LaboEdu Posted June 6, 2007

Hello,

We are using on desktops WinXP (SP2) with the most recent updates available, all part of the same Active Directory Forest/Domain, and are trying to give access to a share resource on a member server for specific Computer object or a group (Local or Global or Universal) of Computer objects, but have been unable. When we include User objects in the same group(s), it does grant access with no problems.

Thanks in advance.

Colonel Posted June 9, 2007

From what I understand, you want to grant <everyone> access to <some shared resource>, but only originating from <a workstation> in <a group of workstations>. As far as I know, this is not possible using security groups and computer objects. When you grant permission to a computer object, you are actually granting the permission to 'Domain\HostName$', aka the Local System account for that machine, not the logged on user.

I can't think of an easy way to do this, but I'll let you know if I come up with anything.

cluberti Posted June 9, 2007

"We are using on desktops WinXP (SP2) with the most recent updates available, all part of the same Active Directory Forest/Domain, and are trying to give access to a share resource on a member server for specific Computer object or a group (Local or Global or Universal) of Computer objects, but have been unable. When we include User objects in the same group(s), it does grant access with no problems."

Giving a local computer account access only affects the LocalSystem account on the machine, not the logged-on user (they're two different tokens) - so unless you're accessing resources on behalf of the LocalSystem account (and from inference of the question you're asking, you aren't), it won't do what you want it to do.

You either assign a user permissions to a resource, or you don't. There aren't any conditional settings, either they have access or they do not.

The real question is why you want to do this in the first place, because there may be a way to do what you want, if we know what it is you're really after.
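
Added example, not part of any post in this thread: a simplified Python model of the ordered ACL check a file server performs, showing why an ACL that names only a computer group matches the machine account's token but not the token of a user logged on at that machine. The domain, account and group names, the SID labels and the access masks are all constructed for illustration.

```python
# Simplified model of the Windows DACL access check. Added example: every
# name, SID label and access mask below is constructed for illustration.
from collections import namedtuple

READ, WRITE = 0x1, 0x2
Ace = namedtuple("Ace", "kind sid mask")   # kind is "allow" or "deny"

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order: a matching deny ACE covering a still-needed
    right fails at once; matching allow ACEs accumulate rights."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                  # trustee is not in the caller's token
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                      # nothing granted it: implicit deny

LAB_PCS = "G:LabWorkstations"         # group holding the computer objects

# Token of user alice logged on at workstation WS01: her SID and her
# groups. The workstation's account and its groups are not part of it.
ALICE = frozenset({"U:alice", "G:Domain Users", "G:Authenticated Users"})
# Token the server builds when WS01's LocalSystem connects as EXAMPLE\WS01$.
WS01_SYSTEM = frozenset({"C:WS01$", "G:Domain Computers", LAB_PCS,
                         "G:Authenticated Users"})
# alice after her user object is added to the same group, as in the question.
ALICE_IN_GROUP = ALICE | {LAB_PCS}

# Share ACL as in the question: the computer group is the only trustee.
COMPUTERS_ONLY = [Ace("allow", LAB_PCS, READ | WRITE)]

if __name__ == "__main__":
    cases = [("alice at WS01", ALICE),
             ("WS01$ (LocalSystem)", WS01_SYSTEM),
             ("alice, added to the group", ALICE_IN_GROUP)]
    for label, token in cases:
        ok = access_check(token, COMPUTERS_ONLY, READ)
        print(f"{label}: {'granted' if ok else 'denied'}")
```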