Well, one way to accomplish it would be to use IPSEC in require mode and define a rule that only that workstation could contact it, as well as any other systems you want to admin it from. You could specify ESP Null so that you do not have the encryption overhead and simply use IPSEC for authorization. I would suggest looking at the following White Papers:
 
MSIT Security: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx (Look at the section on Source Code Server Segmentation as well as the table titled Data Class vs. Security Control Examples)
 
In a nutshell Microsoft secures its source code servers in the manner that you describe below using IPSEC.
 
Thanks,
 
-Steve
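
As an added illustration (not part of the original message and not Microsoft's own configuration), the approach described above could be expressed on the file server with the NetSecurity PowerShell cmdlets that ship with later Windows Server releases. The group name `CONTOSO\SourceServerClients`, the rule display names and the choice of TCP 445 (SMB) are assumptions.

```powershell
# Added example. Assumptions: run elevated on the file server; the domain group
# CONTOSO\SourceServerClients (hypothetical) contains the computer accounts of the
# one workstation and the admin hosts that are allowed to reach the share.
$group = 'CONTOSO\SourceServerClients'

# Main mode: peers authenticate with their computer account via Kerberos.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos (example)' `
    -Proposal $authProposal

# Quick mode: ESP with integrity only and no encryption (ESP null),
# so IPsec is used for authentication/authorization without cipher overhead.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP null (example)' `
    -Proposal $qmProposal

# "Require mode": inbound SMB must be IPsec-protected or it is dropped.
New-NetIPsecRule -DisplayName 'Require IPsec for inbound SMB (example)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Authorization: only computers in the group may connect. The firewall rule
# takes the allowed computers as an SDDL string built from the group's SID.
$sid = ([System.Security.Principal.NTAccount]$group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'SMB from authorized computers (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -Authentication Required -RemoteMachine "D:(A;;CC;;;$sid)"
```

Other inbound allow rules for TCP 445, such as the built-in File and Printer Sharing rules, need to be disabled or restricted the same way; otherwise any domain computer that completes IPsec authentication is still admitted.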


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, March 01, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricting a drive mapping to only from specific systems ( Limiting a computer account to specific workstations )

Hi Everyone,

I have another requirement and I am not sure how I can do this. One of our Systems Engineers needs to restrict a user account from mapping a drive from any other system in the domain than from the system that we allow it to be logged in on.

In other words, he does not want a user logged in with his or her AD Account, then mapping a drive to the shared resource with the restricted account.

Is this possible?

Sincerely,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

 

It seems that there is an upper limit of 1024 characters even in AD2K3 using ADUC.

http://msdn.microsoft.com/library/default.asp?url=

But, I am told that you can use adsiedit to edit "userWorkstations" value to add more than 63 machines, though it is not Microsoft supported.

 

 

On 2/27/06, Medeiros, Jose <[EMAIL PROTECTED]> wrote:

> Greetings,
>
> I have a quick question. I have a requirement to limit a single account to
> logon to only specific systems (About 120). Although I have not tried this,
> one of our Systems Administrators stated that he was limited to adding only
> about 30. Does anyone know if there is a workaround? Has this number been
> increased in Active Directory 2003?
>
> Sincerely,
>
> Jose Medeiros
> MCP+I, MCSE, NT4 MCT
> 408-765-0437 Direct
> 408-449-6621 Cell

 
