Just controlling access to data in AD? What was the purpose? I mean, a normal user account has read access to much, so reducing that has what benefit vs. that of a laptop user? I'm just trying to understand the requirement and where you're coming from to get here.

Regardless, is the requirement to limit only access to AD information, or is it to resources on the network? Both? What I'm after is a solid requirements definition. I think we can all potshoot at this all day and come up with plenty of good ideas for certain situations, but it seems that there may be a particular problem that you're trying to solve that led you here. It would be helpful to know what that problem is for background information. To date we know that you want to differentiate access to information for LAN-based users vs. dial-up/VPN (let's call them remote access users). What I can't tell is why, or what would be a suitable solution to the problem. I do know that some have solved this with quarantine networks, others with different protocol access, firewalls, etc. Which one works for you is to be determined, if there is one of course.

The problem I see is that this is an authenticated user. As such, the ACLs etc. won't care (minus Guido's suggestions of using different auth protocols) because that user is that user and should have access to the things that user normally has access to according to the current authentication mechanism. That indicates that you may want to control this another way. But if you want to control what they can see in the AD based on network connectivity, I think we need to know more about the requirements.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Monday, November 22, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Controlling access to AD based on the network technology used

Actually we were discussing just access to data stored in Active Directory. Well-known security principals Interactive and Network are of not much use in this scenario.

Mika

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 22 November 2004 22:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Controlling access to AD based on the network technology used

Can you give some more information about the proposed solution? For example, should a VPN user only have access to certain applications? Should it be different access in the same applications? Information like that would be useful here.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Monday, November 22, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Controlling access to AD based on the network technology used

Any ideas on how to control access to data based on the network technology that is used to access AD? I.e. if the user is on the LAN versus when she is accessing the directory via VPN/dial-up or Web. She should have a different level/authority to view and modify data stored in the AD when being attached to the LAN. I can't really think of anything else but establishing different forests/ADAMs and synchronizing the content. Alternatively, the control and different view of data should be programmed into a web application.

Mika

---
http://www.kouti.com

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
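Of the two options Mika lists, the second (putting the zone-dependent view and write control into a web application in front of AD) is the one that does not fight the point Al makes: the directory itself sees an authenticated user and its ACLs have no notion of LAN vs. VPN, so the network-origin decision has to live in a tier that does see the client's address. The following is an added example of that tier, not code from the thread or from any product discussed in it. The subnets, zone names, attribute names and the sample entry are all constructed for illustration; the LDAP lookup that would fetch the entry under the application's own service account is deliberately left out, the example operates on a record already fetched.

```python
import ipaddress

# Assumed address plan, constructed for this example: LAN ranges and the
# VPN/dial-up pool.  Anything outside both is treated as "web", the least
# trusted zone.
ZONES = {
    "lan": [ipaddress.ip_network("10.10.0.0/16"),
            ipaddress.ip_network("192.168.5.0/24")],
    "vpn": [ipaddress.ip_network("172.16.100.0/22")],
}

# Per-zone policy: attributes the caller may read, and the subset it may
# write.  Attribute names are assumed for the example; the point is that
# the policy is keyed by network zone, not by who the user is.
POLICY = {
    "lan": {"read": {"cn", "mail", "telephoneNumber", "department",
                     "manager", "employeeID"},
            "write": {"telephoneNumber", "department"}},
    "vpn": {"read": {"cn", "mail", "telephoneNumber", "department"},
            "write": {"telephoneNumber"}},
    "web": {"read": {"cn", "mail"},
            "write": set()},
}


def classify(client_ip: str) -> str:
    """Map the caller's address to a zone.

    Feed this the TCP peer address (or a header set by a reverse proxy you
    control).  A client-supplied header such as X-Forwarded-For is
    forgeable and would let a web caller claim to be on the LAN.
    """
    addr = ipaddress.ip_address(client_ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "web"


def view(entry: dict, client_ip: str) -> dict:
    """Return only the attributes the caller's zone is allowed to read.

    `entry` is the full record already fetched from AD by the application's
    own service account; the LDAP lookup itself is out of scope here.
    """
    allowed = POLICY[classify(client_ip)]["read"]
    return {name: value for name, value in entry.items() if name in allowed}


def can_modify(attr: str, client_ip: str) -> bool:
    """True if the caller's zone may write this attribute."""
    return attr in POLICY[classify(client_ip)]["write"]


def apply_change(entry: dict, attr: str, value, client_ip: str) -> dict:
    """Return a copy of `entry` with `attr` changed, or raise if the zone
    does not permit writing it.  Deny by default: an attribute missing from
    the zone's write set is never writable, whatever the user's AD rights."""
    if not can_modify(attr, client_ip):
        raise PermissionError(
            f"{attr} is read-only from zone {classify(client_ip)!r}")
    updated = dict(entry)
    updated[attr] = value
    return updated


# Constructed sample entry; not real directory data.
SAMPLE = {
    "cn": "J. Doe",
    "mail": "jdoe@example.com",
    "telephoneNumber": "+358 9 555 0100",
    "department": "Engineering",
    "manager": "CN=A. Manager,OU=Users,DC=example,DC=com",
    "employeeID": "E1234",
}

if __name__ == "__main__":
    for ip in ("10.10.4.7", "172.16.101.9", "203.0.113.5"):
        print(ip, classify(ip), sorted(view(SAMPLE, ip)))
    changed = apply_change(SAMPLE, "telephoneNumber", "+358 9 555 0199",
                           "172.16.101.9")
    print("vpn phone update ok:", changed["telephoneNumber"])
    try:
        apply_change(SAMPLE, "department", "Sales", "203.0.113.5")
    except PermissionError as exc:
        print("denied:", exc)
```

Two things to keep in mind if you build this for real. The application's service account is what binds to AD, so it holds the union of every zone's rights; the directory ACL no longer protects the data from this application, and the policy table above becomes the control you have to get right. And the zone decision is only as good as the address it is given: terminate the VPN and the web front end on addresses you control, and never derive the zone from anything the client can set.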
