deny logons from stations that haven't a computer account

Hi,

Is it possible to deny logons from stations that don't have a computer account
in an Active Directory domain (for example, stations in a workgroup)?

many thanks

thomas
 
You could use an IPsec "require" policy on domain computers [other than domain
controllers] that would restrict access to domain-only computers because by default
IPsec negotiation in a domain requires Kerberos machine authentication. The downside
is that only W2K/XP Pro/W2003 domain computers are IPsec aware and older downlevel
clients will not be able to communicate with domain members that have a require
policy. Domain controllers cannot engage in IPsec negotiation with domain members,
so if you look at IPsec you will have to exempt traffic to and from domain
controllers by their IP addresses. See the links below for more info on IPsec.

--- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949
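
The policy described in the reply above, written out as an added example (not part of the original post) with the `netsh ipsec static` context, which assumes a Windows Server 2003 member. The policy, filter list and rule names and the 192.0.2.x domain controller addresses are constructed placeholders.

```bat
@echo off
rem Added example. All names and the 192.0.2.x DC addresses are placeholders.
rem Assumes the "netsh ipsec" context (Windows Server 2003 member).

set POLICY=Domain Members Only

rem 1. Create the policy, left unassigned until all rules are in place.
netsh ipsec static add policy name="%POLICY%" description="Require IPsec with Kerberos machine authentication" assign=no

rem 2. Filter list matching all IP traffic to and from this computer.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

rem 3. Filter list for the domain controllers, one mirrored filter per DC.
rem    These are more specific than Me <-> Any, so they take precedence.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=192.0.2.10 protocol=ANY mirrored=yes
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=Me dstaddr=192.0.2.11 protocol=ANY mirrored=yes

rem 4. Filter actions: "require" never falls back to clear text
rem    (inpass=no, soft=no); "permit" passes traffic without IPsec.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Rules: exempt the DCs, require Kerberos-authenticated IPsec for the rest.
netsh ipsec static add rule name="Exempt DCs" policy="%POLICY%" filterlist="Domain Controllers" filteraction="Permit"
netsh ipsec static add rule name="Require IPsec" policy="%POLICY%" filterlist="All IP Traffic" filteraction="Require Security" kerberos=yes

rem 6. Review the result, then assign the policy.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes
```

Once the policy is assigned, workgroup and downlevel machines cannot complete the Kerberos negotiation and lose connectivity to this computer, so try it on a single member before rolling it out.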
 