
Restricting files from certain computers


GOSCO

Technical User
Sep 26, 2000
134
GB
I'm trying to prevent certain machines from accessing shared files or folders.

I have a machine called laptop which is joined to the domain contoso.com.

On the domain controller I have a shared folder called dell and I have removed all permissions other than the computer object "laptop". Why is access to this shared folder denied?

My understanding is that computers are considered the same as users to Windows 2003. If I add domain users to the folder then I can access it no problem.

Can anyone shed any light???

 
Access to shares is done at the user level.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Oh. Does that apply to all folders whether shared or not?
 
Well, if a folder isn't shared, then obviously no, it doesn't apply to that folder.

Or perhaps I'm not understanding your issue. I read it that you're trying to limit a share to be accessible from a specific computer and not from a specific user or users. Shares are set up based upon the users, not based upon the computers.

Unless I missed something along the way.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
I was reading the extract below from the 70-290 training kit and was just trying to replicate the scenario without success. When you said access to shares is on the user level, that made sense, as that is what seems to happen!


New Security Principals
Windows Server 2003, unlike Windows NT 4, allows you to add computers or groups of computers to an ACL, thereby adding flexibility to control resource access based on the client computer, regardless of the user who attempts access. For example, you might want to provide a public computer in the employee lounge but prevent a manager from exposing sensitive data during his or her lunch break. By adding the computer to ACLs and denying access permission, the manager who can access sensitive data from his or her desktop is prevented from accessing it from the lounge.
 
Well, hadn't run into that yet.

From what you've posted, you need to put the computer that you don't want anyone to be able to access a share from into the ACL and set it to Deny. Deny overrides any other allows.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
OK, I have tried that as well.

On the machine 'server01' I create a folder called 'DELL'. I change the permissions on this folder to deny access from object 'server01'. I get the warnings about deny permissions overriding allow etc. But still I can access this folder from 'server01'.

It does seem that user permissions override the deny permissions of the computer object!




 
Try denying "workstation1" and then trying to access it from "workstation1". You might have an issue since you're trying to deny the host system.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
You can access it because you're accessing it with the user credentials.

Machine credentials are important for things like GPO based installations that happen at boot. The machine needs access to those because it's installing before a user logs on.

Pat Richard
Microsoft Exchange MVP
 
"You can access it because you're accessing it with the user credentials."

I shouldn't be because as Davetoo mentioned deny overrides any other allows.

"Machine credentials are important for things like GPO based installations that happen at boot"

On what basis do you say that? Take a look at the Microsoft training example I posted.
 
The whole machine as a user aspect is one I haven't had time to play with in my test environment yet. But, according to what you posted, it should prevent it...but that's why I want you to test it from machine to machine instead of on the host.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Hi Davetoo, I did as you said and it does exactly the same on an XP machine.

Have you seen the "Effective permission" tab in the Advanced tab? If you are familiar with this, when I put the computer name in, it does indicate that the folder should NOT be accessible???

I'm wondering if it's got something to do with the fact that I have an Eval copy of 2003?

 
>>Have you seen the "Effective permission" Tab in the
>>advanced Tab. If you are familiar with this when I put
>>the computer name in it does indicate that the folder
>>should NOT be accessible???

This is correct because you are putting the computer name there, hence it will show you that the computer will not have access to that share.

>>I'm wondering if it's got something to do with the fact that I have an Eval copy of 2003?

Simple answer: No. The functionality is the same in the eval and full versions.

As stated before, you are accessing the share using the user's credentials, that's why you can access it.

To demonstrate the Microsoft example above, try creating a startup script that maps a drive letter to that share, then attempt accessing it. I bet you won't be able to, because that mapped drive will be using the computer's creds.

Lukasz
MCSE 2K3, Microsoft SME:DFS/FRS/DFSR
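
The distinction the replies draw between user credentials and computer credentials, as an added example that is not part of any post in this thread: a simplified Python model of how a DACL is evaluated against the SIDs in the caller's access token. The SIDs, token contents and both ACLs are constructed for illustration; real tokens also carry well-known groups such as Everyone and Authenticated Users, which are omitted here.

```python
# Simplified model of a Windows DACL access check (added illustration).
# All SIDs and ACLs below are constructed placeholders, not real values.
from dataclasses import dataclass

READ = 0x1

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # security principal the ACE applies to
    mask: int   # access rights covered by the ACE

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order; only SIDs present in the caller's token can match."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                  # ACE names a principal the caller is not
        if ace.kind == "deny" and ace.mask & desired:
            return False              # a matching deny ends the check
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & desired == desired:
                return True
    return False                      # nothing granted: implicit deny

USER = "S-1-5-21-EXAMPLE-1105"             # the logged-on domain user
DOMAIN_USERS = "S-1-5-21-EXAMPLE-513"
LAPTOP = "S-1-5-21-EXAMPLE-1110"           # computer account LAPTOP$
DOMAIN_COMPUTERS = "S-1-5-21-EXAMPLE-515"

# Token used when a user sitting at "laptop" opens the share:
# it holds the user's SID and group SIDs, not the computer account's SID.
user_token = {USER, DOMAIN_USERS}
# Token used when the machine itself authenticates, e.g. a startup script
# running as Local System reaches the network as LAPTOP$.
machine_token = {LAPTOP, DOMAIN_COMPUTERS}

only_laptop_allowed = [Ace("allow", LAPTOP, READ)]       # first post's ACL
laptop_denied = [Ace("deny", LAPTOP, READ),              # later attempt
                 Ace("allow", DOMAIN_USERS, READ),
                 Ace("allow", DOMAIN_COMPUTERS, READ)]

def results():
    return {
        "user, allow-laptop-only": access_check(user_token, only_laptop_allowed, READ),
        "machine, allow-laptop-only": access_check(machine_token, only_laptop_allowed, READ),
        "user, deny-laptop": access_check(user_token, laptop_denied, READ),
        "machine, deny-laptop": access_check(machine_token, laptop_denied, READ),
    }

if __name__ == "__main__":
    for case, allowed in results().items():
        print(f"{case}: {'granted' if allowed else 'denied'}")
```

The user-token rows reproduce what the original poster observed (denied when only the computer object is allowed, granted despite the computer deny), while the machine-token rows show where the computer ACEs do take effect.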
 