Solved

Non-interactive AD account

Posted on 2011-09-23
Last Modified: 2013-12-09
Hi Experts,

Is there a way I can create a non-interactive or 'lowest permission level' account/group for certain users who require RADIUS access?

Basically, I have a group of users who have an AD account for the purposes of authenticating via wireless via RADIUS using their non-domain member devices (laptops, Android devices, etc.) and I need their logins to only work for the sole purpose of authenticating via wireless via RADIUS with no interactive logon access to any domain workstation, etc.

I currently have these users in the Domain Guests, Guests group and a security group defining wireless access for the NPS policy, however of course they will still be able to log in interactively.

I did create another security group for the sole purpose of 'flagging' the user for non-interactive logon by adding that security group to the 'Deny Logon Locally' group policy and having my non-interactive users in that group as well, however this also cut off authentication via wireless via RADIUS :(
Question by:BradyAU
3 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36587070
I would check for that AD LDS instance. It can be used for authentication but cannot be used for user logon. I don't know if it works for that scenario (I've never done this before), but maybe you are interested in this subject and can dig something up on the Internet?

For reference please start with this MS article at
http://technet.microsoft.com/pl-pl/library/cc755080%28WS.10%29.aspx

Regards,
Krzysztof
 

Accepted Solution

by:
BradyAU earned 0 total points
ID: 36813735
I was more leaning to just putting the user into a group that had limited access rather than using LDS. E.g. now they are in the Guest group + the WIFI security group.
 

Author Closing Comment

by:BradyAU
ID: 38144580
Idea worked
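
The thread leaves the wireless-only accounts technically able to log on interactively, so a detective check is useful. The following is an added example, not part of the original thread: it scans Security event 4624 records for interactive logon types by accounts in the wireless group. Account names, host names, the group name `WIFI-Access` and the trimmed sample events are constructed for illustration.

```powershell
# Logon types in event 4624 that represent an interactive session.
$InteractiveTypes = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Find-InteractiveLogon {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # event records as XML strings
        [Parameter(Mandatory)] [string[]] $Accounts    # sAMAccountNames that must stay RADIUS-only
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4624') { continue }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        $type = [int]$data['LogonType']
        # -contains is case-insensitive, matching AD account name semantics.
        if ($InteractiveTypes.ContainsKey($type) -and $Accounts -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time      = $evt.System['TimeCreated'].GetAttribute('SystemTime')
                Computer  = $evt.System['Computer'].InnerText
                Account   = $data['TargetUserName']
                LogonType = $InteractiveTypes[$type]
            }
        }
    }
}

# Constructed sample events (real 4624 records carry many more Data fields).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     '<EventID>4624</EventID><TimeCreated SystemTime="{0}"/><Computer>{1}</Computer></System>' +
     '<EventData><Data Name="TargetUserName">{2}</Data><Data Name="LogonType">{3}</Data></EventData></Event>'
$sample = @(
    ($t -f '2011-09-23T01:00:00Z', 'NPS01.example.local', 'wifi-guest01', 3)   # network logon: ignored
    ($t -f '2011-09-23T02:00:00Z', 'WKS07.example.local', 'wifi-guest02', 2)   # interactive: flagged
    ($t -f '2011-09-23T03:00:00Z', 'WKS07.example.local', 'alice', 2)          # not in the group: ignored
)

Find-InteractiveLogon -EventXml $sample -Accounts 'wifi-guest01', 'wifi-guest02'

# Live use (group name is a placeholder):
#   $accts = (Get-ADGroupMember 'WIFI-Access').SamAccountName
#   $xml   = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }
#   Find-InteractiveLogon -EventXml $xml -Accounts $accts
```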
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question