledged, the OP asked for "any way to do this, even if convoluted"...
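The five steps from CaptainMidnight's comment, scripted, plus the piece akb and CaptainMidnight agree is missing: keeping 'Deny Computers MyData' equal to "every computer except MyWorkstation" so that new PCs are covered without anyone remembering to add them. This is an added example by the editor, not the thread's own code. It uses the ActiveDirectory module and the .NET FileSystemAccessRule type; the local path D:\Shares\MyData, the OU for the groups, the domain name and the user list are assumptions. Two checks a practitioner should make before trusting it: the groups get Modify rather than Full Control (so members cannot take ownership or rewrite the ACL, as step 5's caution says), and the Deny entry only bites when the computer account's SID is present in the token the file server builds for the connection. A user's own SMB session is authorised from the user's ticket, so test as Alice from \\MyWorkstation and from a second PC and confirm the second is refused; Windows Server 2012's Dynamic Access Control (device claims with Windows 8 or later clients) is the supported way to put the device into that token if it is not.

```powershell
# Added example (editor's, not CaptainMidnight's): steps 1-5 with the deny group
# kept in sync. Run on MyServer (or a management host) with rights to create
# groups and to write the ACL. Re-run on a schedule to pick up new computers.
Import-Module ActiveDirectory

$DataPath    = 'D:\Shares\MyData'             # assumption: local folder behind \\MyServer\MyData
$AllowGroup  = 'Allow Users MyData'
$DenyGroup   = 'Deny Computers MyData'
$Workstation = 'MyWorkstation'
$GroupOU     = 'OU=Groups,DC=contoso,DC=com'  # assumption
$Users       = @('alice')                      # assumption: Alice "and her friends"

# Steps 1-2: create both groups if they do not exist yet.
foreach ($g in @($AllowGroup, $DenyGroup)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# Step 1: users. Add-ADGroupMember errors on an existing member, so add only new ones.
$have = @(Get-ADGroupMember -Identity $AllowGroup).SamAccountName
$new  = $Users | Where-Object { $_ -notin $have }
if ($new) { Add-ADGroupMember -Identity $AllowGroup -Members $new }

# Step 2, kept current: deny group = all enabled computer accounts except MyWorkstation.
# Computes the difference so the script is idempotent and also removes retired machines.
$wanted  = @(Get-ADComputer -Filter 'Enabled -eq $true' |
             Where-Object { $_.Name -ne $Workstation })
$current = @(Get-ADGroupMember -Identity $DenyGroup |
             Where-Object { $_.objectClass -eq 'computer' })
$toAdd    = @($wanted  | Where-Object { $_.SID.Value -notin @($current.SID.Value) })
$toRemove = @($current | Where-Object { $_.SID.Value -notin @($wanted.SID.Value) })
if ($toAdd)    { Add-ADGroupMember    -Identity $DenyGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $DenyGroup -Members $toRemove -Confirm:$false }

# Steps 3-5: replace the inherited ACL with explicit entries on "this folder,
# subfolders and files" (ContainerInherit + ObjectInherit, no propagation flags).
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$domain  = (Get-ADDomain).NetBIOSName

function New-Ace($identity, $rights, $type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, 'None', $type)
}

$acl = Get-Acl -Path $DataPath
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting; drop inherited ACEs
foreach ($ace in @($acl.Access)) {                   # drop 'Everyone' and any other explicit ACE
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}
$acl.AddAccessRule((New-Ace "$domain\$AllowGroup" 'Modify'      'Allow'))   # step 4: no Full Control
$acl.AddAccessRule((New-Ace "$domain\$DenyGroup"  'FullControl' 'Deny'))    # step 5
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow')) # keep admins able to manage
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))
Set-Acl -Path $DataPath -AclObject $acl

# Check the result, then test as Alice from MyWorkstation and from another PC.
(Get-Acl -Path $DataPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Deny entries are evaluated before Allow entries in the same ACL, which is what step 5 relies on and also why CaptainMidnight flags them as a caution: a computer that lands in 'Deny Computers MyData' by mistake loses access regardless of any Allow it also matches, so keep the sync logic's exclusion list (here only $Workstation) under change control.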
CaptainMidnightCommented:
@jwmanly Two tested solutions were offered.
Please let us know if or how you solved this problem.
jwmanlyAuthor Commented:
Um, OK.  So since back on 12/17/15 I accepted my own comment (saying this couldn't be done since I hadn't heard anything viable for two months), I no longer have any buttons on this question that I can find to accept any further comment as a solution.  So while both your and akb's suggestions seem reasonable (given my "I don't care about complexity" caveat) I don't see how to give either of you credit other than flagging your comments as "Good Comments".

As far as the actual problem itself is concerned, in the two months after I asked it when it looked like it couldn't be done, we've moved on to other projects.  So for now I'm just keeping your suggestions in my back pocket for when the need arises again.
akbCommented:
I'm just happy to help. Don't really care about the points.
CaptainMidnightCommented:
Same here.

When I Googled this subject, I was surprised to find so many flat out statements that this can't be done at all. At least we've demonstrated that it's possible.
jwmanlyAuthor Commented:
Yes, please reopen.  Thank you.  Credit should go where it's due.