clicker666

asked on

Best practice for a visitor's account.

We have a workstation in our boardroom that is sometimes used by one of our temps, and at other times needs to be accessed by visitors.

This machine IS on the domain, so the guest account method of signing into the machine doesn't seem to work.

What is the best practice method of allowing a stranger to use a machine so that they can basically ONLY get on the internet with it?

Server is Windows 2008 R2 Standard.
Grasty86

Not sure if it is best practice or not, but you could create a Security Group called Visitors. Then add the account to the Visitors group and remove it from Domain Users. That should take care of network stuff (unless you grant permissions using "Everyone" or "Authenticated Users").
ASKER CERTIFIED SOLUTION
Nick Rhode
This solution is only available to members.
Pramod Ubhe
If your requirement is to just allow internet, don't allow any domain logins.
You can just create a local login and keep it always logged in to that computer (use auto-login reg key or stick username/password on it). For internet access, exclude that computer's IP in your web filtering application and try to keep it as restrictive as possible (like only a few internet sites and internal sites, whatever suits you).

This will prevent your visitors from having any details about your domain. They cannot even know your domain name (which also could be a vulnerability).
clicker666

ASKER

The computer needs to be on the domain so the temps can use it - that's why the guest account doesn't want to work.
What he means is you can still log in locally to the PC regardless of it being on the domain.

For instance, the local admin on the PC is disabled by default, but let's say I had Test as a local account on the PC.  If I wanted to log in I would do the following:

Login:  PCName\Test

This will log me into the local computer and not on the domain.  So now if your temp user wanted to sign onto the domain they would do the following:

Login:  Domain\Temp

You would have to create a local account for the visitors to use etc.
I'll try that and get back with the winner.  I've been tied up and unable to check.
Didn't work.  I created an account on the machine and used machinename\accountname format to sign in and it kept telling me the username or password was incorrect.  I changed the password twice just to be sure.  Weird.  I explicitly declared in the security policy that the account had local logon rights as well.
I'll give this answer the points because I think it's the proper one - there's just something preventing it from working right for me.