Protect Domain Users to Access Files After Log On To Other Computer

    Question


  • Suppose I have 100 users in my domain. So 100 users have their different computers and user names/passwords. Hence, every user can log on to their own computer as well as to any computer in the domain. So, there is an issue of security. Like, if A logs on to B's computer with A's credentials (both users are Domain Users), then A will be able to access B's files and drives with read/write permission. It should not happen. Here, I want to set permissions for all users so that if someone logs on to another computer with his/her credentials, then he/she cannot access the files, folders etc. of others. So how do I set permissions through GP?

    Sk Sabbir Ali

    Monday, December 31, 2012 4:28 PM

Answers

  • It is possible to set permissions using a startup script initiated by a GPO, but even if this solves the part about setting permissions you will still have a couple of issues:

    1 - You need to feed the script some information about which computer belongs to which user. How is ownership established and registered?

    2 - By making drives like D: and E: available to one user only you will of course make them unavailable to others. Is this ok, and can it cause other issues?

    3 - Are the drive letters equal on all your computers? If not you may end up disabling the wrong drive(s) on some.

    My suggestion is to use Microsoft's intended file location which is in each user's profile. The locations you mention are not intended for personal files, hence there is no standard way of treating them as such.

    Tuesday, January 01, 2013 11:56 AM
  • Sk Sabbir Ali >> give me a concrete solution.

    I agree with Eirik Hamer's suggestion.

    Technically it's possible to restrict a particular user or group of users to a certain computer or a bunch of computers. That being said, a lot of work and effort is needed to accomplish that task, especially in your scenario! There is no easy way.

    Please see following discussions for the details.

    Restrict users to logon on the particular computer

    Restrict certain users from login on certain computers

    If protecting users' files is your utmost concern, you might want to explore the possibility of implementing EFS or BitLocker as appropriate. Thanks


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    Tuesday, January 01, 2013 7:22 PM

All replies

  • If user A logs on to user B's computer then user A will not see user B's documents as long as user B keeps them in his/her profile (My documents).

    If user B was to put some documents in a non-standard folder, like C:\BsOddFolder, then it would still be really hard to deny A permissions to it by using GPOs. User B should set his/her own permissions when creating the folder.

    Monday, December 31, 2012 4:47 PM
  • Hey, it's a funny answer you know. I have almost 300 PCs and you are saying that permission has to be set for each computer individually. Is it possible? Give me a concrete solution. On A's computer, A can do everything with his/her files when he logs on to his/her computer. If B logs on to A's computer with his/her computer then how can B access A's confidential files? B can delete or copy A's files. I want a policy which I can set through Group Policy for all users.

    Sk Sabbir Ali

    Tuesday, January 01, 2013 4:27 AM
  • Hey, it's a funny answer you know. I have almost 300 PCs and you are saying that permission has to be set for each computer individually. Is it possible? Give me a concrete solution. On A's computer, A can do everything with his/her files when he logs on to his/her computer. If B logs on to A's computer with his/her computer then how can B access A's confidential files? B can delete or copy A's files. I want a policy which I can set through Group Policy for all users.

    Sk Sabbir Ali

    Hi,

    If B logs on to A's computer with his/her computer then B cannot access A's confidential files if they are stored in his My Documents or Desktop or a folder which A has created. You only need NTFS as the file system on your drives (C:\ or D:\ etc.)

    B can delete or copy A's files.

    No, B cannot delete A's files if they are stored in, again, A's profile folders (My Documents, Desktop etc.), if you are using NTFS as the file system with profiles created for every user A or B.

    I hope this solves your problem.



    Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"

    Waqas

    MS(SPM), MS(E&F), MCP, MCT, MCTS, MCITP, MCSE, MCPD, MCSD, MCDBA , Author
    Twitter: @waqas8777
    Linked In: http://www.linkedin.com/in/waqasmahmood1

    Tuesday, January 01, 2013 5:43 AM
  • I know very well that nobody can access My Documents or Desktop except Administrators or the particular user. Any other way to protect other folders or drives (D:/, E:/)?

    Sk Sabbir Ali

    Tuesday, January 01, 2013 8:02 AM
  • It is possible to set permissions using a startup script initiated by a GPO, but even if this solves the part about setting permissions you will still have a couple of issues:

    1 - You need to feed the script some information about which computer belongs to which user. How is ownership established and registered?

    2 - By making drives like D: and E: available to one user only you will of course make them unavailable to others. Is this ok, and can it cause other issues?

    3 - Are the drive letters equal on all your computers? If not you may end up disabling the wrong drive(s) on some.

    My suggestion is to use Microsoft's intended file location which is in each user's profile. The locations you mention are not intended for personal files, hence there is no standard way of treating them as such.

    Tuesday, January 01, 2013 11:56 AM
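
The startup-script approach from the reply above, sketched as an added example (not code from any poster in this thread). It assumes a maintained computer-to-owner mapping and protects one folder on the data drive rather than the whole drive; the computer names, accounts and paths are hypothetical.

```powershell
# Added example. Intended to run as a GPO computer startup script (SYSTEM context).
# Constructed mapping: computer names, accounts and paths are hypothetical.
$ownerMap = @'
Computer,Owner,PrivatePath
PC-001,CONTOSO\usera,D:\Private
PC-002,CONTOSO\userb,E:\Private
'@ | ConvertFrom-Csv

# Issue 1: ownership must be registered somewhere; unknown machines are left alone.
$entries = @($ownerMap | Where-Object { $_.Computer -eq $env:COMPUTERNAME })
if ($entries.Count -eq 0) {
    Write-Output "No owner registered for $env:COMPUTERNAME; nothing changed."
    return
}

foreach ($e in $entries) {
    # Issue 3: drive letters differ between machines, so verify the volume first.
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($e.PrivatePath))
    if (-not $drive.IsReady -or $drive.DriveType -ne 'Fixed' -or $drive.DriveFormat -ne 'NTFS') {
        Write-Warning "$($drive.Name) is not a ready, fixed NTFS volume; skipped."
        continue
    }
    try {   # Resolve the owner account before touching anything.
        $owner = (New-Object System.Security.Principal.NTAccount $e.Owner).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot resolve $($e.Owner); skipped."
        continue
    }

    # Issue 2: protect one folder instead of making the whole drive unavailable.
    New-Item -ItemType Directory -Path $e.PrivatePath -Force | Out-Null
    $acl = Get-Acl -Path $e.PrivatePath
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting from the drive root
    foreach ($old in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $acl.RemoveAccessRuleSpecific($old)          # drop existing explicit entries
    }
    # SYSTEM and local Administrators keep full control; the owner gets Modify.
    foreach ($g in @(@('S-1-5-18', 'FullControl'), @('S-1-5-32-544', 'FullControl'), @($owner.Value, 'Modify'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier $g[0]),
            $g[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $e.PrivatePath -AclObject $acl
}
```

Other domain users who log on to the machine receive no entry on the folder, while local Administrators retain access, which matches the behaviour of profile folders described earlier in the thread.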
  • Sk Sabbir Ali >> give me a concrete solution.

    I agree with Eirik Hamer's suggestion.

    Technically it's possible to restrict a particular user or group of users to a certain computer or a bunch of computers. That being said, a lot of work and effort is needed to accomplish that task, especially in your scenario! There is no easy way.

    Please see following discussions for the details.

    Restrict users to logon on the particular computer

    Restrict certain users from login on certain computers

    If protecting users' files is your utmost concern, you might want to explore the possibility of implementing EFS or BitLocker as appropriate. Thanks


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.

    Tuesday, January 01, 2013 7:22 PM