Allow ONLY domain computers to connect

By Andrew Cooke
I thought one of the reasons for having computer accounts in the domain was that this was required to login to network resources.

So can anyone tell me how to prevent the following problem?

1) User brings personal laptop from home running XP
2) User already has a valid domain user account
3) User logs into personal laptop using local username and password
4) User types the name of a UNC path.
5) Screen prompts for credentials
6) User types domainname\username and password

They can then access the F/P server from an unauthorised computer, bypassing domain login scripts and all security I have in place.


by CG IT In reply to Allow ONLY domain compute ...

I'll assume you are running Active Directory. You can limit that particular user to log in only on a particular assigned computer via logon scripts and Group Policy.


by CG IT In reply to

For limiting users to a particular computer using Active Directory, open Active Directory Users and Computers. Click on the Account tab, then click on the "Log On To" button just below the "User logon name (pre-Windows 2000)" field. This pulls up the Logon Workstations properties sheet. Here is where you specify what computers a user can log on to.


by CG IT In reply to

I need to clarify. In Active Directory Users and Computers, in the left pane highlight Users; in the right pane double-click the user you wish to limit to logging on to a particular computer. Click the Account tab. In the middle of the user's account properties page you'll see a Logon Hours button and a Log On To button; click the Log On To button. Here is where you specify a particular computer that the user can log on to.


by Arne.Tredal In reply to Allow ONLY domain compute ...

You can block this using port authorisation. The machine will then have to identify itself to the switch port through PEAP or a machine certificate. The switch will then check if the machine has a valid machine account in Active Directory using RADIUS on an ISA server.
Unauthorised machines will not be given network access on the switch.


by miotti In reply to Allow ONLY domain compute ...

An even easier way to do that is when you set up the user account in the Active Directory.

As you are inserting the info on your particular client there is an option under "Active Directory/User/Properties/Account"; in there you'll see a button which says "initiate session in...". Right there you can lock the user account to only log on to the domain from that specific machine.


by Andrew Cooke In reply to Allow ONLY domain compute ...

Thanks for the replies so far.

I thought I would respond to them all first.
Sorry for not posting much background information. I do have a Windows 2000 domain. I have a mix of NT and 2k machines in my domain.

Reply (1)
I have over 1000 workstations and 1700 users, so it is not really practical to restrict users to computers.

Even if I wrote a script to export computer names from the domain and imported it to each person's account information, the domain is very dynamic, with new computers being introduced all the time. A better way would be to restrict at OU level, but assuming this could be done I don't think I could apply it because of the mixed NT/2k environment I have.

Reply (2)
Sounds VERY interesting, need to investigate that more

Reply (3)
Also sounds interesting, but I cannot find the "initiate sessions" button?


by abubin In reply to Allow ONLY domain compute ...

I think the person in number (3) is referring to the "Log On To..." button. This allows you to specify only the machines that a person is allowed to log on to the domain from. This you will have to do manually for each person you try to limit access for. If you only have a few people you want to restrict then it's a simple job. But if you want to limit everyone in the domain then it will be tedious. But then again, if you are managing over 1000 clients, you will have at least 5-10 people doing this. Don't tell me you are alone maintaining 1000 clients. You are not Superman, you know....

And the next time you create a user account you can then specify exactly which PC he/she can log on to.

As far as I know (thinking logically), there is no other way to do this better. The domain server would not know if you are logging in from homePC or office PC if the user gave them the same credentials and if the server does not know which PC is office PC for this user, right?

P.S. I am not surprised if there's another method... anything is possible....


by Tictag In reply to Allow ONLY domain compute ...

Other things to consider:

1. IP Security. You could deploy a certificate infrastructure and secure all server/client communications to computers with a valid machine certificate. Might be a bit of a headache to start with but it would certainly stop unauthorised access. Win2k server can do this out of the box.
Note: Only administrators can add machine certificates.
2. User policy. There are far more configurable settings with the User Configuration side of group policy, including logon scripts. There is nothing stopping these settings being applied when the user logs on.
3. Secure resources (1). You could secure resources (including the "Access this computer from the network" right) to members of a security group that contains all the authorised computer account objects.
4. Secure resources (2). You could secure resources using the Authenticated Users built-in group. This would prevent client/client sharing because either the computer or the user would have had to log on to a domain account.
5. Script. You could create a logon script that checks whether or not the computer account exists in Active Directory, if not it simply logs the user off.
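Because a client-to-client connection never runs the logon script, a complementary check is to audit the file server itself: list network logons whose source workstation has no computer account in the domain. The following is an added example, not code from this thread; it assumes a current Windows Security log (event 4624, logon type 3) and the ActiveDirectory module, and the sample events and computer names are constructed so the function runs offline.

```powershell
# Added example: flag network logons to a file server whose reported workstation
# name does not match any computer account in the domain. The function works on
# plain objects, so it can be fed constructed data (below) or parsed live events.
function Get-UnknownWorkstationLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,          # objects with TargetUser, Workstation, IpAddress
        [Parameter(Mandatory)] [string[]] $DomainComputers  # computer sAMAccountNames, with or without trailing '$'
    )
    # Case-insensitive set of known computer names for fast lookups
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $DomainComputers) { [void]$known.Add($c.TrimEnd('$')) }

    foreach ($e in $Events) {
        # Some clients report no workstation name at all; treat an empty name as unknown too
        if ([string]::IsNullOrWhiteSpace($e.Workstation) -or -not $known.Contains($e.Workstation)) {
            [pscustomobject]@{
                User        = $e.TargetUser
                Workstation = $e.Workstation
                IpAddress   = $e.IpAddress
            }
        }
    }
}

# Constructed sample data standing in for parsed 4624 / LogonType 3 events
$sampleEvents = @(
    [pscustomobject]@{ TargetUser = 'jsmith'; Workstation = 'WS0123';      IpAddress = '10.1.4.23' },
    [pscustomobject]@{ TargetUser = 'jsmith'; Workstation = 'HOME-LAPTOP'; IpAddress = '10.1.9.77' },
    [pscustomobject]@{ TargetUser = 'acooke'; Workstation = 'WS0456';      IpAddress = '10.1.4.56' }
)
$sampleComputers = @('WS0123$', 'WS0456$', 'FILESRV01$')

# Expected: only the HOME-LAPTOP logon is reported
Get-UnknownWorkstationLogons -Events $sampleEvents -DomainComputers $sampleComputers | Format-Table

# Against a live server, build the inputs from the Security log and from AD instead:
#   $Events = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} |
#       ForEach-Object {
#           $d = ([xml]$_.ToXml()).Event.EventData.Data
#           [pscustomobject]@{
#               TargetUser  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#               Workstation = ($d | Where-Object Name -eq 'WorkstationName').'#text'
#               IpAddress   = ($d | Where-Object Name -eq 'IpAddress').'#text'
#               LogonType   = ($d | Where-Object Name -eq 'LogonType').'#text'
#           }
#       } | Where-Object LogonType -eq 3
#   $Computers = (Get-ADComputer -Filter *).SamAccountName
```

The workstation name in the event is supplied by the client and can be forged, so treat a hit as a lead to correlate with the source IP and switch port, not as proof on its own.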

by Andrew Cooke In reply to Allow ONLY domain compute ...

I think I'm getting nearer an answer from the last person who replied.

I do not wish to roll out certificates to computers yet. But it's a good option if I had Win2k all round.

The option about checking during logon to see if their computer name is in the domain is a good idea. I already have that in place, but as I mentioned in the original question, it's not them logging into the machine at startup that's my problem. It's client to client, which of course bypasses the login script process.

However, the option about "Restrict access to this computer from...." I did originally look at; however, when I browsed through the list to see if I could choose an OU to restrict this right to, it did not display any. I have just tried again. But this time I typed in the name of the OU and pressed Check. And guess what, it found it!!

I will test tomorrow, but if that works I've found the answer.
