I am happy to join the Juniper SSL community.
I have a question on Host Checker. How do I best create a policy that will check if a given machine is a member of a company domain? We want to create different roles for people who log in with company-issued machines (domain members) and people who log in from non-company-issued machines.
How do I do this when it comes to Host Checker policy? Do I look for a specific registry key on the remote machines? If so, what am I looking for? Let's say the domain name is ... "acmegizmo"
Btw, I am running IVE 6.3.
Best would be to use client certificates but if you settle for checking the registry you can read the domain name from
It contains the FQDN as a string, e.g. "redmond.corp.microsoft.com"
Might be other places as well but this is the one I use.
I recommend using "Domain" or "NV Domain" located in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" instead. This should always be the machine's FQDN (goldlnk.rootlnka.net).
If you want to make sure the user logged in is a domain user, not a local user, check:
For XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
For Vista: HKEY_CURRENT_USER\Volatile Environment\USERDOMAIN
I use this HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
But I only check to make sure it's a domain computer. I don't check users.
What's to stop a user from manually adding this to the registry if they are not part of the domain?
Nothing, unless there are policies on the PC that do not allow registry modification.
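The registry locations named in the replies above, read back on a client and compared against what Windows itself reports about domain membership, as an added example (editor's PowerShell, not code from the thread or from Juniper). "acmegizmo" is taken from the question; the comparison against Win32_ComputerSystem.PartOfDomain, the function names and the parameter are this example's own additions. It shows what a registry-based Host Checker rule would actually see on a given machine, and flags the case just asked about: strings that claim the domain on a machine that was never joined.

```powershell
# Added example, not from the thread or from Juniper: read back every registry
# value the replies above mention and compare it with what Windows itself reports
# about domain membership. Run on the Windows client as a normal user.
param(
    # Assumed: the short domain name from the question.
    [string]$ExpectedDomain = 'acmegizmo'
)

# Registry locations named in the thread and what each is supposed to hold.
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'Domain';            Note = 'primary DNS suffix' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Name = 'NV Domain';         Note = 'primary DNS suffix, non-volatile copy' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DefaultDomainName'; Note = 'domain of the last interactive logon (XP)' },
    @{ Path = 'HKCU:\Volatile Environment';                                  Name = 'USERDOMAIN';        Note = 'logon domain of the current user (Vista and later)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony';   Name = 'DomainName';        Note = 'TAPI copy of the domain name' }
)

function Get-RegistryString {
    # Returns the value as a string, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [string]($item | Select-Object -ExpandProperty $Name)
    } catch {
        return $null
    }
}

function Test-DomainString {
    # True when the value names the expected domain, either as a NetBIOS name
    # ("ACMEGIZMO") or as one label of a DNS name ("acmegizmo.example.com").
    # -match is case-insensitive by default, which is what we want here.
    param([string]$Value, [string]$Domain)
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    return $Value -match ('(^|\.)' + [regex]::Escape($Domain) + '(\.|$)')
}

# Authoritative source: PartOfDomain is set by the domain join itself,
# not by someone writing a string into the registry.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$results = foreach ($c in $Checks) {
    $v = Get-RegistryString -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Location = "$($c.Path)\$($c.Name)"
        Value    = $v
        Matches  = Test-DomainString -Value $v -Domain $ExpectedDomain
        Note     = $c.Note
    }
}

"Win32_ComputerSystem: PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain
$results | Format-Table -AutoSize -Wrap

# The spoof asked about above: the strings say "domain" but the machine was never joined.
if (($results | Where-Object Matches) -and -not $cs.PartOfDomain) {
    Write-Warning "Registry values claim membership in '$ExpectedDomain' but this machine is not domain-joined."
}
```

A Host Checker registry rule can only see the string values in the table, not the PartOfDomain flag, so this script is an audit aid for the administrator rather than something the IVE runs. When the warning fires on a test machine, you have reproduced the weakness raised in the question; the first reply's suggestion of client certificates is the stronger answer to it.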
If you don't show reason strings, users will not know the failure reason.