How to prevent non-domain computers from accessing the domain share resources

Tags: domain-controller, network-share, permissions, windows-server-2008-r2

My company is using Windows Server 2008 R2 for the domain controller and file sharing, and all client computers have Windows 7 Professional installed. Some of the client computers are added to the domain, intended for accessing the shared resources to cooperate, while other client computers are not added to the domain and are used for other purposes. The domain computers are restricted from the internet by firewall software. Each of the employees has his own domain user account and password, and when he logs onto a domain client computer, he can access the shared files (e.g. \\domain_ip_address\folder_sharename) by "map network drive" or "add a network location", with his own permissions specified on the server.

As to the permission configuration, as far as I understand, share permissions and NTFS permissions work together to determine the resulting permissions: the more restrictive ones take effect. So, just as the common advice goes, I gave the folder the share permissions Everyone: Full Control and respective NTFS permissions for each domain user account.

All seemed to go very well. And I had thought wrongly that if a computer was not added to the domain, it could absolutely not access the domain share resources.

Several days ago, on a non-domain computer, I tried "map network drive" and "add a network location". I was prompted to input credentials, so I provided one of the domain user accounts in the form "domain_name\domain_user_account" plus its password, and I accessed the shared folder successfully. I was shocked.

My objective is to only allow computers added to the domain to access domain share resources. So, in the share permissions setup of the folder, I deleted Everyone: Full Control, and added Domain Computers: Full Control. But the result is: even on domain computers, domain user accounts cannot access it, even the domain user accounts that have Full Control NTFS permissions.

My questions:

1. Could anyone tell me why I got this unexpected (at least to me) result? I.e.: why do the share permissions Domain Computers: Full Control prevent even domain users with Full Control NTFS permissions, using domain computers, from accessing the share resources? Has anyone ever used Domain Computers in the share or NTFS permissions successfully?

2. How can I improve this? I hope to avoid major surgery on my current server setup.

Update 2015-10-28:

Let me provide more details on the setup of my 2 servers. Frankly speaking, I'm not an IT expert, and the 2 servers were set up by my friend. Both have Windows Server 2008 R2 installed.

The 1st one, say server_A, acts as domain controller, DHCP server, and stores the files for sharing.

The 2nd one, say server_B, acts as DNS server, and has Threat Management Gateway 2010 (TMG2010) installed, mainly to control which client devices can access the internet.

Best Answer

File shares are validated in user space, not computer space.

Thus any computer entries you enter there are ignored, but since no user has access to the share, as you left only Domain Computers, that means no one can access the share. (As I said, computer accounts are ignored in file shares.)

Why is it done that way? Each file is owned by a user, not a computer. It's by design. Imagine how you would audit who did what: it would be impossible (for example, when applying SOX404).

It's important to put a strong password on each user account.

On the other hand, you can restrict the DHCP and the switches with some controls to be sure only domain-joined computers can get an IP. Your risk is a lot worse than what you described: if an infected computer just got plugged into your LAN, even without any share open, the damage would be a lot worse.

So the final tip: control what is plugged in, and even inspect your DHCP to be sure no rogue gear is connected. If you need to give access to non-domain-joined computers, then think about another VLAN for guests.
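
A simplified model of the access check behind the result described in the question, added here as an example and not code from either poster. The account names, group membership and rights constants are constructed, and deny ACEs and inheritance are left out.

```python
# Simplified model of a Windows share access check (illustration only; real
# ACLs also have deny ACEs, inheritance and many more rights).
READ, WRITE, FULL = 0x1, 0x2, 0x3

# Constructed sample directory data: groups and their members.
GROUPS = {
    "Domain Users": {"alice", "bob"},
    "Domain Computers": {"PC01$", "PC02$"},   # computer accounts only
}

def token_for(user):
    """SIDs in the logon token: the user, its groups and Everyone.
    The client computer's account is never part of the user's token."""
    sids = {user, "Everyone"}
    sids |= {g for g, members in GROUPS.items() if user in members}
    return sids

def granted(acl, token):
    """OR together the rights of every allow ACE whose trustee is in the token."""
    mask = 0
    for trustee, rights in acl:
        if trustee in token:
            mask |= rights
    return mask

def effective_access(user, share_acl, ntfs_acl):
    """Access over SMB is the intersection of share and NTFS rights.
    There is no client-computer parameter: the check sees only the user."""
    token = token_for(user)
    return granted(share_acl, token) & granted(ntfs_acl, token)

NTFS_ACL = [("alice", FULL), ("bob", READ)]   # constructed per-user NTFS rights

def demo():
    everyone = [("Everyone", FULL)]
    computers_only = [("Domain Computers", FULL)]
    users_group = [("Domain Users", FULL)]
    return {
        "everyone/alice": effective_access("alice", everyone, NTFS_ACL),
        "computers_only/alice": effective_access("alice", computers_only, NTFS_ACL),
        "users_group/bob": effective_access("bob", users_group, NTFS_ACL),
        "users_group/mallory": effective_access("mallory", users_group, NTFS_ACL),
    }

if __name__ == "__main__":
    for case, mask in demo().items():
        print(f"{case}: {mask:#x}")
```

A share ACL that names a user group (here the hypothetical choice of Domain Users) keeps per-user NTFS rights working, but in this model it still cannot tell which computer the user connected from.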