Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Looking for thoughts on Windows 7 'guest' account

Posted on 2013-01-03
5
Medium Priority
?
221 Views
Last Modified: 2014-02-24
I manage the client side of AD in a Windows 7 / 2008 environment with about 2000 devices.

We have ~1500 team members with AD accounts.  

Our HR department wants to make a 3rd party training web site available to ~200 team members who currently do not have devices or AD accounts.  They want them to be able to 'walk up' to any available computers a few times a month and access only this one URL, no network resources, and they don't want to pay for CAL's to get domain accounts.

The only idea I'm toying with is opening up a single shared domain account with no access, white listing the URL at the proxy so it doesn't require authentication, and finding a way to lock down that user profile 100% at the client side to only present a URL shortcut and no other options at all.  I'm not sure what policies that would take; I don't see how to apply policies based upon a specific user.  I'm also very concerned about the security implications.  

Ideas?
0
Comment
Question by:MortensonIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 27

Accepted Solution

by:
Steve earned 1500 total points
ID: 38742323
this kindof thing is normally done by creating a seperate OU for all the GUEST PCs and a sepearte OU for the login account(s)
You can create very (very) restrictive grou policies for these OUs that can lock the PCs and user down very tightly.

This would be a domain user/PC though, so may not fulful all your requirements.

The only other option would be to use LOCAL group policy on the PCs independatly, which would mean they wouldnt need to be domain PCs etc. It's a bit fiddly, but can easily be done using gpedit.msc on any local workgroup PC.
0
 

Author Comment

by:MortensonIT
ID: 39877548
I was able to make my solution work with some extensive group policy manipulation.

I created a "Training" domain account and removed it from all groups.  I put the account in it's own OU, and then applied policy to it.  
When a user logs in with the training account on ANY computer in the domain, it removes all entries from the desktop and applies a single link to IE that opens up to the external training page.  It doesn't have any access to domain resources.
The start menu is empty, the task bar is empty, the context menu is disabled; all that remains is the clock.  It took a lot of testing but I got it to work.
0
 

Author Comment

by:MortensonIT
ID: 39877747
I've requested that this question be closed as follows:

Accepted answer: 0 points for MortensonIT's comment #a39877548

for the following reason:

The only other community solution wasn't viable for my application.  It took doing, but I figured it out myself.
0
 
LVL 27

Expert Comment

by:Steve
ID: 39877748
My response was valid and suggested the use of OUs & group policies in answer to your request for 'ideas', which you did implement.
At least acknowledge my imput and throw some points my way matey?
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question