Is it possible to manage file system access per computer (or per container)?

Tags: active-directory, file-sharing, permissions, windows-server-2003

I'm relatively new to Sys Admin and there is this requirement... or at least, the talk of a requirement whereby we restrict access to certain folders for a particular set of computers (an OU on our domain that contains a room of PCs). I just don't know if this is possible on Active Directory. I get the feeling that file system permissions are only designed for user/group mapping and can't figure out how I might go about trying to stop users from modifying these files except in this room (AD container) on these PCs.

Is this possible? Any suggestions are welcome (no matter how left-field).

EDIT: more info is needed it seems…

I'm at a school. The server share that I'm applying permissions to contains files that are used for school reporting functions. I have a series of security groups applied to the share such that the appropriate administrative staff can access the files how they need to and faculty staff can do the same.

In addition to the requirements satisfied in the implementation above, management wants the faculty staff to make changes to these files only in a particular room (such that they can be 'supervised', I believe). I have the AD containers set up for the PCs in this room – I was hoping that there was a Group Policy solution to this permission predicament.

Best Answer

This is one of those interesting areas that don't fit a use-case that Microsoft thought of with the Windows operating system.

NTFS permissions don't have any functionality related to assigning permission based on the computer that's accessing, other than a very gross approximation using the "INTERACTIVE" or "NETWORK" well-known security identifiers (SIDs). The user accessing the particular resource is used in the access-control decision, irrespective of the computer from which the access attempt was sourced.

If you want a "fix" based on Group Policy, I'll suggest an ugly workaround. It's sub-optimal, but it will accomplish what you're looking for. (This is very quick and dirty. In particular, it's really not good form to stick GPOs at the top of the domain indiscriminately, because in general you want the smallest number of GPOs to apply to a given computer or user to speed the application of Group Policy.)

  • Create a global security group named, say, "Sensitive Computer Accounts" in the Active Directory. Make all the computer accounts where "Sensitive" access will be performed members of this group.

  • Create a global security group named, say, "Sensitive User Accounts" in the Active Directory.

  • Create secondary user accounts in Active Directory for all the people who will be performing the "sensitive" activities. Make all these user accounts members of the "Sensitive User Accounts" group.

  • Create and link a GPO at the top of the Active Directory called "Restrict Sensitive User Account Logons". In this GPO, head into "Computer Configuration", "Windows Settings", "Local Policies", and "User Rights Assignment". Locate the "Deny logon locally" (and, if you are so inclined and paranoid, the "Deny logon as a service", and "Deny logon as a batch job") setting and add the "DOMAIN\Sensitive User Accounts" group to the setting. (This assumes that you're not using any of these policies presently at lower levels of the AD. In a stock Active Directory in W2K-W2K8 this would be true.)

  • Modify the permissions of the "Restrict Sensitive User Account Logons" GPO by adding the "Sensitive Computer Accounts" group with "Deny / Apply Group Policy" permission.

  • Apply NTFS permissions to the folders where the "Sensitive" files are stored to allow only members of the "Sensitive User Accounts" group access. (This is an exercise left up to the poster...)

This will cause the "Sensitive User Accounts" to be able to log on locally only to the computers that are named in the "Sensitive Computer Accounts" group. In this way you can prevent access to the folders holding the "Sensitive" files, because you'll set the permissions to limit access to these folders only to the "Sensitive User Accounts" (which can only log on to the "Sensitive Computer Accounts" computers.)

Having secondary accounts for users is really, really ugly. Since you want to do something that Microsoft hasn't designed the operating system for, however, you've got to do something ugly to get around the inbuilt limitations.


Another, still potentially ugly but workable solution, would be to host these shared folders with a Samba server. Samba, using the "hosts allow" configuration parameter, does have a mechanism to limit access to shared folders based on both the user's permission and the source computer from which the access is coming. If you're not into having a *nix-based server sitting around (virtually, possibly) though, this alternative does you little good.
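The Group Policy workaround from the answer above, written out as PowerShell. This is an added example, not the answerer's own script or anything the poster ran: it assumes a domain called school.local (NetBIOS name SCHOOL), a room OU at OU=ReportingRoom,OU=Workstations, an OU=Sensitive,OU=Accounts container for the new objects, a share folder at D:\Shares\Reporting, and two faculty accounts named jsmith and mjones; all of those are placeholders. It is meant to be run from a domain-joined admin workstation with the RSAT ActiveDirectory and GroupPolicy modules. Two of the answer's steps (the "Deny log on locally" right and the Deny "Apply group policy" ACE) have no cmdlet and are left as GPMC steps in the comments, because Set-GPPermission can only grant permissions, not write deny entries. The Test-DenyInteractiveLogon function at the end is the check a practitioner would run on a room PC and on an ordinary PC after gpupdate to confirm the deny right landed only where intended.

```powershell
# Added example: the answer's workaround as PowerShell. Names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = 'school.local'                                            # assumption
$NetBios    = 'SCHOOL'                                                  # assumption
$DomainDN   = 'DC=school,DC=local'                                      # assumption
$RoomOU     = 'OU=ReportingRoom,OU=Workstations,DC=school,DC=local'     # assumption: the room's PC OU
$AccountsOU = 'OU=Sensitive,OU=Accounts,DC=school,DC=local'             # assumption: where new objects go
$SharePath  = 'D:\Shares\Reporting'                                     # assumption: folder behind the share
$Faculty    = @('jsmith', 'mjones')                                     # assumption: primary sAMAccountNames
$CompGroup  = 'Sensitive Computer Accounts'
$UserGroup  = 'Sensitive User Accounts'
$GpoName    = 'Restrict Sensitive User Account Logons'

# 1. Computer group: every computer account in the room OU becomes a member.
New-ADGroup -Name $CompGroup -GroupScope Global -GroupCategory Security -Path $AccountsOU
$roomPCs = Get-ADComputer -Filter * -SearchBase $RoomOU
Add-ADGroupMember -Identity $CompGroup -Members $roomPCs

# 2. User group plus one secondary account per faculty member.
#    The "-rep" suffix is an assumed naming convention for the secondary accounts.
New-ADGroup -Name $UserGroup -GroupScope Global -GroupCategory Security -Path $AccountsOU
foreach ($sam in $Faculty) {
    $primary   = Get-ADUser -Identity $sam
    $secondary = "$sam-rep"
    New-ADUser -Name "$($primary.Name) (Reporting)" -SamAccountName $secondary `
        -UserPrincipalName "$secondary@$Domain" -Path $AccountsOU `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $secondary") `
        -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $UserGroup -Members $secondary
}

# 3. The GPO, created and linked at the domain root as the answer describes.
$gpo = New-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $DomainDN -LinkEnabled Yes | Out-Null

# Two settings have no GroupPolicy cmdlet; finish them in GPMC (gpmc.msc) on this GPO:
#   a) Computer Configuration > Windows Settings > Security Settings > Local Policies >
#      User Rights Assignment > "Deny log on locally": add SCHOOL\Sensitive User Accounts.
#   b) Delegation > Advanced: add "Sensitive Computer Accounts" with Deny on
#      "Apply group policy". Set-GPPermission can grant GpoApply but cannot write a Deny ACE.

# 4. NTFS on the share folder: cut inheritance, drop the existing explicit ACEs, and allow
#    only the user group (plus Administrators and SYSTEM). The administrative-staff groups
#    from the poster's existing setup can be appended to $entries the same way.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting; do not copy parent ACEs
foreach ($rule in $acl.Access) {
    if (-not $rule.IsInherited) { $acl.RemoveAccessRule($rule) | Out-Null }
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = "$NetBios\$UserGroup";    Rights = 'Modify' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($e in $entries) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $inherit, $prop, 'Allow')))
}
Set-Acl -Path $SharePath -AclObject $acl

# 5. Verification, run locally on a PC after "gpupdate /force". Returns $true when the
#    group sits in the effective "Deny log on locally" right. Expected: $false on a room PC
#    (the GPO was filtered out), $true everywhere else. Deny rights are not shown by
#    "whoami /priv", so the merged policy is exported with secedit and parsed; secedit
#    writes SIDs, so the group name is translated to its SID first.
function Test-DenyInteractiveLogon {
    param([string]$GroupName = "$NetBios\$UserGroup")
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /mergedpolicy /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    return [bool]($line -match [regex]::Escape($sid))
}

Test-DenyInteractiveLogon
```

Step 4 rebuilds the DACL from scratch rather than editing the existing one, which is the part of the answer left "as an exercise": if any pre-existing Allow ACE for a broad group (Domain Users, Authenticated Users) survives, the whole scheme is bypassed because the faculty's primary accounts still read and write the files from anywhere. Step 5 exists because the answer's GPO is linked at the domain root and filtered by a deny ACE; checking from both a room PC and an ordinary PC is the only way to be sure the filter, and not some lower-level GPO, decided the outcome.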