
Computers in a group not able to access a file


12 replies to this topic

#1 seg42

seg42

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 24 April 2014 - 09:41 AM

Using Server 2008 R2

 

I created a group in Active Directory that has several computers in it, and gave that group access to a file. None of the computers in that group can access it. I tried creating a different group using the users of those computers, and then they had access to the file. All are members of the domain. 

 

I know I'm missing something to make this work, but I'm not even sure where to start. This has to work by computer, not user, so I would appreciate any help.

 

Thanks




#2 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:10:24 PM

Posted 24 April 2014 - 05:07 PM

If users are initiating access of the file (in Windows Explorer or a batch file clicked by a user, for example), then as Explorer is running in the user's context, their credentials (or more exactly their SID and the SIDs of security groups to which they belong) will be used. The computer account does not come into that equation.

The computer account would have effect if a process running as LocalSystem initiated the access (for example Group Policy processing Group Policy software installation and reading the installation files from a share).

So basically as the users are initiating the operation, their security is used.

Can you tell us more about your application?

X64

#3 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 28 April 2014 - 07:57 AM

I'm not describing this well, so here's the scenario:

 

There is a file on the server that security-wise has full permissions given to security group "A". This group is defined by Active Directory as a half dozen individual Computers from within the domain. According to the Active Directory Cookbook, a Computer is treated in this case the same as a User (this may not be the case in reality, but this is what I'm going by.)

 

When a domain User logs into one of the six Computers and tries to access that file, they are denied access.

 

I created a second security group, "B", and instead of Computers, I used Users, and group A was able to access.

 

I need to get the file so only group A can access it, since those computers will be in an isolated area. I cannot restrict Users to only those computers because they have to be able to work on other machines, but not access that data.



#4 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:10:24 PM

Posted 28 April 2014 - 12:43 PM

... a Computer is treated in this case the same as a User ....

Whilst that is true to a certain degree, it doesn't mean what you think it means.

 

Within a modern Windows computer everything runs as particular Windows accounts. Background processes that keep the computer running (the operating system for instance) might run as a Windows or AD account that refers to the computer (and anything that process does is done with the permissions of the computer (your group A)).

 

When a user logs on, an environment is created running as the Windows or AD account belonging to the user, and anything that the user does (runs a program etc.) runs with the permissions of the user account (your group B).

 

If the user launches the application accessing your file, only the group B permissions will apply, as the USER launched the file.

 

Whilst there might be ways to frig the computer to open the file, this would not be easy to arrange, and likely not be something which is otherwise secure. So as welcoming as that idea sounds, discard it.

 

In short - basic Windows/AD permissions cannot do what you want, so we need to explore other avenues.

 

For example, could the file be brought locally onto the PC? (and if so how frequently would it need to be updated?) or is live shared access necessary. If this sounds feasible then something like a loopback group policy might help.

 

x64
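The point x64 makes in posts #2 and #4 (the file is opened with the logged-on user's access token, which carries the user's SID and group SIDs but never the computer account's SID) can be checked directly on one of the affected machines. The following PowerShell is an added example, not a script from this thread: it lists the ACEs on the file, marks which of them match a SID present in the current user's token, and then shows that the computer account (`COMPUTERNAME$`) is not in that token at all. The share path is a placeholder assumption.

```powershell
# Added example: compare the logged-on user's token against a file's ACL.
# $Path is an assumed placeholder; point it at the file guarded by group "A".
$Path = '\\FILESERVER\Share\protected.xlsx'

# 1. SIDs carried in the current user's access token (user SID + group SIDs).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

# 2. ACEs on the file, each checked for a match against the token.
$acl = Get-Acl -LiteralPath $Path
"Token carries {0} SIDs; file has {1} ACEs" -f $tokenSids.Count, $acl.Access.Count

foreach ($ace in $acl.Access) {
    try {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $matches = $tokenSids.Value -contains $aceSid.Value
    } catch {
        $aceSid  = $null            # unresolvable identity (e.g. orphaned SID)
        $matches = $false
    }
    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType   # Allow / Deny
        Rights      = $ace.FileSystemRights
        InUserToken = $matches                  # only these ACEs can grant the user access
    }
}

# 3. The computer account is a separate principal; it is not in the user's token,
#    which is why a group of computer accounts on the ACL never matches.
$computerAccount = "$env:COMPUTERNAME$"
try {
    $computerSid = (New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $computerAccount)).
        Translate([System.Security.Principal.SecurityIdentifier])
    "Computer account {0} present in user token: {1}" -f $computerAccount,
        ($tokenSids.Value -contains $computerSid.Value)
} catch {
    Write-Warning "Could not resolve $computerAccount (machine may not be domain-joined): $($_.Exception.Message)"
}
```

Run it as the domain user from one of the six computers. Every ACE whose identity is group "A" (the computer group) reports `InUserToken = False`, while an ACE for group "B" (the user group) reports `True`; the final line prints `False`, confirming the computer's own SID plays no part in the user's access check.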



#5 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 28 April 2014 - 01:00 PM

The file has to be live shared.

 

Mainly what we are trying to accomplish is for people to be able to access these shared files only through authorized in-office PCs. Using just the user credentials allows them to not only access them from any PC in the office, but also gives them access through personal machines over the VPN and RDT.

 

Any thoughts on how to make this work would be appreciated. I'm basically a PC tech with a pile of books, so I'm a little out of my league. :)



#6 yug

yug

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 16 May 2014 - 11:04 AM

Try looking up the "Active Directory Rights Management Service" feature. It is primarily user-permission based (as opposed to computer), but its purpose is to protect against sensitive data leaks etc.



#7 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 19 May 2014 - 07:44 AM

I can't use strictly user based login because it doesn't prevent someone from logging in from machines they aren't supposed to.

 

I have a very roundabout solution for the time being. We created a secondary profile for the users that is limited to certain computers in Active Directory, and then created a script that creates a non-persistent mapping to the secured files. The script requests the new credentials and they have access to the files while they are logged in. It's imperfect, since for two of the users we are having to depend on the honor system and them remembering that they aren't supposed to access those files outside the office, but it's the best I can come up with that meets all the requirements we were given.
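The workaround described above (a secondary account whose AD "Log On To" list is limited to the isolated computers, plus a script that maps the secured share for the current session only after prompting for that account's credentials) can be written in a few lines of PowerShell. This is an added example, not seg42's script; the server, share and drive letter are placeholder assumptions.

```powershell
# Added example: session-only mapping of the secured share with a secondary,
# computer-restricted account. Server/share/drive letter are assumed placeholders.
$SharePath = '\\FILESERVER\Secured'
$DriveName = 'S'

# Prompt for the secondary account. Its "Log On To" restriction in AD is what
# stops it being used from machines outside the isolated area.
$cred = Get-Credential -Message 'Enter the secured-share account'
if (-not $cred) { Write-Warning 'No credentials supplied; nothing mapped.'; return }

# Drop any stale mapping on the same letter from an earlier session.
if (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveName -Force
}

try {
    # No -Persist switch: the mapping exists only for this session and is not
    # written to the user's profile, so it disappears at logoff.
    New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $SharePath `
                -Credential $cred -Scope Global -ErrorAction Stop | Out-Null
    "Mapped {0}: to {1} as {2} (session only)" -f $DriveName, $SharePath, $cred.UserName
} catch {
    Write-Warning "Mapping failed: $($_.Exception.Message)"
}
```

Because the drive is created without `-Persist`, nothing survives the session, and the regular user account never holds permissions on the share at all; only the secondary account does, and that account cannot log on elsewhere.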



#8 JohnnyJammer

JohnnyJammer

  • Members
  • 1,108 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:24 AM

Posted 20 May 2014 - 01:10 AM

If it has to be computer/machine based security, I would then create an OU and add the said machines to that and apply a GPO based on the computer being a member of the OU.

It shouldn't matter what user is using it then, but I have never had to do it this way.



#9 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 20 May 2014 - 07:43 AM

I did try that, but it didn't work. The user would log into a machine with permission, but they wouldn't be able to access the share. The user permissions trump the machine permission (thanks for your help on figuring that out, X64 :) )

 

Besides, I can't have just any user be able to use this share. Everyone in the office at the moment can get to these machines, and might log onto them.



#10 nettechindia

nettechindia

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 01 June 2014 - 03:23 AM

Sometimes such an issue happens due to a lot of connections or due to security issues also.



#11 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 02 June 2014 - 07:48 AM

I'm sorry, I'm not sure I follow you. Which issue are you speaking of in particular?



#12 technonymous

technonymous

  • Members
  • 2,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 PM

Posted 24 June 2014 - 02:06 AM

Adding the users to the share works, but the groups don't. I am guessing it has to do with the inherited permissions from the parent directory.



#13 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:24 PM

Posted 24 June 2014 - 08:34 AM

It's not the users in groups that are the issue. The users work just fine. It's using the computer names that doesn't work.


