Best practice for a visitor's account.

We have an workstation in our boardroom that is sometimes used by one of our temps, and at other times needs to be accessed by visitors.  

This machine IS on the domain, so the guest account method of signing into the machine doesn't seem to work.

What is the best practice method of allowing a stranger to use a machine so that they can basically ONLY get on the internet with it?

Server is Windows 2008 R2 Standard.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Not sure if it is best practice or not, but you could create a Security Group called Visitors. Then Add the account to the Visitor group and remove them from Domain Users. That should take care of network stuff (Unless you grant permissions using "Everyone" or "Authenticated Users")
Nick RhodeIT DirectorCommented:
For guest users I create a guest account (whatever you want to name it) move them into a more restricted OU and adjust group policy so all they can do is surf the web.

In another location we have guest wireless which is isolated from the network and we have just a standard laptop there for guest use.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Pramod UbheCommented:
if your requirement is to just allow internet, don't allow any domain logins.
You can just create a local login and keep it always logged in to that computer (use auto-login reg key or stick username/password on it). For internet access, exclude that computer's IP in you web filtering application and try to keep it as restrictive as possible (like only few internet sites and internal sites whatever suites to you).

This will prevent your visitors to have any details about your domain. they can not even know your domain name (which also could be a vulnerability).
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

clicker666Author Commented:
The computer needs to be on the domain so the temps can use it - that's why the guest account doesn't want to work.
Nick RhodeIT DirectorCommented:
What he means is you can still login locally to the PC regardless of it being on the domain.

For instance the local admin on the PC is disabled by default but lets say I had Test as a local account on the pc.  If I wanted to log into I would do the followoing:

Login:  PCName\Test

This will log me into the local computer and not on the domain.  So now if your temp user wanted to sign onto the domain they would do the following

Login:  Domain\Temp

You would have to create a local account for the visitors to use etc.
clicker666Author Commented:
I'll try that and get back with the winner.  I've been tied up and unable to check.
clicker666Author Commented:
Didn't work.  I created an account on the machine and used machinename\accountname format to sign in and it kept telling me the username or password was incorrect.  I changed the password twice just to be sure.  Weird.  I explicitly declared in the security policy that the account had local logon rights as well.
clicker666Author Commented:
I'll give this answer the points because I think it's the proper one - there's just something preventing it from working right for me.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.