Security Based on NT Groups

[Ray at]

You can disable anonymous access to the site so the users have to log in
(can be automatic in an intranet environment so users don't have to enter
passwords and things), and then control the security on your files and
directories using NTFS permissions.

Ray at work

"MCL" <mcl@mcl.com> wrote in message
news:vil2u6s9nt5p6c@corp.supernews.com...

> I am developing a new page for our Intranet and the requesting department
> has asked that a certain page only be accessible to those associates that
> are part of their department...
>
> I don't want to develop a custom list or database because I don't want to
> have to update it everytime somebody gets hired or fired or transferred...
>
> So, is there a way that I can get what NT Group a person is in based on
> their NT Login and then grant them permission if they re only part of a
> certain group...
>
> I understand the logic behind it, but I am just wondering if it is
> technically possible, and if so how...
>
> Thank you very much,
> Mark
>
>

[MCL]

Cool... That is what I thought... However, our server administrator seems to
think that disabling anonymous access might or might not be a bad thing...
Could you please expand on the concept of turning this on or off and maybe
what advantages and disadvantage would result from it... Is the "automatic"
log in (after anonymous access has been disabled) an IIS thing or an ASP
thing... I am assuming IIS...

Thank you very much,
Mark

"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
news:OcAWOWEWDHA.2252@TK2MSFTNGP10.phx.gbl...

> You can disable anonymous access to the site so the users have to log in
> (can be automatic in an intranet environment so users don't have to enter
> passwords and things), and then control the security on your files and
> directories using NTFS permissions.
>
> Ray at work
>
> "MCL" <mcl@mcl.com> wrote in message
> news:vil2u6s9nt5p6c@corp.supernews.com...

> > I am developing a new page for our Intranet and the requesting

department

> > has asked that a certain page only be accessible to those associates

that

> > are part of their department...
> >
> > I don't want to develop a custom list or database because I don't want

to

> > have to update it everytime somebody gets hired or fired or

transferred...

> >
> > So, is there a way that I can get what NT Group a person is in based on
> > their NT Login and then grant them permission if they re only part of a
> > certain group...
> >
> > I understand the logic behind it, but I am just wondering if it is
> > technically possible, and if so how...
> >
> > Thank you very much,
> > Mark
> >
> >

>
>

[Ray at]

Hi Mark,

I have the "admin" section of my intranet set with anonymous access
disabled. But I do not control access with NTFS permissions. I have it so
\Everyone has access to the section, and access to the sections within my
admin system is controlled by data from a SQL Server database. This way, in
each section, users of the system who do not have any access to the file
system on the server can control what others can access. And also, if
someone tries to access a page for which he has no access, he will not get a
401. Instead, I have it set to return a list of authorized users for that
system who have access to allow other people in, and present that
information to the unauthorized user. I find that to be the best.

The one thing about this method is that if you want to control access based
on group membership, it gets more intensive, as you have to cross reference
ldap information with what you have setup in your database. The need for me
to setup a section by group membership has not yet come up, but I'm sure it
will some time.

So, I guess what I'm saying is that the easy way to do it, is to control
with NTFS. The drawback to that is that someone with file system access to
the server has to manage permissions, although you could probably delegate
that right to people in an AD domain.

As far as the logon, IE will send your network login credentials to a
webserver that returns a 401, if the site is in the intranet zone, i.e.
[url]http://urlWithoutAnyDotsInTheName[/url]. So, the logon is invisible to my users,
and each user just clicks the "admin" link and sees whatever he's authorized
to.

Ray at work


"MCL" <mcl@mcl.com> wrote in message
news:vil6la946s7936@corp.supernews.com...

> Cool... That is what I thought... However, our server administrator seems

to

> think that disabling anonymous access might or might not be a bad thing...
> Could you please expand on the concept of turning this on or off and maybe
> what advantages and disadvantage would result from it... Is the

"automatic"

> log in (after anonymous access has been disabled) an IIS thing or an ASP
> thing... I am assuming IIS...
>
> Thank you very much,
> Mark
>
> "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
> news:OcAWOWEWDHA.2252@TK2MSFTNGP10.phx.gbl...

> > You can disable anonymous access to the site so the users have to log in
> > (can be automatic in an intranet environment so users don't have to

enter

> > passwords and things), and then control the security on your files and
> > directories using NTFS permissions.
> >
> > Ray at work
> >
> > "MCL" <mcl@mcl.com> wrote in message
> > news:vil2u6s9nt5p6c@corp.supernews.com...

> > > I am developing a new page for our Intranet and the requesting

> department

> > > has asked that a certain page only be accessible to those associates

> that

> > > are part of their department...
> > >
> > > I don't want to develop a custom list or database because I don't want

> to

> > > have to update it everytime somebody gets hired or fired or

> transferred...

> > >
> > > So, is there a way that I can get what NT Group a person is in based

on

> > > their NT Login and then grant them permission if they re only part of

a

> > > certain group...
> > >
> > > I understand the logic behind it, but I am just wondering if it is
> > > technically possible, and if so how...
> > >
> > > Thank you very much,
> > > Mark
> > >
> > >

> >
> >

>
>