Solved

allowing temporary users in the Network

Posted on 2013-12-03
Last Modified: 2013-12-07
We are in a Windows domain environment.
We have some guests that we need to provide computers and let them use our existing wireless internet access, and also provide them with one network printer.

These users will be in the company just for a week or 2.

I wonder what is the best way to do that without opening security breaches in our domain?
Do we just need to create a temporary OU and block all policy inheritance at this OU level, and for the rest consider them just as our domain users, or do we need to keep them away from the domain, I mean not create their accounts in the domain, and just make them local Administrators on their computers?


Thanks
Question by:jskfan
10 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
ID: 39694344
Are they bringing their own computers or are you providing them with PCs?  If they are company PCs then I'd create an OU and lock the PCs down and only give them what they need (IE and map that printer).  They shouldn't need access to anything else.

Some places have a separate "guest" network for wifi/printer access for guests.  If you have guests regularly it may be something to consider.

Thanks

Mike
0
 

Author Comment

by:jskfan
ID: 39694399
We'll provide them PCs and one network printer.
We'll also provide them our Wi-Fi.
We do not want them to browse the network.
We can let the domain password policy be applied to them, no other policies.
0
 

Author Comment

by:jskfan
ID: 39694400
If they can log in to the domain, then they can be either members of Domain Users or Authenticated Users. I am afraid either way they will be able to browse the network.
0

 
LVL 5

Assisted Solution

by:Recept
Recept earned 200 total points
ID: 39694568
Provided you don't apply permissions directly to the 'Authenticated Users' or 'Everyone' groups, you can create a new security group, set that as their Primary Group, then delete them from 'Domain Users'.

http://technet.microsoft.com/en-us/library/dd861291.aspx
0
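The steps in the answer above, written out with the ActiveDirectory PowerShell module; this is an added example, not code from the thread. The group name `Temp-Guests`, the account `guest01`, the OU path and the 14-day expiry are assumptions. Membership of 'Authenticated Users' is implicit and is not changed by any of this.

```powershell
#Requires -Modules ActiveDirectory
# Assumed values (not from the thread): OU path, group name, account name.
$ouPath    = 'OU=Guests,DC=example,DC=com'
$groupName = 'Temp-Guests'
$sam       = 'guest01'

# Global security group that will become the guests' primary group.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path $ouPath -PassThru

# Guest account that expires on its own after the visit (14 days assumed).
$user = New-ADUser -Name $sam -SamAccountName $sam -Path $ouPath `
    -AccountPassword (Read-Host -AsSecureString "Password for $sam") `
    -AccountExpirationDate (Get-Date).AddDays(14) -Enabled $true -PassThru

# A user must already be a member of a group before it can be the primary group.
Add-ADGroupMember -Identity $group -Members $user

# primaryGroupID stores the group's RID, the last component of its SID.
$rid = [int]($group.SID.Value.Split('-')[-1])
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }

# 'Domain Users' is now an ordinary membership, so it can be removed.
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# Read back the result: PrimaryGroup should be the new group and
# MemberOf should no longer list Domain Users.
Get-ADUser -Identity $user -Properties PrimaryGroup, MemberOf, AccountExpirationDate |
    Select-Object SamAccountName, PrimaryGroup, MemberOf, AccountExpirationDate
```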
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 200 total points
ID: 39694570
By default domain users have read-only access to the OU unless you are assigning additional permissions. You can create a domain user account, place the guest users/computers in an OU and apply the lockdown policy as per requirement. I will not recommend adding the guest user account to local admin, as this gives additional rights like installing apps/software, changing system settings, etc.

You can also create local user accounts for these guests and apply the lockdown policy locally if required; the choice is yours. See the links below for more details.


http://blogs.technet.com/b/asiasupp/archive/2006/09/19/457423.aspx
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://www.techrepublic.com/article/lock-it-down-secure-your-desktops-with-windows-group-policy-editor/
http://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 700 total points
ID: 39695036
The best way is to create local accounts for them on the computers and provide access to the printer, or you can attach that printer directly to one of their computers.

Creating domain accounts will open so many doors for them, and much more information can be accessed. In most of the cases I've seen, all domain users have read access on AD (not sure how your env. is configured).

For internet access you should be able to have some rule configured for their IPs to allow/block websites as needed.
0
 

Author Comment

by:jskfan
ID: 39696002
pramod_ubhe:

It sounds like a simple way.
What about their computers' IPs, can they get DHCP IPs without being members of the domain?

Regarding printers, I believe I can log in as local Administrator and add the network printer to their computers, then log off and let them log in... I wonder if those printers still appear when they log in locally with their credentials?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39697943
Technically there should not be any issues with DHCP assigning IPs to those computers, but you can use static IPs in case of any issues.

For printers, you need to map them while they are logged in with their credentials, or map them using a user account and then share it for everyone. It also depends on the permissions configured on the printers, e.g. allow print for everyone/authenticated users.
0
 
LVL 7

Accepted Solution

by:
eerwalters earned 700 total points
ID: 39700216
I wouldn't join the PCs to the domain.  

You could set up the printer on the network and have them print to it directly or on a current print server, if desired.  Either way, just set up the printer using the LPR protocol and it will be a "local" printer from a Windows perspective and will be available to all users of the PC.

If you are going to print directly to the printer just set:
       Host = IP address of the printer
       Port = raw  (for most normal laser printers)

If you are going to use an existing printer on an existing Windows print server, then the LPD Service will need to be loaded on the Windows print server.  Then set each PC to have an LPR printer set to:
       Host = DNS name or IP address of the print server
       Port = printer name on the print server
No Domain authentication is required for LPR printing.
0
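A provisioning sketch for one non-domain guest PC that combines the local-account advice and the direct LPR printing setup from the answers above; it is an added example, not code from the thread. The account name `guest01`, the printer address `192.0.2.10` (a documentation-range placeholder), the driver name and the 14-day expiry are assumptions, and the cmdlets need Windows 8/Server 2012 or later with PowerShell 5.1.

```powershell
#Requires -RunAsAdministrator
# Assumed values (not from the thread): account name, printer IP, driver.
$guest      = 'guest01'
$printerIp  = '192.0.2.10'            # placeholder address of the network printer
$driverName = 'Generic / Text Only'   # replace with the driver for the real model

# Keep guest PCs off the domain, as the accepted answer recommends.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This PC is domain-joined; provision guests on a workgroup machine.'
}

# Local standard account that expires after the visit (14 days assumed).
New-LocalUser -Name $guest -Description 'Temporary guest' `
    -Password (Read-Host -AsSecureString "Password for $guest") `
    -AccountExpires (Get-Date).AddDays(14) | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $guest   # standard user, not admin

# Install the driver only if it is not already present on the PC.
if (-not (Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driverName
}

# LPR port straight to the printer; the answer's "Port = raw" value is
# passed here as the LPR queue name.
$portName = "LPR_$printerIp"
Add-PrinterPort -Name $portName -LprHostAddress $printerIp -LprQueueName 'raw'

# A printer on a local port is machine-wide, so it shows up for every user
# who logs on, including the guest account.
Add-Printer -Name 'Guest Printer' -DriverName $driverName -PortName $portName

# Checks: the guest must not be a local administrator; show the printer.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$guest") {
    Write-Warning "$guest is a member of the local Administrators group."
}
Get-Printer -Name 'Guest Printer' | Select-Object Name, PortName, DriverName
```

For the print-server variant in the answer, `-LprHostAddress` takes the print server's name or IP and `-LprQueueName` takes the printer name on that server.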
 

Author Closing Comment

by:jskfan
ID: 39703466
Thank you Guys!
0
