• Status: Solved
  • Priority: Medium
  • Security: Public

allowing temporary users in the Network

We are in a Windows domain environment.
We have some guests that we need to provide computers and let them use our existing wireless internet access, and also provide them with one network printer.

These users will be in the company just for a week or 2.

I wonder what is the best way to do that, without opening security breaches in our domain?
Do we need just to create a temporary OU and block all policy inheritance at this OU level, and for the rest consider them just as our domain users, or do we need to keep them away from the domain, I mean not create their accounts in the domain, and just make them local Administrators on their computers?


Thanks
Asked by: jskfan
 
Mike Kline Commented:
Are they bringing their own computers or are you providing them with PCs? If they are company PCs then I'd create an OU and lock the PCs down and only give them what they need (IE and map that printer). They shouldn't need access to anything else.

Some places have a separate "guest" network for wifi/printer access for guests. If you have guests regularly it may be something to consider.

Thanks

Mike
 
jskfan (Author) Commented:
We'll provide them PCs and one network printer.
We'll also provide them our Wifi.
We do not want them to browse the network.
We can let the domain password policy be applied to them, no other policies.
 
jskfan (Author) Commented:
If they can log in to the domain, then they can be either members of Domain Users or Authenticated Users. I am afraid either way they will be able to browse the network.
 
Recept Commented:
Provided you don't apply permissions directly to the 'Authenticated Users' or 'Everyone' groups, you can create a new security group, set that as their Primary Group, and then delete them from 'Domain Users'.

http://technet.microsoft.com/en-us/library/dd861291.aspx
0
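The primary-group change described in the answer above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, rights to manage the account, and an already created guest account; `GuestVisitors` and `guest01` are hypothetical names.

```powershell
Import-Module ActiveDirectory

$groupName = 'GuestVisitors'   # hypothetical group name
$userName  = 'guest01'         # hypothetical, already existing guest account

# A primary group must be a global or universal security group.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security
}
$group = Get-ADGroup -Identity $groupName -Properties primaryGroupToken
$user  = Get-ADUser  -Identity $userName  -Properties MemberOf, primaryGroupID

# The account has to be a member of the group before it can be made primary.
if ($user.primaryGroupID -ne $group.primaryGroupToken) {
    if ($user.MemberOf -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    # primaryGroupID stores the group's RID, which AD exposes as primaryGroupToken.
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $group.primaryGroupToken }
}

# Domain Users always has RID 513; resolving by SID also works on localized domains.
$domainUsers = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID)-513"
$memberOf    = (Get-ADUser -Identity $user -Properties MemberOf).MemberOf
if ($memberOf -contains $domainUsers.DistinguishedName) {
    Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false
}

# The guests stay a week or two, so let the account expire on its own.
Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddDays(14)

# Check the result: Domain Users should no longer be listed.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, SID
```

The account still counts as an authenticated user after this change, which is why the answer's proviso about permissions granted to 'Authenticated Users' or 'Everyone' matters.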
 
Sandeshdubey (Senior Server Engineer) Commented:
By default, domain users have read-only access to the OU unless you are assigning additional permissions. You can create domain user accounts, place the guest users/computers in an OU, and apply the lockdown policy as per requirement. I will not recommend adding the guest user accounts to local admin, as this gives additional rights like installing apps/software, changing system settings, etc.

You can also create local user accounts for these guests and apply the lockdown policy locally if required; the choice is yours. See the links below for more details.


http://blogs.technet.com/b/asiasupp/archive/2006/09/19/457423.aspx
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://www.techrepublic.com/article/lock-it-down-secure-your-desktops-with-windows-group-policy-editor/
http://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
 
Pramod Ubhe Commented:
The best way is to create local accounts for them on the computers and provide access to the printer, or you can attach that printer directly to one of their computers.

Creating domain accounts will open so many doors for them and much more information can be accessed. In most of the cases I've seen, all domain users have read access on AD (not sure how your env. is configured).

For internet access you should be able to have some rule configured for their IPs to allow/block websites as needed.
 
jskfan (Author) Commented:
pramod_ubhe:

It sounds like a simple way.
What about their computers' IPs, can they get DHCP IPs without being members of the domain?

Regarding printers, I believe I can log in as local Administrator and add the network printer to their computers, then log off and let them log in... I wonder if those printers still appear when they log in locally with their credentials?
 
Pramod Ubhe Commented:
Technically there should not be any issues with DHCP assigning IPs to those computers, but you can use static IPs in case of any issues.

For printers, you need to map them while they are logged in with their credentials, or map them using a user account and then share it for everyone. It also depends on the permissions configured on the printers, e.g. allow print for everyone/authenticated users.
 
eerwalters Commented:
I wouldn't join the PCs to the domain.

You could set up the printer on the network and have them print to it directly or on a current print server, if desired. Either way, just set up the printer using the LPR protocol and it will be a "local" printer from a Windows perspective and will be available to all users of the PC.

If you are going to print directly to the printer just set:
       Host = IP address of the printer
       Port = raw  (for most normal laser printers)

If you are going to use an existing printer on an existing Windows print server, then the LPD Service will need to be loaded on the Windows print server. Then set each PC to have an LPR printer set to:
       Host = DNS name or IP address of the print server
       Port = printer name on the print server
  No domain authentication is required for LPR printing.
0
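The non-domain setup suggested in the answers above (a local standard account plus an LPR printer that is local to the PC), as an added example that is not part of the original thread. It assumes an elevated Windows PowerShell 5.1 session on the guest PC; the account name, the `192.0.2.50` address, the port and printer names and the driver choice are placeholders.

```powershell
$guestName   = 'guest01'               # hypothetical local account name
$printerIp   = '192.0.2.50'            # placeholder: IP address of the printer
$portName    = "LPR_$printerIp"
$driverName  = 'Generic / Text Only'   # placeholder: use the printer's real driver
$printerName = 'Guest Printer'

# Standard (non-admin) local account that expires after the two-week visit.
if (-not (Get-LocalUser -Name $guestName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $guestName" -AsSecureString
    New-LocalUser -Name $guestName -Password $password `
        -AccountExpires (Get-Date).AddDays(14) `
        -Description 'Temporary guest account' | Out-Null
    # S-1-5-32-545 is the built-in Users group; New-LocalUser adds no group itself.
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $guestName
}

# Guard against the account ending up in Administrators (S-1-5-32-544).
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
if ($admins -contains "$env:COMPUTERNAME\$guestName") {
    throw "$guestName is a local administrator; remove it before handing over the PC."
}

# LPR port straight to the printer, queue 'raw' as given in the answer.
# For a print server with the LPD Service, use the server's name or IP as
# -LprHostAddress and the printer name on that server as -LprQueueName.
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -LprHostAddress $printerIp -LprQueueName 'raw'
}

# A printer added this way is local to the PC, so every user of the PC sees it.
Add-PrinterDriver -Name $driverName
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driverName -PortName $portName
}

Get-Printer -Name $printerName | Select-Object Name, PortName, DriverName
```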
 
jskfan (Author) Commented:
Thank you, guys!