Re: Student workers & shared drive restrictions

[Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>]

Couple ways I can think of to do it:

--> Have you logon script check the group membership of the computer account
and then do the mappings based on that. Put computers in security groups
based on office/department/etc.

--> You can do all sorts of creative filtering with Group Policy Preferences
and you can use that (GPP) to do the drive mapping.

Thanks,
Brian Desmond
brian.desmond () morantechnology com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bazeley, Joseph E.
Sent: Monday, June 01, 2009 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Student workers & shared drive restrictions

We're migrating to Active Directory, and I'm looking to use this as an
opportunity to remove generic student worker accounts.  Previously, each
office would have their own shared student worker account (i.e.,
Bursar_Student_Worker), which all student workers in that area would use to
login with.  I want to have each student login with their regular AD
credentials, but when and only when they are using computers in that
department will they have access to the department's shared drive.  If they
login from a non-department computer, they are unable to access that share.

Anyone have a way to configure accounts in AD so that the following happens?

User 1 (student worker) logs in to Computer A (dept computer) and gets
access to drive Q: (dept share)
User 1 logs in to Computer B (non-dept computer) and is unable to access
drive Q: (including if they try to manually map the drive)

Joe Bazeley
Information Security Officer
Miami University
Hoyt Hall 314
513-529-9252