Using computer names in NTFS folder permissions


Adam

I have a situation where I want to share a folder for a specific person,
but I don't want them to be able to access it from a specific computer. So
the logical assumption for me would be to add the computer name and deny
all access to that folder for that computer. However, the person is still
able to access the folder from that computer. Am I trying to go about this
the wrong way? Please advise if you can.
 
NTFS permissions work on user accounts not computer objects.

The only way I see to do this would be to have a switch that you can define
what services specific ports on the switch can use.

I'm not sure of another way to do that.

hth
DDS W 2k MVP MCSE
 
microsoft.public.win2000.security news group, Danny Sanders
NTFS permissions work on user accounts not computer objects.

This is not true. NTFS permissions work for user, group, and computer
accounts. Which permissions apply depends on the security context of the
process that is being used to access the file or folder.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
 
This is not true. NTFS permissions work for user, group, and computer
accounts. Which permissions apply depends on the security context of the
process that is being used to access the file or folder.

Learn something new every day. I was not aware you could use NTFS
permissions to restrict a computer's access to a file or folder.

Of course I've never tried it either.



DDS
 
microsoft.public.win2000.security news group, Adam
So, how do I do this then?

You can't do what you're trying to do with NTFS or share permissions as
the access of the files occurs in a process that is running in the
user's security context.

--
Paul Adare - MVP Virtual Machines
 
The only reasonably workable way we have worked out for
scenarios similar to what you outline is to use network access
control, such as IPsec, to disallow the machine from ALL
communication with the sharing-out machine.
The user is still able to access the share, but not from the
disallowed machine (from which no account is allowed).
 
Danny,
Perhaps if you think of it this way.
NTFS access check is just looking through a list of SIDs and
comparing to SIDs in the token of the process. Whether a
SID (aka a principal) represents any of the categories Paul
has listed is not checked.
Roger
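
The access check Roger describes, as an added example that is not part of the original thread: a simplified Python model of the DACL walk, showing why a deny entry for the computer account never matches the token built for the user. The SIDs, account names and access bits are constructed for illustration.

```python
# Simplified model of the DACL walk in a Windows access check (added example).
# Ignores owner rights, privileges, inheritance and deny-only SIDs.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2          # simplified access bits, not real NTFS masks

DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
ALICE = f"{DOM}-1104"           # hypothetical user account
WS01 = f"{DOM}-1105"            # hypothetical computer account WS01$
DOMAIN_USERS = f"{DOM}-513"
DOMAIN_COMPUTERS = f"{DOM}-515"
AUTH_USERS = "S-1-5-11"

@dataclass(frozen=True)
class Ace:
    kind: str    # "deny" or "allow"
    sid: str
    mask: int

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order; only SIDs present in the token can match."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE is for some other principal
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                          # not all requested rights granted

# The ACL from the question: deny the computer, allow the user.
FOLDER_DACL = [
    Ace("deny", WS01, READ | WRITE),
    Ace("allow", ALICE, READ | WRITE),
    Ace("allow", DOMAIN_COMPUTERS, READ),
]

# Token for the user's session, as the thread describes: the user's SIDs
# only. The SID of the workstation she sits at is not part of it.
alice_from_ws01 = {ALICE, DOMAIN_USERS, AUTH_USERS}
# Token for a process that connects as the computer account itself.
ws01_machine = {WS01, DOMAIN_COMPUTERS, AUTH_USERS}

def demo():
    return (access_check(alice_from_ws01, FOLDER_DACL, READ),
            access_check(ws01_machine, FOLDER_DACL, READ))
```

`demo()` returns `(True, False)`: the deny entry only takes effect when the caller's token carries the computer account's SID, which is why blocking the machine at the network layer was suggested instead.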
 