Looking for thoughts on Windows 7 'guest' account

Posted on 2013-01-03
Last Modified: 2014-02-24
I manage the client side of AD in a Windows 7 / 2008 environment with about 2000 devices.

We have ~1500 team members with AD accounts.  

Our HR department wants to make a 3rd party training web site available to ~200 team members who currently do not have devices or AD accounts.  They want them to be able to 'walk up' to any available computers a few times a month and access only this one URL, no network resources, and they don't want to pay for CALs to get domain accounts.

The only idea I'm toying with is opening up a single shared domain account with no access, whitelisting the URL at the proxy so it doesn't require authentication, and finding a way to lock down that user profile 100% at the client side to only present a URL shortcut and no other options at all.  I'm not sure what policies that would take; I don't see how to apply policies based upon a specific user.  I'm also very concerned about the security implications.  

Ideas?
Question by:MortensonIT
Accepted Solution

by:
Steve earned 1500 total points
ID: 38742323
This kind of thing is normally done by creating a separate OU for all the GUEST PCs and a separate OU for the login account(s).
You can create very (very) restrictive group policies for these OUs that can lock the PCs and user down very tightly.

This would be a domain user/PC though, so may not fulfil all your requirements.

The only other option would be to use LOCAL group policy on the PCs independently, which would mean they wouldn't need to be domain PCs etc. It's a bit fiddly, but can easily be done using gpedit.msc on any local workgroup PC.

Author Comment

by:MortensonIT
ID: 39877548
I was able to make my solution work with some extensive group policy manipulation.

I created a "Training" domain account and removed it from all groups.  I put the account in its own OU, and then applied policy to it.  
When a user logs in with the training account on ANY computer in the domain, it removes all entries from the desktop and applies a single link to IE that opens up to the external training page.  It doesn't have any access to domain resources.
The start menu is empty, the task bar is empty, the context menu is disabled; all that remains is the clock.  It took a lot of testing but I got it to work.
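
Added example, not part of the original post and not MortensonIT's actual policy: one way to script the approach described above (dedicated OU, shared account, user-side lockdown GPO linked to that OU) with the RSAT ActiveDirectory and GroupPolicy modules. The domain `example.com`, the OU and GPO names, and the particular set of Explorer policy values are assumptions chosen for illustration.

```powershell
# Added example. Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
# Hypothetical names: example.com domain, "Training-Kiosk" OU, "Training-Lockdown" GPO.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouName   = 'Training-Kiosk'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Training-Lockdown'

# Dedicated OU so the policy scope contains only the shared account.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

# Shared account; the password is prompted for, never stored in the script.
New-ADUser -Name 'Training' -SamAccountName 'Training' -Path $ouDn `
    -AccountPassword (Read-Host 'Password for Training' -AsSecureString) `
    -CannotChangePassword $true -Enabled $true

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdKey   = 'HKCU\Software\Policies\Microsoft\Windows\System'
$settings = @(
    @{ Key = $explorer; Name = 'NoRun';                   Data = 1 }  # no Run dialog
    @{ Key = $explorer; Name = 'NoFind';                  Data = 1 }  # no Start menu search
    @{ Key = $explorer; Name = 'NoControlPanel';          Data = 1 }  # no Control Panel
    @{ Key = $explorer; Name = 'NoStartMenuMorePrograms'; Data = 1 }  # no All Programs list
    @{ Key = $explorer; Name = 'NoViewContextMenu';       Data = 1 }  # no right-click menu
    @{ Key = $explorer; Name = 'NoTrayContextMenu';       Data = 1 }  # no taskbar menu
    @{ Key = $system;   Name = 'DisableTaskMgr';          Data = 1 }  # no Task Manager
    @{ Key = $system;   Name = 'DisableRegistryTools';    Data = 1 }  # no regedit
    @{ Key = $cmdKey;   Name = 'DisableCMD';              Data = 2 }  # no cmd.exe, batch logon scripts still run
)

# User-side settings only, so switch off the unused computer half of the GPO.
$gpo = New-GPO -Name $gpoName -Comment 'Lockdown for the shared Training account'
$gpo.GpoStatus = 'ComputerSettingsDisabled'
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name `
        -Type DWord -Value $s.Data | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# Read every value back from the GPO and flag anything that did not stick.
$bad = $settings | Where-Object {
    (Get-GPRegistryValue -Name $gpoName -Key $_.Key -ValueName $_.Name).Value -ne $_.Data
}
if ($bad) { Write-Warning "Mismatched values: $(($bad | ForEach-Object { $_.Name }) -join ', ')" }
```

Because the GPO is linked to the OU that holds the user object, the restrictions follow the account to any domain computer it logs on to, which is how policy gets applied "based upon a specific user". Running `gpresult /r` in a session of the test account shows whether the GPO was actually applied.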

Author Comment

by:MortensonIT
ID: 39877747
I've requested that this question be closed as follows:

Accepted answer: 0 points for MortensonIT's comment #a39877548

for the following reason:

The only other community solution wasn't viable for my application.  It took doing, but I figured it out myself.

Expert Comment

by:Steve
ID: 39877748
My response was valid and suggested the use of OUs & group policies in answer to your request for 'ideas', which you did implement.
At least acknowledge my input and throw some points my way, matey?