Solved

allowing temporary users in the Network

Posted on 2013-12-03
Last Modified: 2013-12-07
We are in a Windows domain environment.
We have some guests that we need to provide computers and let them use our existing wireless internet access, and also provide them with one network printer.

These users will be in the company just for a week or 2.

I wonder what is the best way to do that, without opening security breaches in our domain?
Do we need just to create a temporary OU and block all policy inheritance at this OU level, and for the rest consider them just as our domain users, or do we need to keep them away from the domain, I mean do not create their accounts in the domain, and just make them local Administrators on their computers?


Thanks
Question by:jskfan
10 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 39694344
Are they bringing their own computers or are you providing them with PCs?  If they are company PCs then I'd create an OU and lock the PCs down and only give them what they need (IE and map that printer).  They shouldn't need access to anything else.

Some places have a separate "guest" network for wifi/printer access for guests.  If you have guests regularly it may be something to consider.

Thanks

Mike
0
 

Author Comment

by:jskfan
ID: 39694399
We'll provide them PCs and one network printer.
We'll provide them also our Wifi.
We do not want them to browse the network.
We can let the domain password policy be applied to them, no other policies.
0
 

Author Comment

by:jskfan
ID: 39694400
If they can log in to the domain, then they can be either members of Domain Users or Authenticated Users. I am afraid either way they will be able to browse the network.
0
 
LVL 5

Assisted Solution

by:Recept
Recept earned 50 total points
ID: 39694568
Provided you don't apply permissions directly to the 'Authenticated Users' or 'Everyone' groups, you can create a new security group and set that as their Primary Group, then delete them from 'Domain Users'.

http://technet.microsoft.com/en-us/library/dd861291.aspx
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 50 total points
ID: 39694570
By default domain users have read-only access to the OU unless you are assigning additional permissions. You can create domain user accounts and place the guest users/computers in an OU and apply the lockdown policy as per requirement. I will not recommend adding the guest user accounts to local admin as this gives additional rights like installing apps/software, changing system settings, etc.

You can also create local user accounts for these guests and apply the lockdown policy locally if required; the choice is yours. See the links below for more details.


http://blogs.technet.com/b/asiasupp/archive/2006/09/19/457423.aspx
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://www.techrepublic.com/article/lock-it-down-secure-your-desktops-with-windows-group-policy-editor/
http://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 175 total points
ID: 39695036
The best way is to create local accounts for them on the computers and provide access to the printer, or you can attach that printer directly to one of their computers.

Creating domain accounts will open so many doors for them and much more information can be accessed. In most of the cases I've seen, all domain users have read access on AD (not sure how your env. is configured).

For internet access you should be able to have some rule configured for their IPs to allow/block websites as needed.
0
 

Author Comment

by:jskfan
ID: 39696002
pramod_ubhe:

It sounds like a simple way.
What about their computers' IPs, can they get DHCP IPs without being members of the domain?

Regarding printers, I believe I can log in as local Administrator and add the network printer to their computers, then log off, and let them log in... I wonder if those printers still appear when they log in locally with their credentials?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39697943
Technically there should not be any issues with DHCP assigning IPs to those computers, but you can use static IPs in case of any issues.

For printers, you need to map them while they are logged in with their credentials, or map them using a user account and then share it for everyone. It also depends on the permissions configured on the printers, e.g. allow print for everyone/authenticated users.
0
 
LVL 7

Accepted Solution

by:
eerwalters earned 175 total points
ID: 39700216
I wouldn't join the PCs to the domain.  

You could set up the printer on the network and have them print to it directly or on a current print server, if desired.  Either way, just set up the printer using the LPR protocol and it will be a "local" printer from a Windows perspective and will be available to all users of the PC.

If you are going to print directly to the printer just set:
       Host = IP address of the printer
       Port = raw  (for most normal laser printers)

If you are going to use an existing printer on an existing Windows print server, then the LPD Service will need to be loaded on the Windows print server.  Then set each PC to have an LPR printer set to:
       Host = DNS name or IP address of the print server
       Port = printer name on the print server
  No Domain authentication is required for LPR printing
0
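
As an added example (not part of the original thread), the approach in the accepted answer and in Pramod Ubhe's answer can be scripted per guest PC: a non-domain machine, a standard local account that expires by itself, and a machine-wide LPR printer. It assumes Windows PowerShell 5.1 or later on the guest PC; the account name, address, queue name and driver are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: provision one guest PC that is NOT joined to the domain.
# Every value in this block is a placeholder (assumption), not from the thread.
$GuestName  = 'guest01'                 # hypothetical local account name
$ExpiresOn  = (Get-Date).AddDays(14)    # guests stay "a week or 2"
$PrintHost  = '192.0.2.50'              # placeholder: print server (or printer) address
$QueueName  = 'GuestPrinter'            # placeholder: printer name on the print server
$DriverName = 'Generic / Text Only'     # placeholder: must already be installed on this PC
$PortName   = "LPR_${PrintHost}_$QueueName"

# 1. Standard local user with a built-in expiry date, member of Users only.
$pw = Read-Host -AsSecureString "Password for $GuestName"
New-LocalUser -Name $GuestName -Password $pw -AccountExpires $ExpiresOn `
    -Description 'Temporary guest, local account only' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $GuestName

# 2. Fail loudly if the account is a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$GuestName") {
    throw "$GuestName is a local administrator; remove it before hand-over."
}

# 3. Machine-wide LPR port and printer: available to every local user,
#    no domain authentication involved.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -LprHostAddress $PrintHost `
        -LprQueueName $QueueName -LprByteCounting
}
Add-Printer -Name 'Guest Printer' -DriverName $DriverName -PortName $PortName

# 4. Record what was created for the hand-over checklist.
Get-LocalUser -Name $GuestName | Select-Object Name, Enabled, AccountExpires
Get-Printer -Name 'Guest Printer' | Select-Object Name, PortName, DriverName
```

Because the account carries its own expiry date, it stops working after the visit even if nobody remembers to delete it; the printer and port can be removed afterwards with `Remove-Printer` and `Remove-PrinterPort`.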
 

Author Closing Comment

by:jskfan
ID: 39703466
Thank you Guys!
0
