Can a Computer (so everyone who logs on on that computer) have access rights?

Jan

Hello,

I want a user to have access to a share and a printer only if they are
working on a specific computer.
The user should be able to log on to other computers as well but then they
shouldn't have access to the share and printer.
It's all happening in one domain.

I tried the following but it doesn't work!

I give the computer (machine) print- and access-rights.
I give the user login rights on the computer.
But then the user has no access rights.

Anyone?

Jan
 
Ondrej Sevecek

As far as I know, it is only possible to achieve this through use of IPSec
with computer certificates.

Unfortunately, the combination user-clientcomputer cannot be authenticated
nor denied access.

O.
 
Ondrej Sevecek

More notes:

- the IPSec can also be used as a simple stateful packet filtering firewall
when established without certificates; it can simply filter requests by
source IP addresses or ranges of them.

- or you can use the Windows Firewall to filter out client computers that
are not allowed access.


O.
 
Roger Abell [MVP]

What you are after cannot be done directly and cheaply/simply.
If however you can have a machine that shares out the shares
that should be so restricted, then you can make it so that machine
will only accept connections from the machines on which you do
want users to be able to access the shares.
Then, if you combine this with login local rights on those accessing
machines, logon over network rights on the sharing-out machine,
and with share level and NTFS permissions you will have set up
the sharing scenario you are after. The cost is that the sharing
machine needs to be dedicated, and that if it is only for some users
that they are to be restricted to accessing those shares from only
certain machines (but other users should be able to access from
a larger set of machines) then you will have an involved set of
statements for the allow local login on the machine that can access
the sharing-out server.
As was said, W2k3 firewall, IPsec, or third-party firewall could
be used for the part about controlling what machines the server
that does the sharing will allow.
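
The machine-level restriction described in the replies above (IPsec with computer authentication, or a firewall on the dedicated sharing server), shown as an added example that is not part of any poster's message. It assumes Windows Server 2012 or later rather than the W2k3 of the thread, covers the file share (TCP 445) only, and uses a hypothetical group `CORP\AllowedShareClients` that holds the allowed computer accounts.

```powershell
# Added example: run elevated on the dedicated sharing server.
# Assumes Windows Server 2012+ (NetSecurity module) and domain-joined clients
# that carry a matching IPsec rule requesting authentication (e.g. via GPO).

$groupName = 'CORP\AllowedShareClients'   # hypothetical AD group of computer accounts

# Translate the group to a SID and build the SDDL string that
# -RemoteMachine expects for "authorized computers".
$account = New-Object System.Security.Principal.NTAccount($groupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "D:(A;;CC;;;$sid)"

# 1. Connection security rule: inbound SMB must be IPsec-authenticated.
#    No auth set is named, so the firewall's default authentication settings apply.
New-NetIPsecRule -DisplayName 'Require authentication for inbound SMB' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445

# 2. Firewall rule: allow SMB only when the authenticated remote computer
#    is a member of the group above.
New-NetFirewallRule -DisplayName 'SMB from allowed computers only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -RemoteMachine $sddl

# 3. Disable the built-in rule that allows SMB from any computer, otherwise
#    it still admits everyone. (Display name as on English-language Windows.)
Disable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)'

# Weaker alternative without IPsec: filter by source address only.
# New-NetFirewallRule -DisplayName 'SMB from allowed addresses only' `
#     -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
#     -RemoteAddress 192.0.2.10, 192.0.2.11   # constructed sample addresses
```

These rules only gate which machines can reach the server; which users get in is still decided by the logon rights, share-level and NTFS permissions mentioned above.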
 
JLeste

Jan said:
Hello,

I want a user to have access to a share and a printer only if they are
working on a specific computer.
The user should be able to log on to other computers as well but then they
shouldn't have access to the share and printer.
It's all happening in one domain.

I tried the following but it doesn't work!

I give the computer (machine) print- and access-rights.
I give the user login rights on the computer.
But then the user has no access rights.

Anyone?

Jan

If the computer is part of an AD domain, check out Group Policy loopback
settings (computer side). I can't remember everything you can do with
loopback settings, but I think you may be able to do what you're trying
to do. (Not sure)
 
Roger Abell [MVP]

JLeste said:
If the computer is part of an AD domain, check out Group Policy loopback
settings (computer side). I can't remember everything you can do with
loopback settings, but I think you may be able to do what you're trying to
do. (Not sure)

I do not believe loopback processing could offer a solution here.
What the poster is after is to control access on / to the remote resource
based ONLY on the originating system. I do not see what setting in
group policy could effect this, whether a setting of the user or of the
computer branch of policies. Loopback processing allows application
of user branch policies based on what machine is used - which does
sound close to what is needed. However, there is no policy that
controls the access which is checked and gated at the remote system,
except perhaps changing the group memberships of the account (but
what then happens when the account is simultaneously logged in at
multiple machines?).
 
