allowing temporary users in the Network

We are in a Windows domain environment.
We have some guests that we need to provide computers and let them use our existing wireless internet access, and also provide them with one network printer.

These users will be in the company just for a week or 2.

I wonder what is the best way to do that without opening security breaches in our domain?
Do we need just to create a temporary OU and block all policy inheritance at this OU level, and for the rest consider them just as our domain users, or do we need to keep them away from the domain, I mean not create their accounts in the domain, and just make them local Administrators on their computers?


Thanks
jskfan Asked:
 
eerwalters Commented:
I wouldn't join the PCs to the domain.  

You could set up the printer on the network and have them print to it directly or on a current print server, if desired.  Either way, just set up the printer using the LPR protocol and it will be a "local" printer from a Windows perspective and will be available to all users of the PC.

If you are going to print directly to the printer just set:
       Host = IP address of the printer
       Port = raw  (for most normal laser printers)

If you are going to use an existing printer on an existing Windows print server, then the LPD Service will need to be loaded on the Windows print server.  Then set each PC to have an LPR printer set to:
       Host = DNS name or IP address of the print server
       Port = printer name on the print server
No Domain authentication is required for LPR printing.
0
 
Mike Kline Commented:
Are they bringing their own computers or are you providing them with PCs?  If they are company PCs then I'd create an OU and lock the PCs down and only give them what they need (IE and map that printer).  They shouldn't need access to anything else.

Some places have a separate "guest" network for wifi/printer access for guests.  If you have guests regularly it may be something to consider.

Thanks

Mike
0
 
jskfan (Author) Commented:
We'll provide them PCs and one network printer.
We'll provide them also our Wifi.
We do not want them to browse the network.
We can let the domain password policy be applied to them, no other policies.
0

 
jskfan (Author) Commented:
If they can log in to the domain, then they can be either members of Domain Users or Authenticated Users. I am afraid either way they will be able to browse the network.
0
 
Recept Commented:
Provided you don't apply permissions directly to the 'Authenticated Users' or 'Everyone' groups, you can create a new security group, set that as their Primary Group, then delete them from 'Domain Users'.

http://technet.microsoft.com/en-us/library/dd861291.aspx
0
 
Sandeshdubey (Senior Server Engineer) Commented:
By default, domain users have read-only access to OUs unless you are assigning additional permissions. You can create domain user accounts, place the guest users/computers in an OU, and apply the lockdown policy as per requirement. I would not recommend adding the guest user account to local admin, as this gives additional rights like installing apps/software, changing system settings, etc.

You can also create local user accounts for these guests and apply the lockdown policy locally if required; the choice is yours. See the links below for more details.


http://blogs.technet.com/b/asiasupp/archive/2006/09/19/457423.aspx
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://www.techrepublic.com/article/lock-it-down-secure-your-desktops-with-windows-group-policy-editor/
http://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
0
 
Pramod Ubhe Commented:
The best way is to create local accounts for them on the computers and provide access to the printer, or you can attach that printer directly to one of their computers.

Creating domain accounts will open so many doors for them, and much more information can be accessed. In most of the cases I've seen, all domain users have read access on AD (not sure how your env. is configured).

For internet access you should be able to have some rule configured for their IPs to allow/block websites as needed.
0
 
jskfan (Author) Commented:
pramod_ubhe:

It sounds like a simple way.
What about their computers' IPs, can they get DHCP IPs without being members of the domain?

Regarding printers, I believe I can log in as local Administrator and add the network printer to their computers, then log off and let them log in... I wonder if those printers still appear when they log in locally with their credentials?
0
 
Pramod Ubhe Commented:
Technically there should not be any issues with DHCP assigning IPs to those computers, but you can use static IPs in case of any issues.

For printers, you need to map them while they are logged in with their credentials, or map them using a user account and then share it for everyone. It also depends on the permissions configured on the printers, e.g. allow print for Everyone/Authenticated Users.
0
 
jskfan (Author) Commented:
Thank you Guys!
0
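
The workgroup approach suggested in the answers above (local non-admin accounts plus an LPR printer installed as a local printer), as an added PowerShell example that is not from any participant in the thread. The account name, printer address, printer name and driver are constructed placeholders, and the account expiry goes slightly beyond the thread to match the one-to-two-week visit.

```powershell
#Requires -RunAsAdministrator
# Added example: provision one guest PC that stays OUT of the domain.
# Every name and address below is a constructed placeholder.
$GuestName   = 'guest01'
$VisitDays   = 14                          # guests stay one to two weeks
$PrinterIp   = '192.0.2.50'                # placeholder printer address
$QueueName   = 'raw'                       # LPR queue name given in the thread
$PortName    = "LPR_$PrinterIp"
$PrinterName = 'Guest Printer'
$DriverName  = 'Microsoft PS Class Driver' # assumption: use your printer's driver

# 1. Refuse to run on a domain-joined machine: the point is to keep
#    guest PCs in a workgroup so no domain credentials ever exist on them.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This PC is domain-joined; remove it from the domain first.'
}

# 2. Local standard user that stops working when the visit ends.
$password = Read-Host -AsSecureString "Password for $GuestName"
New-LocalUser -Name $GuestName -Password $password `
    -AccountExpires (Get-Date).AddDays($VisitDays) `
    -Description 'Temporary guest account' | Out-Null

# Well-known SIDs avoid localized group names:
#   S-1-5-32-545 = BUILTIN\Users, S-1-5-32-544 = BUILTIN\Administrators
Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $GuestName

# 3. Confirm the guest did not end up in local Administrators.
$isAdmin = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object Name -like "*\$GuestName"
if ($isAdmin) { throw "$GuestName is a local administrator; remove it." }

# 4. LPR port and printer. Installed this way it is a local printer,
#    so every account on the PC sees it and no domain logon is needed.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -LprHostAddress $PrinterIp `
        -LprQueueName $QueueName
}
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $DriverName
}
Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName

# 5. Summary for the provisioning record.
Get-LocalUser -Name $GuestName | Select-Object Name, Enabled, AccountExpires
Get-Printer -Name $PrinterName | Select-Object Name, PortName, Shared
```

When printing through an existing Windows print server instead, `$PrinterIp` becomes the server's name or address and `$QueueName` the printer name on that server, as described in the first answer.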
Question has a verified solution.
