1

The Environment: One AD domain that is not managed by local admins (can’t edit, can’t add GPO, etc.) Users have accounts here. Call this AD alpha This AD Alpha has a trust to a local AD domain (Call this one Zeta) that local admins administer. Contains computer accounts. Has accessible network shares

Goal: Set permissions on AD Zeta’s network shared folders using AD Alpha’s user accounts and AD Zeta computer accounts for folder access.

Reason: To make sure that when a users using credentials from Alpha accesses a share on Zeta, they can only do so if they are also accessing that share from a machine they would normally use during working hours.

Example: User A logged in with computer A = grant access User A logged in with computer B= no access

User B logged in with computer B = grant access User B logged in with computer A= no access

Improve this question
2
  • This is a really interesting challenge! Few questions: DFL/FFL? What OS version are your DCs? Do these shares already exist? If so what OS and version are your file servers? Does it have to be native Windows only technology? (e.g. could you use a custom engineered SAMBA implementation?) Commented Jan 25, 2013 at 0:35
  • Why do you have to use AD for the solution? What about using separate VLANS. Cut the access to the server on VLAN B and allow access to server from VLAN A. Need some more info on how the shares are split. Commented Jan 25, 2013 at 5:11

1 Answer 1

Reset to default
1

I don't believe there's any way to do this as you describe with native tools. NTFS (and share) permissions are assigned to a user, not to the computer that a user's network session is coming from. You could use IPSec or Windows Firewall on your Zeta server to only allow CIFS traffic to come from computer A, but then no other computers could connect to Zeta at all.

I think you're primarily out of luck. And it would be a big pain if computer A was re-imaged or got a new dynamic IP address or was simply retired. Why are you scared of computer B? It would generally already need to be in domain Alpha. And since you're allowing all kinds of network traffic between the domains anyway (I assume that they share a LAN?), you're not really preventing anything by your planned scheme that you wouldn't be vulnerable to anyway.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.