Restricting access to a file share to certain computers

Tags: DC, Domain Controller, File Share Permissions, File Shares, NTFS, Shared folders, User Permissions, Windows Server 2003, Windows Server 2003 Domain Controller

Here is the scenario. I have a Windows Server 2003 domain with two DCs. This is an educational environment with roughly 3,000 computers and 30,000 users. Students are logging in with their own unique credentials. My issue is that there are multiple computer labs that need a share configured to allow only computers in that lab to access it, regardless of which user is logged in. For example, the graphics lab wants a share to distribute files to the students and store stock images and whatnot. The only people that need to access that share are the students in a graphics course, and only when they are in that lab. I could add all the graphics students to a group and grant that group access to the share, but managing the group membership would be a nightmare! This would also not prevent them from accessing it when they are not logged in from the lab. I have done a tremendous amount of research on this issue and so far I have not come up with an answer. Most of what I have read says what I want to do is not possible, but it seems like this scenario would come up often. If it is not possible, then I need a workaround, so hopefully everyone here can help me out. Any ideas?

Answer Wiki


What about setting up a network just within the lab which is only accessible from lab computers? That would solve the problem for you. Install a file server on that network and computers not on the network cannot access it.
====================
Another option might be to create a VLAN for each lab. Set up a firewall to permit only file services to clients on that VLAN. The issue would be that some of the AD services use the same ports as the file services (139, 445) and would have to be permitted between the DCs and the file server(s).

********************
How about using the computers as the group? Either a standard AD security group with the computer names as members, or create an OU containing the computers with a corresponding Group Policy and the appropriate login script. I am not sure if you use login scripts at the OU / Group Policy level or just at the user level.
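
A rule set like the one the VLAN answer describes can be checked before it is applied to the firewall. The following is an added example, not part of the original thread: a first-match rule model that confirms ports 139 and 445 on the file server are reachable only from one lab VLAN and from the DCs. All addresses, rule tuples, probe hosts and function names are constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139, 445}  # file-service ports named in the VLAN answer

# Constructed sample addressing (assumption; none of it comes from the thread).
FILE_SERVER = ipaddress.ip_address("10.0.0.20")
DCS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}
LAB_VLAN = ipaddress.ip_network("10.20.5.0/24")

# Rule = (action, source network, destination network, ports); first match wins.
GOOD_RULES = [
    ("allow", "10.20.5.0/24", "10.0.0.20/32", SMB_PORTS),  # lab VLAN only
    ("allow", "10.0.0.10/32", "10.0.0.20/32", SMB_PORTS),  # DC 1
    ("allow", "10.0.0.11/32", "10.0.0.20/32", SMB_PORTS),  # DC 2
]
# Mistake: covers every 10.20.x.x lab and forgets the domain controllers.
BAD_RULES = [("allow", "10.20.0.0/16", "10.0.0.20/32", SMB_PORTS)]

# Constructed probe hosts used to exercise a rule set.
PROBES = {
    "lab_pc": "10.20.5.40",
    "other_lab_pc": "10.20.6.15",
    "staff_pc": "10.30.1.7",
    "dc1": "10.0.0.10",
    "dc2": "10.0.0.11",
}

def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow; implicit deny otherwise."""
    for action, src_net, dst_net, ports in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and port in ports):
            return action
    return "deny"

def audit(rules, probes=PROBES):
    """Return (host, port, expected, actual) wherever the rules deviate from
    'SMB to the file server only from the lab VLAN and the DCs'."""
    findings = []
    for name, addr in probes.items():
        src = ipaddress.ip_address(addr)
        expected = "allow" if (src in LAB_VLAN or src in DCS) else "deny"
        for port in sorted(SMB_PORTS):
            actual = first_match(rules, src, FILE_SERVER, port)
            if actual != expected:
                findings.append((name, port, expected, actual))
    return findings

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(rules))
```

A network filter of this kind applies to the whole file server rather than to a single share, so every share on that server becomes lab-only.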

Discuss This Question: 4  Replies

 
  • Siliconron
    Adding another server would work, but if at all possible I would like to use one of the domain controllers. I have 10TB of storage on one of the DCs that can be used. I also do not have any spare servers, let alone one with over a terabyte of drive space. One idea is to set up a virtual server on the domain controller and use that as a file server, but I'm not sure that I would like to add all that overhead.
  • SlavetoIT
    Why not just add the computer accounts to the share folder security? That way the computers in the lab would have access to the share but other computers outside of the lab wouldn't.
  • Kulasterol
    I have a similar problem and I tried adding computer accounts or group account (propagated by computers in that specific location) to the share folder security, with full access rights, but still can't get it to work. It works when I use user or user-based group accounts.