Solved

Generic user accounts in Active Directory

Posted on 2014-02-02
Last Modified: 2014-02-12
We have a need for a generic user account that can be used on 5-10 lab desktop computers.  The lab computers are used by a bunch of employees to run various tests in our labs.  We tried using a local computer account but the engineers need access to server shares and it always asks for credentials, which means some of their private directories are vulnerable to other users.  For a variety of reasons, using individual user accounts doesn't work.  The IT policy at our company doesn't allow generic user accounts.  I don't know Windows 2008 server well enough, but is there any way to create a restricted user account in Active Directory, that we can somehow restrict logins onto these lab computers?  I think the concern in the IT department is that if there is a general user account where everyone knows the password, it will create a security hole, and I understand this.  I was just hoping there were some user account or group policy options that might be able to restrict this user account to certain machines.
0
Question by:jbobst
 
LVL 11

Accepted Solution

by:
Venugopal N earned 250 total points
ID: 39827894
You can restrict users to logging on to specific computers in 2 ways.

1. Adding the list of computers in the "Log On To" properties of the user's account, i.e. the computers the user needs to be allowed to log on to.
2. By using a GPO: "Allow log on locally" to allow logon to the list of computers, and "Deny log on locally" to deny the user logon to the computers.

Refer to the link below for steps and more info.

http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
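The "Log On To" restriction from the accepted answer, scripted and then read back for audit. This is an added PowerShell example, not part of the original answer; it assumes the ActiveDirectory module (RSAT) is available, and the account name `lab-generic` and the `LAB-PC0x` computer names are hypothetical.

```powershell
Import-Module ActiveDirectory

$Account      = 'lab-generic'                      # hypothetical account name
$LabComputers = 'LAB-PC01','LAB-PC02','LAB-PC03'   # hypothetical computer names

# Refuse to write names that do not resolve to computer objects in AD:
# a typo in this list would keep the account off the machine it was meant for.
$missing = foreach ($name in $LabComputers) {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) { $name }
}
if ($missing) { throw "Computer(s) not found in AD: $($missing -join ', ')" }

# "Log On To" in Active Directory Users and Computers is stored in the
# userWorkstations attribute as a comma-separated list of computer names.
Set-ADUser -Identity $Account -LogonWorkstations ($LabComputers -join ',')

# Audit: read the attribute back instead of trusting the write.
$user    = Get-ADUser -Identity $Account -Properties userWorkstations, MemberOf
$allowed = @($user.userWorkstations -split ',' | Where-Object { $_ })

# An empty value means "all computers", i.e. the account is unrestricted.
if ($allowed.Count -eq 0) {
    Write-Warning "$Account has no workstation restriction"
}

# Names present on the account but absent from the approved list indicate drift.
$unexpected = @($allowed | Where-Object { $LabComputers -notcontains $_ })

# Group membership decides which shares the account reaches, so report it
# alongside the logon restriction for review.
$groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

[pscustomobject]@{
    Account    = $user.SamAccountName
    Restricted = ($allowed.Count -gt 0)
    AllowedOn  = $allowed -join ', '
    Unexpected = $unexpected -join ', '
    Groups     = $groups -join ', '
}
```

Running the audit half on a schedule and alerting when `Restricted` is false or `Unexpected` is non-empty catches later changes to the account.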
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 39829218
I would recommend that you create a new group with the users' individual domain accounts as members and then give that group permissions on those computers or shares.
The concern of your security team is valid, so why not use the users' existing domain accounts? Also, you can create some different accounts for each user, like _firstname.lastname, then add them to a group and grant that group whatever access is needed.
0
 
LVL 1

Author Comment

by:jbobst
ID: 39829408
All my users already have rights to all the needed shares on the server, so adding them to additional groups wouldn't fix the problem. The problem is, if user A goes to a lab computer and logs in as him/herself, the tests they run often take hours at a time, and other people are often working on the computer during the test, or after the test. The other people working on the computer now have possible access to private folders of the person who first logged in. In some cases a manager-level person will be using the lab computer, and he will have access to shares (that even get mapped when he logs in) that other people don't. We used to have a generic user account that had access to all the general company shares and this worked perfectly. But with stricter IT controls, we no longer can have that general account.

This got me thinking though, can I give a local user account of the lab machines security rights to read and write in the shares on our Windows Server?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39829483
Nope, unless your existing Windows domain has some kind of trust relationship with the lab domain (if there is any domain in the lab); it can be one-way as well, for better security.
0

Question has a verified solution.
