Question:
How do I make a domain inaccessible for computers on a network that share the same LAN connection?
Inshii
2007-05-16 19:04:11 UTC
I have a domain set up with MS Server 2000 that all of the computers in our company are part of. I need to have a certain number of computers removed from the domain so that everything within the domain is inaccessible from those computers while they still work within the building.
I created a separate workgroup and added those few computers to it so that they can share files between them but not with the rest of the company and not with the domain. The problem is that because they are within the building and on the same LAN, when they are on the workgroup they can still access the folders on the domain through My Network Places and map drives to those folders (some are shared).
How can I set the server/domain so that everybody outside of the domain cannot access any folder or file residing on the domain itself? So... how do I make DOMAIN-A inaccessible by any computer outside of DOMAIN-A or at least by any computer on WORKGROUP-B?
Four answers:
VinceY
2007-05-16 19:56:32 UTC
1. Create user groups for your users, e.g. Finance, Production, Sales, etc. Don't forget the SysAdmin group with administrator rights.
2. Assign users to the individual groups.
3. For the folders that are to be shared, make sure the sharing assigns only those user groups that have rights to those folders.
4. Create user accounts for even those people who are not supposed to access the domain shares, but do not assign them to any user group that has rights to access any of the domain folders.
5. Remove 'Everyone' user group from the folder shares.

You now have valid users assigned to user groups that are able to access folders they are supposed to. You also have invalid users who are not assigned to user groups, but belong to the 'Everyone' group, and they cannot access any folders within the domain. You now also have a way to log all the users (valid or invalid) when they log in to the domain.
toolsmcd
2007-05-16 19:24:13 UTC
When you set up the directories to be saved on the server, look at the permissions for each share. If you give any permissions to the Everyone group, anyone able to access the LAN will be able to see and manipulate the files in the share.

You are going to have to set up the groups you want to use the share, and disable any permissions on the Everyone group.

WARNING!!!! You must be very careful to make sure you have admin rights and access to the share prior to removing the Everyone permissions or you may lose access to everything in the folder.

This is something you want to test on an empty folder, or a test folder first. Failure to do so will cause much pain and anguish.

If you do this right, you will be able to have said computers as a part of the domain, and still have the access rights, or lack thereof, that you require. Also, you can do this on a computer-to-computer basis, or better yet, a user basis, so no matter what computer said user is logged into, he will only have the rights you assign him.
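
Added example, not part of any answer in this thread: a PowerShell script for the share-permission cleanup that VinceY's steps and toolsmcd's warning describe. It assumes a current Windows Server with the SmbShare module (not the Server 2000 in the question); the group names are placeholders, and without -Apply it only reports.

```powershell
#Requires -Modules SmbShare
# Added example. Group names are placeholders (assumptions), not from the thread.
param(
    [string[]]$AllowedGroups = @('DOMAIN-A\Finance', 'DOMAIN-A\Sales'),  # hypothetical groups
    [string]$AdminGroup = 'BUILTIN\Administrators',
    [switch]$Apply   # without -Apply the script changes nothing
)

# Resolve the well-known SID S-1-1-0 (Everyone) so the match also works on localized systems.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

foreach ($share in Get-SmbShare -Special $false) {
    $acl = @(Get-SmbShareAccess -Name $share.Name)

    # Only shares that still allow Everyone need attention.
    $open = $acl | Where-Object {
        $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $open) { continue }

    # toolsmcd's warning: confirm an administrator entry exists before touching Everyone.
    $adminOk = $acl | Where-Object {
        $_.AccountName -eq $AdminGroup -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    Write-Output ("{0}: Everyone has {1}; admin Full access present: {2}" -f
        $share.Name, ($open.AccessRight -join ','), [bool]$adminOk)
    if (-not $Apply) { continue }

    # Grant first, revoke last, so the share is never left without an administrator.
    if (-not $adminOk) {
        Grant-SmbShareAccess -Name $share.Name -AccountName $AdminGroup -AccessRight Full -Force | Out-Null
    }
    foreach ($group in $AllowedGroups) {
        Grant-SmbShareAccess -Name $share.Name -AccountName $group -AccessRight Change -Force | Out-Null
    }
    Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone -Force | Out-Null
}
```

The script only changes share-level permissions; NTFS permissions on the underlying folders are evaluated separately and need the same review.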
2007-05-16 19:34:44 UTC
For a start, you can use security to control who can access what. From the sound of it, your security is non-existent, or anyone outside the domain would have no access. If you restrict access to domain groups or users, you then have full control over what is accessible. As you are, if one machine suffers a break-in, your server is compromised.
?
2016-10-05 09:25:39 UTC
IPs are no longer probably assigned to desktops per se... they are assigned to community contraptions. If a working laptop or workstation has different community contraptions, it in essence has different IPs via the type you're thinking of it. In any case, the two desktops could have different IPs assigned to their prompt community card contraptions, yet via way a community works with cyber web connection sharing (this is, desktops make requests to the router and then the router sends request and is fairly in basic terms passing messages returned and forth between the internet and desktops on community), all desktops on your community would be seen as having an analogous IP on the information superhighway. This would possibly not usually reason problems however, for a undeniable factor that I won't be able to describe cuz I'm no expert in workstation networking lol.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.