On Fri, 2007-12-14 at 19:55 +0000, Net Warrior wrote:
> Good, but how do I tell that this user can log in on this Windows machine and
> not on this other one? I need a way to check
> both the user who's logging in against my PDC and the IP of the machine
> he's trying to log in to the domain from. Isn't deny-host a more global way to tell
> that this host can access my machine?
>
Yes.
To do what you're after, I think you could do it with a carefully
subnetted LAN (i.e. each department has a distinct LAN segment, not
necessarily an actual subnet but a block of IPs that are predictably
assigned via dhcp pools).
Then using dynamically generated login scripts, you could cross
reference the users' group membership with the IP pool that they're
logging in from, and attempt to write in some nastiness that disables
users from one group logging into the IP space of another group.
This is actually an interesting idea in a way although if your directory
ACLs and permissions are set up correctly and you're using the Samba
server for storing everything, why worry if user "A" from accounting
logs into user "B"'s pc in marketing? They won't be able to access
anything they couldn't from their own computer, right?
Rubin
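
The group-to-IP-pool cross-reference described in the reply above, sketched as an added example (not code from the original thread or from Samba). The group names, address blocks, and the way the script is invoked are assumptions made for illustration.

```python
"""Added example: map department groups to DHCP address blocks and decide
whether a user may log on from a given client IP. All names and ranges
below are constructed for illustration."""
import ipaddress
import sys

# Constructed policy: each department group owns one block of DHCP-assigned IPs.
GROUP_POOLS = {
    "accounting": ["192.168.10.0/26"],
    "marketing": ["192.168.10.64/26"],
    "it-admins": ["192.168.10.0/24"],  # may log on anywhere on the LAN
}


def allowed_groups_for_ip(client_ip, pools=GROUP_POOLS):
    """Return the sorted group names whose address blocks contain client_ip."""
    addr = ipaddress.ip_address(client_ip)
    return sorted(
        group for group, blocks in pools.items()
        if any(addr in ipaddress.ip_network(b) for b in blocks)
    )


def may_log_on(user_groups, client_ip, pools=GROUP_POOLS):
    """True if any of the user's groups owns the block client_ip falls in.

    Fails closed: a malformed address or an IP outside every pool is denied.
    """
    try:
        owners = allowed_groups_for_ip(client_ip, pools)
    except ValueError:
        return False
    return bool(set(user_groups) & set(owners))


if __name__ == "__main__":
    # Hypothetical invocation: pool_check.py <client-ip> <group> [<group> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: pool_check.py <client-ip> <group> [<group> ...]")
    ok = may_log_on(sys.argv[2:], sys.argv[1])
    print("ALLOW" if ok else "DENY")
    sys.exit(0 if ok else 1)
```

The exit status (0 for allow, 1 for deny) lets a generated login script or other wrapper branch on the result.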