Non-interactive AD account
Posted on 2011-09-23
Is there a way I can create a non-interactive or 'lowest permission level' account/group for certain users who require RADIUS access?
Basically, I have a group of users who have an AD account for the purposes of authenticating via wireless via RADIUS using their non-domain member devices (laptops, Android devices, etc.) and I need their logins to only work for the sole purpose of authenticating via wireless via RADIUS with no interactive logon access to any domain workstation, etc.
I currently have these users in the Domain Guests, Guests group and a security group defining wireless access for the NPS policy; however, of course they will still be able to log in interactively.
I did create another security group for the sole purpose of 'flagging' the user for non-interactive logon by adding that security group to the 'Deny Logon Locally' group policy and having my non-interactive users in that group as well; however, this also cut off authentication via wireless via RADIUS :(