Nightcrawler
Technical User
Hiya,
I have Cisco 6006 Cores and want to lock a VLAN down - however, I still want the PCs to be able to log on to certain shares and the domain. I have done some reading but can't find a definitive answer - which I find surprising considering most people must be using NT4 and above.
This is what I'm trying to do: I have the domain server, say, on 10.0.0.0 and my computer, say, on 10.0.1.0, but I want to lock this VLAN right the way down so it can authenticate but not much else. (There will be a few other ports for services, but in general.)
I tried this access-list but don't seem to get any joy:
permit udp any eq netbios-ns 10.0.0.0 0.0.0.255 eq netbios-ns (219 matches)
permit udp any eq netbios-dgm 10.0.0.0 0.0.0.255 eq netbios-dgm (13 matches)
permit tcp any gt 1023 10.0.0.0 0.0.0.255 eq 139 (20 matches)
permit udp 10.0.0.0 0.0.0.255 eq netbios-dgm any eq netbios-dgm (13 matches)
permit udp 10.0.0.0 0.0.0.255 eq netbios-ns any eq netbios-ns (107 matches)
permit tcp 10.0.0.0 0.0.0.255 eq 139 any eq 139
permit tcp any eq 42 10.0.0.0 0.0.0.255 eq 42
deny ip any any (1727 matches)
As you can see I'm getting hits but still can't auth or join the domain. Any ideas? Has anyone managed to do this? What's the tightest option?
Thanks for any help
Ed
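An added example, not from the post: a small Python model of the access-list exactly as listed, with Cisco first-match semantics and the trailing deny, run over one client-to-server TCP/139 session (constructed addresses 10.0.1.20 and 10.0.0.5; it is assumed the ACL sees both directions of traffic). It shows the client's connection to port 139 being permitted by the "gt 1023 ... eq 139" line while the server's reply from port 139 to the client's ephemeral port matches only the final deny, which is consistent with the counters shown (20 matches on that line, none on the "eq 139 any eq 139" line).

```python
import ipaddress

# Constructed transcription of the posted ACL (match counters dropped).
# Entry = (action, protocol, src net, src port spec, dst net, dst port spec);
# a port spec is None (any port), ("eq", port) or ("gt", port).
ACL = [
    ("permit", "udp", "any", ("eq", 137), "10.0.0.0 0.0.0.255", ("eq", 137)),  # netbios-ns
    ("permit", "udp", "any", ("eq", 138), "10.0.0.0 0.0.0.255", ("eq", 138)),  # netbios-dgm
    ("permit", "tcp", "any", ("gt", 1023), "10.0.0.0 0.0.0.255", ("eq", 139)),
    ("permit", "udp", "10.0.0.0 0.0.0.255", ("eq", 138), "any", ("eq", 138)),
    ("permit", "udp", "10.0.0.0 0.0.0.255", ("eq", 137), "any", ("eq", 137)),
    ("permit", "tcp", "10.0.0.0 0.0.0.255", ("eq", 139), "any", ("eq", 139)),
    ("permit", "tcp", "any", ("eq", 42), "10.0.0.0 0.0.0.255", ("eq", 42)),
    ("deny", "ip", "any", None, "any", None),
]

def in_net(ip, net):
    """Match an address against 'any' or 'addr wildcard' (Cisco wildcard mask)."""
    if net == "any":
        return True
    addr, wildcard = net.split()
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard -> netmask
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)

def port_ok(spec, port):
    """Apply an 'eq'/'gt' port test; None means any port."""
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value

def evaluate(proto, src, sport, dst, dport):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for action, p, snet, sp, dnet, dp in ACL:
        if p in ("ip", proto) and in_net(src, snet) and port_ok(sp, sport) \
                and in_net(dst, dnet) and port_ok(dp, dport):
            return action
    return "deny"

def smb_session(client, server, ephemeral=1025):
    """Both directions of one TCP/139 session, as the ACL would see them."""
    return {
        "client->server SYN": evaluate("tcp", client, ephemeral, server, 139),
        "server->client SYN/ACK": evaluate("tcp", server, 139, client, ephemeral),
    }

if __name__ == "__main__":
    for flow, verdict in smb_session("10.0.1.20", "10.0.0.5").items():
        print(f"{flow}: {verdict}")
```

The same check applied to the other lines shows the UDP 137/138 entries pass both directions because NetBIOS name and datagram traffic uses the same port on both ends, which is why those counters climb while the TCP session never completes.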