Segregate Workgroup PCs from Domain PCs

 
 
Jim

 
      12-26-2005, 06:01 PM
I work in a company full of knowledgeable users with imaging tools (test
engineering) that often try to use their workgroup PC as their
production PC. Each user has a domain username/password. Is there any
way to restrict a workgroup PC from accessing domain shares? I was
thinking if there was a way to set up a different DHCP scope for
workgroup PCs I could just not set up DNS which would hide network
resources but I'm not sure that is possible. Another option was to
set up network share permissions using computer accounts (Domain
Computers) instead of users but that doesn't seem to work either. Any
ideas?

 
 
 
 
 
Miha Pihler [MVP]

 
      12-26-2005, 07:10 PM
Hi Jim,

If you don't mind me asking -- what is your main reason for wanting to
prevent users from accessing shares from a non-domain-joined computer? What
are you trying to protect or do with this?

If you are really serious about this then a DHCP scope is not really a good
solution. There is no easy (and secure) way to separate scopes for
domain-joined and non-domain-joined computers. Same goes for DNS. You mentioned
that users are knowledgeable, and once they figure it out they will set DNS
manually on their non-domain-joined PCs or use IP addresses to access the
shares.

Still, there are a few options:
- personally I would probably go with the policy "Access this computer from the
network". Here you could use a new group that has all domain computer
accounts in it. Since non-domain computers would not be part of this
group -- they would get "Access Denied". Now this can present some
administrative overhead since you have to keep your group up-to-date with
any new computers added to the domain or they will not be able to access the
server and shares.
- another option would be to use an IPSec policy to only allow domain members
to communicate among themselves -- leave out any other PC that is not a member
of the domain.

Here are some articles you can check out on the subject.

Access this computer from the network
http://www.microsoft.com/technet/pro...115c066bf.mspx

Server and Domain Isolation Using IPsec and Group Policy
http://www.microsoft.com/downloads/d...displaylang=en

Feel free to post back if you have any further questions.

--
Mike
Microsoft MVP - Windows Security
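The group upkeep described in the reply above, as an added example that is not part of the original thread: a script that reconciles a security group with the enabled computer accounts under one OU, so the group named in the "Access this computer from the network" setting does not drift as machines are joined or retired. The OU path and group name are placeholders, and it assumes the ActiveDirectory PowerShell module on a domain-joined admin host.

```powershell
# Added example: keep a security group in step with the computer accounts in one OU.
# $SearchBase and $GroupName at the bottom are placeholders, not values from the thread.
Import-Module ActiveDirectory

function Sync-ComputerGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$GroupName
    )

    # Enabled computer accounts under the OU: the desired membership.
    $wanted = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree)
    # Computer accounts that are direct members of the group today.
    $current = @(Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq 'computer' })

    $wantedDn  = @($wanted  | ForEach-Object { $_.DistinguishedName })
    $currentDn = @($current | ForEach-Object { $_.DistinguishedName })
    $toAdd     = @($wanted  | Where-Object { $currentDn -notcontains $_.DistinguishedName })
    $toRemove  = @($current | Where-Object { $wantedDn  -notcontains $_.DistinguishedName })

    foreach ($c in $toAdd) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $c
        }
    }
    # Disabled, moved or deleted machines drop out of the group.
    foreach ($c in $toRemove) {
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $c -Confirm:$false
        }
    }

    # Summary of the drift found (planned changes when run with -WhatIf).
    [pscustomobject]@{ ToAdd = $toAdd.Count; ToRemove = $toRemove.Count; InOU = $wanted.Count }
}

$SearchBase = 'OU=Example Computers,DC=example,DC=com'   # placeholder OU
$GroupName  = 'Allowed-Network-Logon-Computers'          # hypothetical group name
# -WhatIf lists the changes without making them; drop it to apply.
Sync-ComputerGroup -SearchBase $SearchBase -GroupName $GroupName -WhatIf
```

Run on a schedule, this removes the manual step the reply warns about; a newly joined machine stays locked out only until the next run and its next restart, when its group membership is refreshed.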
 
Jim

 
      12-26-2005, 09:01 PM
hmmm....the first option actually looks like a winner. We already move
accounts out of the computers OU into a <Company Name> Computers OU so
this extra step of adding a group membership wouldn't be too tough.

To answer your question, the reason we want to do this is to restore
some order. This company creates hardware for Windows to run on.
Because of it we have a ton of engineers that image the product with a
base build of Windows with Office and are fine just running that off
the network using their domain username/password. Because of that we
have a ton of devices with no antivirus, licensing issues, etc. If we
lock them out of the network it will encourage the employee to request
official employee images from IT.

 
 
Miha Pihler [MVP]

 
      12-27-2005, 05:45 PM
Hi Jim,

What I did for some of my customers in such situations is also limit access
to the internet to only computers that were domain joined.

In a few of these cases, we used ISA server to authenticate users requesting
access to the internet (e.g. access to website) and we added some additional
policies (e.g. IPSec policies).

--
Mike
Microsoft MVP - Windows Security