Best practice for a visitor's account.

We have a workstation in our boardroom that is sometimes used by one of our temps, and at other times needs to be accessed by visitors.

This machine IS on the domain, so the guest account method of signing into the machine doesn't seem to work.

What is the best practice method of allowing a stranger to use a machine so that they can basically ONLY get on the internet with it?

Server is Windows 2008 R2 Standard.
Nick Rhode (IT Director) Commented:
For guest users I create a guest account (whatever you want to name it), move them into a more restricted OU, and adjust group policy so all they can do is surf the web.

In another location we have guest wireless which is isolated from the network and we have just a standard laptop there for guest use.
Not sure if it is best practice or not, but you could create a Security Group called Visitors. Then add the account to the Visitor group and remove them from Domain Users. That should take care of network stuff (unless you grant permissions using "Everyone" or "Authenticated Users").
Pramod Ubhe Commented:
If your requirement is to just allow internet, don't allow any domain logins.
You can just create a local login and keep it always logged in to that computer (use auto-login reg key or stick username/password on it). For internet access, exclude that computer's IP in your web filtering application and try to keep it as restrictive as possible (like only a few internet sites and internal sites, whatever suits you).

This will prevent your visitors from having any details about your domain. They cannot even know your domain name (which also could be a vulnerability).
clicker666 (Author) Commented:
The computer needs to be on the domain so the temps can use it - that's why the guest account doesn't want to work.
Nick Rhode (IT Director) Commented:
What he means is you can still login locally to the PC regardless of it being on the domain.

For instance, the local admin on the PC is disabled by default, but let's say I had Test as a local account on the PC.  If I wanted to log into it I would do the following:

Login:  PCName\Test

This will log me into the local computer and not on the domain.  So now if your temp user wanted to sign onto the domain they would do the following:

Login:  Domain\Temp

You would have to create a local account for the visitors to use etc.
clicker666 (Author) Commented:
I'll try that and get back with the winner.  I've been tied up and unable to check.
clicker666 (Author) Commented:
Didn't work.  I created an account on the machine and used machinename\accountname format to sign in and it kept telling me the username or password was incorrect.  I changed the password twice just to be sure.  Weird.  I explicitly declared in the security policy that the account had local logon rights as well.
clicker666 (Author) Commented:
I'll give this answer the points because I think it's the proper one - there's just something preventing it from working right for me.
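
An added example, not part of any post in this thread: a PowerShell check of what the PCName\account sign-in discussed above depends on, namely that the account exists and is enabled in the machine's own account database, and which principals hold the "log on locally" rights on that machine. `Visitor` is a placeholder account name and the temp file name is arbitrary.

```powershell
# Added example (not from the thread). 'Visitor' is a placeholder account name.
# Run from an elevated PowerShell prompt on the boardroom PC itself.
$account = 'Visitor'
$pc      = $env:COMPUTERNAME

# 1. Confirm the account exists as a local (non-domain) account and is usable.
$user = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Domain='$pc' AND Name='$account'"
if (-not $user) {
    Write-Warning "No local account named $pc\$account"
    return
}
"Sign-in name : $pc\$account"
"Disabled     : $($user.Disabled)"
"Locked out   : $($user.Lockout)"

# 2. Export the user-rights assignments currently stored on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

# Turn an entry such as *S-1-5-32-545 into a readable name where possible.
function Resolve-Entry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-1-')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }   # unresolvable SID: show it as exported
}

# SeInteractiveLogonRight     = "Allow log on locally"
# SeDenyInteractiveLogonRight = "Deny log on locally"
foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $line  = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    $names = @()
    if ($line) {
        $names = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Entry $_ }
    }
    "{0}: {1}" -f $right, ($names -join '; ')
}
Remove-Item $cfg
```

An account, or a group it belongs to, that appears under the deny right cannot log on locally even if it is also listed under the allow right.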
Question has a verified solution.
