Solved

allowing temporary users in the Network

Posted on 2013-12-03
Last Modified: 2013-12-07
We are in a Windows domain environment.
We have some guests that we need to provide computers to and let them use our existing wireless internet access, and also provide them with one network printer.

These users will be in the company just for a week or 2.

I wonder what is the best way to do that without opening security breaches in our domain.
Do we need just to create a temporary OU and block all policy inheritance at this OU level, and for the rest consider them just as our domain users, or do we need to keep them away from the domain, I mean not create their accounts in the domain, and just make them local Administrators on their computers?


Thanks
Question by:jskfan
10 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
Are they bringing their own computers or are you providing them with PCs?  If they are company PCs then I'd create an OU and lock the PCs down and only give them what they need (IE and map that printer).  They shouldn't need access to anything else.

Some places have a separate "guest" network for wifi/printer access for guests.  If you have guests regularly it may be something to consider.

Thanks

Mike
0
 

Author Comment

by:jskfan
We'll provide them PCs and one network printer.
We'll also provide them our WiFi.
We do not want them to browse the network.
We can let the domain password policy be applied to them, no other policies.
0
 

Author Comment

by:jskfan
If they can log in to the domain, then they can be either members of Domain Users or Authenticated Users. I am afraid either way they will be able to browse the network.
0
 
LVL 5

Assisted Solution

by:Recept
Recept earned 50 total points
Provided you don't apply permissions directly to the 'Authenticated Users' or 'Everyone' groups, you can create a new security group, set that as their Primary Group, then delete them from 'Domain Users'.

http://technet.microsoft.com/en-us/library/dd861291.aspx
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 50 total points
By default, domain users have read-only access to the OU unless you are assigning additional permissions. You can create domain user accounts, place the guest users/computers in an OU and apply the lockdown policy as per requirement. I would not recommend adding the guest user accounts to local admin, as this gives additional rights like installing apps/software, changing system settings, etc.

You can also create local user accounts for these guests and apply the lockdown policy locally if required; the choice is yours. See the links below for more details.


http://blogs.technet.com/b/asiasupp/archive/2006/09/19/457423.aspx
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://www.techrepublic.com/article/lock-it-down-secure-your-desktops-with-windows-group-policy-editor/
http://www.pcworld.com/article/243290/how_to_lock_down_your_wireless_network.html
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 175 total points
The best way is to create local accounts for them on the computers and provide access to the printer, or you can attach that printer directly to one of their computers.

Creating domain accounts will open so many doors for them, and much more information can be accessed. In most of the cases I've seen, all domain users have read access on AD (not sure how your environment is configured).

For internet access you should be able to have some rule configured for their IPs to allow/block websites as needed.
0
 

Author Comment

by:jskfan
pramod_ubhe:

It sounds like a simple way.
What about their computers' IPs, can they get DHCP IPs without being members of the domain?

Regarding printers, I believe I can log in as local Administrator and add the network printer to their computers, then log off and let them log in... I wonder if those printers still appear when they log in locally with their credentials?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
Technically there should not be any issues with DHCP assigning IPs to those computers, but you can use static IPs in case of any issues.

For printers, you need to map them while they are logged in with their credentials, or map them using a user account and then share it for everyone; it also depends on the permissions configured on the printers, e.g. allow print for Everyone/Authenticated Users.
0
 
LVL 7

Accepted Solution

by:eerwalters
eerwalters earned 175 total points
I wouldn't join the PCs to the domain.  

You could set up the printer on the network and have them print to it directly or on a current print server, if desired.  Either way, just set up the printer using the LPR protocol and it will be a "local" printer from a Windows perspective and will be available to all users of the PC.

If you are going to print directly to the printer just set:
       Host = IP address of the printer
       Port = raw  (for most normal laser printers)

If you are going to use an existing printer on an existing Windows print server, then the LPD Service will need to be loaded on the Windows print server.  Then set each PC to have an LPR printer set to:
       Host = DNS name or IP address of the print server
       Port = printer name on the print server
  No Domain authentication is required for LPR printing
0
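
The setup described in the accepted answer, combined with the local-account suggestion earlier in the thread, as an added example that is not part of the original posts. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts and PrintManagement modules; the account name, address, queue, printer name and driver are constructed placeholders.

```powershell
# Provision a workgroup (non-domain) guest PC: expiring local user plus a machine-wide LPR printer.
# Every default below is a placeholder for illustration; replace with real values.
#Requires -RunAsAdministrator
param(
    [string]$GuestName   = 'guest01',             # hypothetical local account name
    [int]   $ValidDays   = 14,                    # length of the visit in days
    [string]$PrinterHost = '192.0.2.50',          # placeholder printer or print-server address
    [string]$LprQueue    = 'raw',                 # printer name on the server when going via LPD
    [string]$DriverName  = 'Generic / Text Only'  # a driver already installed on this PC
)

# 1. Stop if the machine is domain-joined: guest PCs are meant to stay off the domain.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This PC is domain-joined; guest PCs should remain in a workgroup.'
}

# 2. Local standard user that expires by itself when the visit ends.
$password = Read-Host -AsSecureString "Password for $GuestName"
New-LocalUser -Name $GuestName -Password $password `
    -AccountExpires (Get-Date).AddDays($ValidDays) `
    -Description 'Temporary guest account' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $GuestName   # standard user, not Administrators

# 3. LPR port and printer, installed per machine so every local user sees it.
$portName = "LPR_$PrinterHost"
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -LprHostAddress $PrinterHost -LprQueueName $LprQueue
}
if (-not (Get-Printer -Name 'Guest Printer' -ErrorAction SilentlyContinue)) {
    Add-Printer -Name 'Guest Printer' -PortName $portName -DriverName $DriverName
}

# 4. Check: the guest must not have ended up in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$GuestName") {
    Write-Warning "$GuestName is a local administrator; remove it from that group."
}
Get-LocalUser -Name $GuestName | Select-Object Name, Enabled, AccountExpires
```

The group names `Users` and `Administrators` are the English ones; on a localized Windows install they differ.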
 

Author Closing Comment

by:jskfan
Thank you Guys!
0
