Forcing users & machines to authenticate

By williamoshea ·
I have posted this question before but a lot of the answers showed that the question was misunderstood. I want to be able to stop laptops that are non-domain members from having access to resources on the domain. At the moment any user with a username and password can plug in a laptop, obtain an IP from the DHCP server and access a resource by entering domain\username then password, even though the PC he/she is logging in from is not a member of the domain. In one word I want to force not just users to authenticate but also machines.
I work in a Windows 2000 environment with Win2k Pro and XP client OSes. I have fully implemented Group Policies. However some of the users of laptops have decided not to have their laptops added to the domain. SO WHAT THEY DO IS FIND ANY PATCHED CAT5 PORT, PLUG THEIR LAPTOPS IN, OBTAIN AN IP ADDRESS AND OFF THEY GO. IS THERE A WAY I COULD DENY THEIR LAPTOPS IP ADDRESS OR BETTER STILL STOP THEM FROM ACCESSING NETWORK RESOURCES UNLESS THEY ARE PROPERLY LOGGED ON TO THE NETWORK.


All Comments

by p.j.hutchison In reply to Forcing users & machines ...

In DHCP, you can specify MAC addresses of known laptops to exclude them from getting an IP address and thus access to the network. Of course, if they set a static IP address then that method cannot stop them; you could disable their account until all laptop users are updated to use the domain.

by ewgny In reply to Forcing users & machines ...

You can set up a certificate authority and require that all domain computers authenticate with a "machine certificate". The domain workstations can receive their certificates through Group Policy autoenrollment, whereas non-domain PCs will have to request a certificate, which would have to be approved before access is allowed.

by haileyan In reply to Forcing users & machines ...

The other thing I would do is make sure that all of your shared resources (printers and shared folders) are restricted to Domain Users. By default all of your shares have "everyone", which means anyone on that subnet can access the shares. I never leave "everyone" in security on any shared network resource.
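
An added example, not part of the original thread: one way to audit a file server for the condition described in the reply above, shares whose share-level or NTFS permissions still grant access to "Everyone". It assumes a host with the SmbShare PowerShell module (Windows 8 / Server 2012 or later, which is newer than the Windows 2000 environment in the question) and an elevated session.

```powershell
# Added example: list shares that still allow the "Everyone" group,
# at the share-permission layer or the NTFS layer.
# Assumption: SmbShare module is available and the session is elevated.

# Resolve the (possibly localized) name of the well-known Everyone SID, S-1-1-0.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyone    = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

# Skip administrative shares such as C$, ADMIN$ and IPC$.
$findings = foreach ($share in Get-SmbShare -Special $false) {

    # Share-level permissions (the "Share Permissions" dialog).
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Share  = $share.Name
                Layer  = 'Share'
                Rights = $_.AccessRight
                Path   = $share.Path
            }
        }

    # NTFS permissions (the "Security" tab) on the shared folder itself.
    # Skip shares whose path is not a filesystem location, e.g. printer shares.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $everyone -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Share  = $share.Name
                    Layer  = 'NTFS'
                    Rights = $_.FileSystemRights
                    Path   = $share.Path
                }
            }
    }
}

# One row per share and layer where Everyone is still allowed.
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

An empty table means no non-administrative share on that host grants "Everyone" at either layer.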
