Solved

Generic user accounts in Active Directory

Posted on 2014-02-02
Last Modified: 2014-02-12
We have a need for a generic user account that can be used on 5-10 lab desktop computers.  The lab computers are used by a bunch of employees to run various tests in our labs.  We tried using a local computer account but the engineers need access to server shares and it always asks for credentials, which means some of their private directories are vulnerable to other users.  For a variety of reasons, using individual user accounts doesn't work.  The IT policy at our company doesn't allow generic user accounts.  I don't know Windows 2008 server well enough, but is there any way to create a restricted user account in Active Directory, that we can somehow restrict logins onto these lab computers?  I think the concern in the IT department is that if there is a general user account where everyone knows the password, it will create a security hole, and I understand this.  I was just hoping there were some user account or group policy options that might be able to restrict this user account to certain machines.
Question by:jbobst
4 Comments
 
LVL 11

Accepted Solution

by:
Venugopal N earned 250 total points
ID: 39827894
You can restrict users to logging on to specific computers in 2 ways.

1. Adding the list of computers to the "Log On To" properties of the user's account, i.e. the computers the user needs to be allowed to log on to.
2. By using a GPO: "Allow log on locally" to allow logon to the list of computers, and "Deny log on locally" to deny the user logon to the computers.

Refer to the link below for steps and more info.

http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
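Added example, not part of the original answer: the "Log On To" restriction from option 1 applied and verified with the ActiveDirectory PowerShell module. The account name `lab-shared` and the `LAB-PC0x` computer names are hypothetical placeholders; the GPO route from option 2 is not scripted here.

```powershell
# Added example: hypothetical account and computer names, not from the thread.
Import-Module ActiveDirectory   # RSAT Active Directory module

$account  = 'lab-shared'                          # hypothetical restricted account
$labHosts = 'LAB-PC01', 'LAB-PC02', 'LAB-PC03'    # hypothetical lab desktops

# Refuse to write the restriction if a computer object is missing;
# a mistyped name would leave the account unable to log on at that host.
$missing = $labHosts | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") }
if ($missing) { throw "Computer objects not found: $($missing -join ', ')" }

# Option 1 from the answer: the "Log On To" list. It is stored as a
# comma-separated string in the userWorkstations attribute.
Set-ADUser -Identity $account -LogonWorkstations ($labHosts -join ',')

# Read the value back and report drift from the intended list, so the same
# check can be re-run later to catch someone widening the restriction.
$user    = Get-ADUser -Identity $account -Properties LogonWorkstations
$current = @($user.LogonWorkstations -split ',' | Where-Object { $_ })

if ($current.Count -eq 0) {
    Write-Warning "$account has no workstation restriction (can log on anywhere)."
} elseif ($drift = Compare-Object -ReferenceObject $labHosts -DifferenceObject $current) {
    $drift | Format-Table InputObject, SideIndicator
    Write-Warning "$account is not restricted to exactly the intended lab computers."
} else {
    Write-Output "$account may log on to: $($current -join ', ')"
}
```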
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 39829218
I would recommend creating a new group with the users' individual domain accounts as members and then giving that group permissions on those computers or shares.
The concern of your security team is valid, so why not use the users' existing domain accounts? Also, you can create some different accounts for each user, like _firstname.lastname, then add them to a group and grant that group whatever access is needed.
0
 
LVL 1

Author Comment

by:jbobst
ID: 39829408
All my users already have rights to all the needed shares on the server, so adding them to additional groups wouldn't fix the problem. The problem is, if user A goes to a lab computer and logs in as him/herself, the tests they run often take hours at a time, and other people are often working on the computer during the test, or after the test. The other people working on the computer now have possible access to private folders of the person who first logged in. In some cases a manager-level person will be using the lab computer, and he will have access to shares (that even get mapped when he logs in) that other people don't. We used to have a generic user account that had access to all the general company shares and this worked perfectly. But with stricter IT controls, we no longer can have that general account.

This got me thinking though, can I give a local user account of the lab machines security rights to read and write in the shares on our Windows Server?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39829483
Nope, unless your existing Windows domain has some kind of trust relationship with the lab domain (if there is any domain in the lab); it can be one-way as well, to have better security.
0
