Restricting Access to Shares by Machine as well as User?

humbletech99

Programmer
Nov 22, 2005
155
GB
I have Windows 2003 servers in an Active Directory 2003 domain, on which I currently restrict access to shares by group memberships. I want to know if it is also possible to restrict access to shares such that an authorized user can only access the share from a designated machine as well.

My first thought was firewalling but the servers each have multiple shares so I have to let most hosts access the server by TCP/IP and firewall rules are not an option.

Although the users are currently restricted by their group memberships, it would be nice to also say that user X can only access this share when authenticated from machineY.

Can this be done in standard M$ NTFS/share permissions using AD?
 
Do you have your machines broken out into OUs? You could accomplish it that way, permitting machines in a specific OU permission to map that share.

Group Policy is also another possibility, to limit the share from being seen except from within a specific OU group policy.

"I'm certifiable, not certified. It just means my answers are from experience...not a book"
 
How can you limit a share from being seen except by users of a certain OU? I have never seen that done.
 
I use the OUs for organizational purposes and have group memberships which certain metro area workstations are members of, so a west coast workstation will not be allowed to map a share on an east coast server even if the user is allowed to map it.

"I'm certifiable, not certified. It just means my answers are from experience...not a book"
 
Does that not mean that any user sitting at one of the metro area workstations will be able to access the share?

I do not want authentication by workstation; I want authentication by user, but limited to being authorized when on the correct workstations, to add an extra layer. In case an account is compromised, you'd still have to be at one of the right workstations to access the data...
 