you could ensure that your folks on the LAN authenticate via Kerberos, and the remote users are forced to use NTLM => this would then allow you to set ACLs based on the protocol used to authenticate (i.e. deny access to users authenticating via NTLM - possible with Win2003)
/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, November 22, 2004 9:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Controlling access to AD based on the network technology used

Can you give some more information about the proposed solution? For example, should a VPN user only have access to certain applications? Should it be different access in the same applications? Information like that would be useful here.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Monday, November 22, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Controlling access to AD based on the network technology used

Any ideas on how to control access to data based on the network technology that is used to access AD, i.e. if the user is on the LAN versus when she is accessing the directory via VPN/dial-up or Web? She should have a different level/authority to view and modify data stored in the AD when attached to the LAN. I can't really think of anything else but establishing different forests/ADAMs and synchronizing the content. Alternatively, the control and different view of data should be programmed into a web application.

Mika
---
http://www.kouti.com

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
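The ACL half of Guido's suggestion, as an added example that is not part of the thread: on Windows Server 2003 and later, a session that authenticated with NTLM carries the well-known SID S-1-5-64-10 ("NTLM Authentication") in its access token, while a Kerberos session does not, so a Deny ACE for that SID refuses NTLM-authenticated callers and lets Kerberos callers fall through to the ordinary ACEs. The script below adds such a Deny ACE to a folder; the folder path is a placeholder, and the functions are illustrative names, not anything the list or Microsoft ships.

```powershell
# Added example, not from the thread. Assumes Windows Server 2003 or later,
# where S-1-5-64-10 ("NT AUTHORITY\NTLM Authentication") is a well-known SID
# that the LSA places in the token of every NTLM-authenticated logon.
# $Path is a placeholder: point it at the share/folder holding the LAN-only data.
param(
    [string]$Path = 'D:\LanOnlyData'   # placeholder path, change before use
)

$NtlmSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-64-10'

# Returns the Deny ACEs on $Target that name the given SID (empty if none).
function Get-DenyAceForSid {
    param([string]$Target, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path $Target
    # Ask for rules with SID identities so the comparison does not depend on
    # name translation of the well-known account.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid -and $_.AccessControlType -eq 'Deny' }
}

# Adds an inheritable FullControl Deny ACE for $Sid. Idempotent: returns $false
# if an equivalent Deny ACE is already present, $true if one was added.
function Add-NtlmDenyAce {
    param([string]$Target, [System.Security.Principal.SecurityIdentifier]$Sid)

    if (Get-DenyAceForSid -Target $Target -Sid $Sid) { return $false }

    $acl  = Get-Acl -Path $Target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $true
}

if (Add-NtlmDenyAce -Target $Path -Sid $NtlmSid) {
    Write-Output "Added NTLM Deny ACE on $Path"
} else {
    Write-Output "NTLM Deny ACE already present on $Path"
}

# Show the resulting ACE; NT AUTHORITY\NTLM Authentication should appear as Deny.
Get-DenyAceForSid -Target $Path -Sid $NtlmSid |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags
```

The ACE acts on whichever protocol the logon actually used, not on where the client sits: a LAN client that silently falls back to NTLM (no SPN, IP address instead of hostname, clock skew) is denied just like a VPN user, and a VPN client that can reach a DC will often get Kerberos and pass. Confirm the protocol mix with logon events (event 4624, "Authentication Package") on a test folder before rolling this out, and keep a Kerberos-only admin path so the Deny ACE cannot lock out the operator who applied it.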