Solved

Looking for thoughts on Windows 7 'guest' account

Posted on 2013-01-03
Last Modified: 2014-02-24
I manage the client side of AD in a Windows 7 / 2008 environment with about 2000 devices.

We have ~1500 team members with AD accounts.  

Our HR department wants to make a 3rd-party training web site available to ~200 team members who currently do not have devices or AD accounts. They want them to be able to 'walk up' to any available computer a few times a month and access only this one URL, no network resources, and they don't want to pay for CALs to get domain accounts.

The only idea I'm toying with is opening up a single shared domain account with no access, whitelisting the URL at the proxy so it doesn't require authentication, and finding a way to lock down that user profile 100% at the client side to only present a URL shortcut and no other options at all. I'm not sure what policies that would take; I don't see how to apply policies based upon a specific user. I'm also very concerned about the security implications.

Ideas?
Question by:MortensonIT
LVL 27

Accepted Solution

by:
Steve earned 500 total points
ID: 38742323
This kind of thing is normally done by creating a separate OU for all the GUEST PCs and a separate OU for the login account(s).
You can create very (very) restrictive group policies for these OUs that can lock the PCs and user down very tightly.

This would be a domain user/PC though, so may not fulfil all your requirements.

The only other option would be to use LOCAL group policy on the PCs independently, which would mean they wouldn't need to be domain PCs etc. It's a bit fiddly, but can easily be done using gpedit.msc on any local workgroup PC.
0
 

Author Comment

by:MortensonIT
ID: 39877548
I was able to make my solution work with some extensive group policy manipulation.

I created a "Training" domain account and removed it from all groups. I put the account in its own OU, and then applied policy to it.
When a user logs in with the training account on ANY computer in the domain, it removes all entries from the desktop and applies a single link to IE that opens up to the external training page.  It doesn't have any access to domain resources.
The start menu is empty, the task bar is empty, the context menu is disabled; all that remains is the clock.  It took a lot of testing but I got it to work.
0
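
An added example, not part of the original posts: a read-only PowerShell audit that checks the three things the setup above depends on (group membership, the OU holding the account, and the GPOs that reach that OU). It assumes the RSAT ActiveDirectory and GroupPolicy modules and PowerShell 3.0 or later; the account name `Training` comes from the thread, and the function name `Get-SharedAccountAudit` is hypothetical.

```powershell
# Added example, not the poster's configuration. Needs the RSAT ActiveDirectory
# and GroupPolicy modules and PowerShell 3.0+. 'Training' is the account name
# from the thread; the function name is hypothetical.
Import-Module ActiveDirectory, GroupPolicy

function Get-SharedAccountAudit {
    param([string]$SamAccountName = 'Training')

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup,
        LogonWorkstations, CannotChangePassword, PasswordNeverExpires, LastLogonDate

    # Parent of the account: its DN minus the first RDN (escaped commas respected).
    $parentDn = $user.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
    $findings = @()

    # MemberOf omits the primary group, so both are reported separately.
    $extraGroups = @($user.MemberOf)
    if ($extraGroups.Count -gt 0) {
        $findings += "Member of $($extraGroups.Count) group(s) besides the primary group"
    }

    # User-side policy follows the OU that holds the account. A plain container
    # such as CN=Users cannot have GPOs linked to it.
    $linked = @(); $effective = @()
    if ($parentDn -like 'OU=*') {
        $gp = Get-GPInheritance -Target $parentDn
        $linked    = @($gp.GpoLinks | Where-Object { $_.Enabled } | ForEach-Object { $_.DisplayName })
        $effective = @($gp.InheritedGpoLinks | ForEach-Object { $_.DisplayName })
        if ($linked.Count -eq 0) { $findings += "No enabled GPO linked directly to $parentDn" }
    } else {
        $findings += "Account sits in a container, not an OU: $parentDn"
    }

    [pscustomobject]@{
        Account              = $user.SamAccountName
        Enabled              = $user.Enabled
        ParentOU             = $parentDn
        PrimaryGroup         = $user.PrimaryGroup
        OtherGroups          = $extraGroups
        LogonWorkstations    = $user.LogonWorkstations   # empty = any domain computer
        CannotChangePassword = $user.CannotChangePassword
        PasswordNeverExpires = $user.PasswordNeverExpires
        LastLogonDate        = $user.LastLogonDate
        DirectGpoLinks       = $linked
        EffectiveGpoLinks    = $effective
        Findings             = $findings
    }
}

Get-SharedAccountAudit | Format-List
```

`EffectiveGpoLinks` lists every GPO that reaches the OU through inheritance, which is where an unexpected domain-level policy for a shared account would show up.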
 

Author Comment

by:MortensonIT
ID: 39877747
I've requested that this question be closed as follows:

Accepted answer: 0 points for MortensonIT's comment #a39877548

for the following reason:

The only other community solution wasn't viable for my application.  It took doing, but I figured it out myself.
0
 
LVL 27

Expert Comment

by:Steve
ID: 39877748
My response was valid and suggested the use of OUs & group policies in answer to your request for 'ideas', which you did implement.
At least acknowledge my input and throw some points my way, matey?
0

Question has a verified solution.