Solved

Looking for thoughts on Windows 7 'guest' account

Posted on 2013-01-03
5
211 Views
Last Modified: 2014-02-24
I manage the client side of AD in a Windows 7 / 2008 environment with about 2000 devices.

We have ~1500 team members with AD accounts.  

Our HR department wants to make a 3rd party training web site available to ~200 team members who currently do not have devices or AD accounts.  They want them to be able to 'walk up' to any available computers a few times a month and access only this one URL, no network resources, and they don't want to pay for CAL's to get domain accounts.

The only idea I'm toying with is opening up a single shared domain account with no access, white listing the URL at the proxy so it doesn't require authentication, and finding a way to lock down that user profile 100% at the client side to only present a URL shortcut and no other options at all.  I'm not sure what policies that would take; I don't see how to apply policies based upon a specific user.  I'm also very concerned about the security implications.  

Ideas?
0
Comment
Question by:MortensonIT
  • 2
  • 2
5 Comments
 
LVL 27

Accepted Solution

by:
Steve earned 500 total points
ID: 38742323
this kindof thing is normally done by creating a seperate OU for all the GUEST PCs and a sepearte OU for the login account(s)
You can create very (very) restrictive grou policies for these OUs that can lock the PCs and user down very tightly.

This would be a domain user/PC though, so may not fulful all your requirements.

The only other option would be to use LOCAL group policy on the PCs independatly, which would mean they wouldnt need to be domain PCs etc. It's a bit fiddly, but can easily be done using gpedit.msc on any local workgroup PC.
0
 

Author Comment

by:MortensonIT
ID: 39877548
I was able to make my solution work with some extensive group policy manipulation.

I created a "Training" domain account and removed it from all groups.  I put the account in it's own OU, and then applied policy to it.  
When a user logs in with the training account on ANY computer in the domain, it removes all entries from the desktop and applies a single link to IE that opens up to the external training page.  It doesn't have any access to domain resources.
The start menu is empty, the task bar is empty, the context menu is disabled; all that remains is the clock.  It took a lot of testing but I got it to work.
0
 

Author Comment

by:MortensonIT
ID: 39877747
I've requested that this question be closed as follows:

Accepted answer: 0 points for MortensonIT's comment #a39877548

for the following reason:

The only other community solution wasn't viable for my application.  It took doing, but I figured it out myself.
0
 
LVL 27

Expert Comment

by:Steve
ID: 39877748
My response was valid and suggested the use of OUs & group policies in answer to your request for 'ideas', which you did implement.
At least acknowledge my imput and throw some points my way matey?
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ebay desktop program for windows for a seller who wants to sell alot 2 29
Install both Office 2010 and 2013 4 37
Problem to file 13 40
Windows updates batch files 7 43
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
An article on effective troubleshooting
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question