Require connecting systems to be Domain Computers



Kevin3DR
07-09-2005, 11:53 PM
Does anyone know how to prohibit computers from connecting to a
Windows 2003 Server share unless the system they are connecting from
is a member of the domain?

I have a few "power users" and developers who keep removing their systems
from the domain, and just connecting to the server by browsing and
using their domain credentials. These users need to be able to add
computers to the domain, as they reinstall Windows often to test stuff
on clean machines.

If I don't allow them to connect to the file server unless their
system is a part of the domain, that will solve the problem.

I feel that this should be such an obvious thing to do, but I have yet
to see any information on how to do this.

Kevin

Steven L Umbach
07-09-2005, 11:53 PM
If you have an ipsec require policy on the server and use the default
kerberos computer authentication for the ipsec SA then the computer must be
a domain member to connect to the server. There are a couple of things to
keep in mind. In such case the server must not be a domain controller, the
ipsec require policy will need to exempt all domain controllers with a rule
that has a permit filter action for all traffic and the domain controllers
listed in a filter by their static IP addresses, and any domain client that
needs to connect to that server will need to be ipsec capable and be using
at least the ipsec respond/client policy. Ipsec policies should be
thoroughly tested out, preferably on a test domain or at least a test OU,
before implementing. You can use AH, ESP, or null encryption ESP if you do
not want the overhead of encryption. The links below may help. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 ---
applies to Windows 2003 also

"Kevin3DR" <dont.spam@me.com> wrote in message
news:un7ja1hqsj54rvpnndfr1v1hjijo1e3o4o@4ax.com...
> Does anyone know how to prohibit computers from connecting to a
> Windows 2003 Server share unless the system they are connecting from
> is a member of the domain?
>
> I have a few "power users" and developers who keep removing their systems
> from the domain, and just connecting to the server by browsing and
> using their domain credentials. These users need to be able to add
> computers to the domain, as they reinstall Windows often to test stuff
> on clean machines.
>
> If I don't allow them to connect to the file server unless their
> system is a part of the domain, that will solve the problem.
>
> I feel that this should be such an obvious thing to do, but I have yet
> to see any information on how to do this.
>
> Kevin
>
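The policy Steve describes, written out as `netsh ipsec static` commands for the Windows Server 2003 file server. This is an added example, not something from the original thread: the policy, filter list and rule names are made up, and the domain controller addresses are placeholders that must be replaced with the real static IPs. The "require" rule authenticates with Kerberos, which uses the computer account, so a machine that has been dropped out of the domain has no account to authenticate with and never gets an SA, whatever user credentials it presents over SMB.

```batch
@echo off
rem Added example: build Steve's "require, exempt the DCs" policy on the file server.
rem Assumed names: "Require Domain Members", "All Traffic", "Domain Controllers",
rem "Require Security", "Permit DCs". 192.0.2.10 and 192.0.2.11 are placeholder DC IPs.

rem 1. The policy itself; default-response rule off, not assigned until tested.
netsh ipsec static add policy name="Require Domain Members" ^
  description="Only domain member computers may talk to this server" ^
  activatedefaultrule=no assign=no

rem 2. Filter list matching everything to or from this server (mirrored).
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" ^
  srcaddr=me dstaddr=any protocol=any mirrored=yes

rem 3. Filter list for the domain controllers, by static IP (one filter per DC).
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" ^
  srcaddr=me dstaddr=192.0.2.10 protocol=any mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" ^
  srcaddr=me dstaddr=192.0.2.11 protocol=any mirrored=yes

rem 4. Filter actions: a hard "require" (no inbound passthrough, no fallback to
rem    clear) using null-encryption ESP with SHA1 integrity, and a plain permit.
netsh ipsec static add filteraction name="Require Security" ^
  action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Permit DCs" action=permit

rem 5. Rules: exempt the DCs (a permit rule wins over negotiate for those hosts),
rem    then require Kerberos-authenticated IPsec from everyone else.
netsh ipsec static add rule name="Exempt Domain Controllers" ^
  policy="Require Domain Members" filterlist="Domain Controllers" ^
  filteraction="Permit DCs"
netsh ipsec static add rule name="Require IPsec from clients" ^
  policy="Require Domain Members" filterlist="All Traffic" ^
  filteraction="Require Security" kerberos=yes

rem 6. Review, then assign only once tested in a test OU.
netsh ipsec static show policy name="Require Domain Members" level=verbose
rem netsh ipsec static set policy name="Require Domain Members" assign=yes

rem On the domain clients the built-in "Client (Respond Only)" policy (or a
rem stricter one) must be assigned, normally through Group Policy, e.g.:
rem netsh ipsec static set policy name="Client (Respond Only)" assign=yes
```

Because the DC exemption is keyed on IP address only, traffic to those addresses is not protected by this policy; keep the list to the DCs' real static addresses and use `netsh ipsec dynamic show all` or the IP Security Monitor snap-in to confirm that SAs are actually being established with Kerberos before assigning the policy in production.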

Kevin3DR
07-09-2005, 11:53 PM
Yeah, it looks like that will work. Thank you again for your
assistance.

I was hoping that it would be a little easier, like a local policy or
something in which I include the group Domain Computers.

Oh well.



On Fri, 10 Jun 2005 09:58:18 -0500, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>If you have an ipsec require policy on the server and use the default
>kerberos computer authentication for the ipsec SA then the computer must be
>a domain member to connect to the server. There are a couple of things to
>keep in mind. In such case the server must not be a domain controller, the
>ipsec require policy will need to exempt all domain controllers with a rule
>that has a permit filter action for all traffic and the domain controllers
>listed in a filter by their static IP addresses, and any domain client that
>needs to connect to that server will need to be ipsec capable and be using
>at least the ipsec respond/client policy. Ipsec policies should be
>thoroughly tested out, preferably on a test domain or at least a test OU,
>before implementing. You can use AH, ESP, or null encryption ESP if you do
>not want the overhead of encryption. The links below may help. --- Steve
>
>http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 ---
>applies to Windows 2003 also
>
>"Kevin3DR" <dont.spam@me.com> wrote in message
>news:un7ja1hqsj54rvpnndfr1v1hjijo1e3o4o@4ax.com...
>> Does anyone know how to prohibit computers from connecting to a
>> Windows 2003 Server share unless the system they are connecting from
>> is a member of the domain?
>>
>> I have a few "power users" and developers who keep removing their systems
>> from the domain, and just connecting to the server by browsing and
>> using their domain credentials. These users need to be able to add
>> computers to the domain, as they reinstall Windows often to test stuff
>> on clean machines.
>>
>> If I don't allow them to connect to the file server unless their
>> system is a part of the domain, that will solve the problem.
>>
>> I feel that this should be such an obvious thing to do, but I have yet
>> to see any information on how to do this.
>>
>> Kevin
>>
>