AFAIK a Windows 2000+ OS will not connect to the domain using NTLM again
after it has found an AD DC. However, there's some fallback after the client
receives the netlogon_ex response - this is after ~15 minutes (which you
usually won't want to wait).
Using different authentication protocols will only work if the remote client
never logs on locally, to prevent this behavior.

Another suggestion: might it work to modify a DL group in the logon script
of the users? Add the user if it's connecting remotely (make sure it's not in
there if logging on in the network), and deny rights on the AD attributes
for that group? Just a guess.

Greetings - Sincerely,
 
Ulf B. Simon-Weidner
 
  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz 
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org  
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Grillenmeier, Guido
> Sent: Monday, November 22, 2004 9:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Controlling access to AD based on 
> the network technology used
> 
> you could ensure that your folks on the LAN authenticate via 
> Kerberos, and the remote users are forced to use NTLM => this 
> would then allow you to set ACLs based on the protocol used 
> to authenticate (i.e. deny access to users authenticating via 
> NTLM - possible with Win2003)
> 
> /Guido 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Monday, November 22, 2004 9:02 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Controlling access to AD based on 
> the network technology used
> 
> Can you give some more information about the proposed solution?
> 
> For example, should a VPN user only have access to certain 
> applications?
> Should it be different access in the same applications?  
> Information like that would be useful here.
> 
> Al 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mika 
> Seitsonen
> Sent: Monday, November 22, 2004 2:51 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Controlling access to AD based on the 
> network technology used
> 
> Any ideas on how to control access to data based on network 
> technology that is used to access AD. I.e. if the user is on 
> the LAN versus when she is accessing the directory via 
> VPN/dial-up or Web. She should have different level/authority 
> to view and modify data stored in the AD when being attached 
> to the LAN. 
> 
> I can't really think of anything else but establishing 
> different forests/ADAMs and synchronizing the content. 
> Alternatively, the control and different view of data should 
> be programmed into a web application.
> 
> Mika
> 
> ---
> 
> http://www.kouti.com
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

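The protocol-based ACL Guido describes can be expressed against the well-known "NTLM Authentication" SID (S-1-5-64-10), which Windows Server 2003 and later place in the token of any session that authenticated with NTLM rather than Kerberos. The PowerShell below is an added example, not code from anyone in this thread; the OU path, the choice of denying only WriteProperty (reduced authority rather than no access), and the dry-run-unless-Commit behaviour are assumptions made for the example.

```powershell
# Added example (not from the thread): audit and apply a Deny ACE for the
# well-known "NTLM Authentication" SID so that NTLM-authenticated sessions
# cannot modify objects under an OU while Kerberos sessions keep their rights.
# Requires Windows Server 2003 or later DCs. OU path and rights are assumptions.

$NtlmAuthSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-64-10'
$TargetOu    = 'LDAP://OU=Sensitive,DC=example,DC=com'   # assumed target OU

function Get-ProtocolAces {
    # Lists existing ACEs that reference the authentication-protocol SIDs
    # (S-1-5-64-10 NTLM, S-1-5-64-14 SChannel, S-1-5-64-21 Digest), so you
    # can see what is already in place before adding anything.
    param([string]$Path)
    $obj = [ADSI]$Path
    $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -like 'S-1-5-64-*' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

function Add-DenyNtlmWrite {
    # Adds "Deny WriteProperty" for NTLM-authenticated sessions, inherited by
    # all child objects. Read access is left untouched. The change is only
    # written back to the directory when -Commit is given (dry run otherwise).
    param([string]$Path, [switch]$Commit)
    $obj = [ADSI]$Path
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $NtlmAuthSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $obj.ObjectSecurity.AddAccessRule($ace)
    if ($Commit) { $obj.CommitChanges() }
    return $ace
}

Get-ProtocolAces -Path $TargetOu | Format-Table -AutoSize
Add-DenyNtlmWrite -Path $TargetOu | Format-List   # add -Commit to apply
```

A Deny ACE on this SID hits every NTLM session, including LAN clients that fall back to NTLM (the behaviour Ulf mentions) and older services that never use Kerberos, so audit the existing ACEs and NTLM usage before committing.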