VPN users have full access

David Armstrong

I have some users on our very small network (Win 2000
Server with IAS for the gateway, and Win 2003 server
behind for all other services) who only access our
network by VPN.
The users have dial-in access enabled in AD (although
they will actually connect over the internet) and they
are not even members of the domain users group - just a
new group that only has rights to one share.
However, connecting to the VPN as these users gives me
full access to all directories and files on the network
even if I explicitly deny access. Help! Any ideas
appreciated!
 
When the user logs in, use a prog that will show the group membership for
that login. Some use the SID and others use login name... You may see that
they are part of a dial-in group or a default group that is giving them more
access rights. Also, use an ACL dump prog to check the ACLs on the
directories and files in question to see who actually has access to them...

HTH
Ozone
 
Maybe they are not authenticating as you think. When they are connected to the
share that they should not have access to, look in Computer Management/Shared
Folders/Sessions to see how they are connected. Keep in mind that you can use
Remote Access Policies in RAS to create input/output filters to restrict access
to LAN computers based on IP address.

--- Steve
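
The two checks suggested in the replies above (which groups the logon token really carries, and which account the session is really using), as an added example that is not part of the original thread: a simplified Python model of the Windows DACL access check. The account SIDs, tokens and ACLs are constructed for illustration; the model ignores owner rights, privileges, inheritance and share-level permissions.

```python
# Simplified model of the Windows DACL access check (added example; the
# account SIDs, tokens and ACLs are constructed, not taken from the thread).
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

EVERYONE = "S-1-1-0"               # well-known SID: Everyone
AUTH_USERS = "S-1-5-11"            # well-known SID: Authenticated Users
VPN_USER = "S-1-5-21-1-2-3-1105"   # constructed: the VPN-only account
VPN_GROUP = "S-1-5-21-1-2-3-1106"  # constructed: group with rights to one share
OTHER_ACCT = "S-1-5-21-1-2-3-1001" # constructed: a different account

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order; return (granted, ACEs that decided the result)."""
    remaining, hits = desired, []
    for ace_type, sid, mask in dacl:
        if sid not in token_sids or not (mask & remaining):
            continue                      # ACE does not apply to this request
        hits.append((ace_type, sid))
        if ace_type == "deny":
            return False, hits            # a matching deny ends the check
        remaining &= ~mask
        if remaining == 0:
            return True, hits             # every requested bit was allowed
    return False, hits                    # no ACE granted the remaining bits

# The VPN account is not in Domain Users, but its token still carries the
# well-known groups added at logon.
vpn_token = {VPN_USER, VPN_GROUP, EVERYONE, AUTH_USERS}
other_token = {OTHER_ACCT, EVERYONE, AUTH_USERS}

# Case 1: a folder whose ACL still grants Everyone full control.
loose_dacl = [("allow", EVERYONE, FULL)]
# Case 2: the same folder with an explicit deny for the VPN account on top.
deny_dacl = [("deny", VPN_USER, FULL), ("allow", EVERYONE, FULL)]

if __name__ == "__main__":
    cases = [("vpn user, loose ACL", vpn_token, loose_dacl),
             ("vpn user, explicit deny", vpn_token, deny_dacl),
             ("other account, explicit deny", other_token, deny_dacl)]
    for label, token, dacl in cases:
        print(label, access_check(token, dacl, READ))
```

If access still succeeds with the explicit deny in place, the third case is the one to suspect: the session is running under a different identity than the VPN account, which is what the Sessions view shows.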
 