[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Generic user accounts in Active Directory

Posted on 2014-02-02
4
Medium Priority
?
6,048 Views
Last Modified: 2014-02-12
We have a need for a generic user account that can be used on 5-10 lab desktop computers.  The lab computers are used by a bunch of employees to run various tests in our labs.  We tried using a local computer account but the engineers need access to server shares and it always asks for credentials, which means some of their private directories are vulnerable to other users.  For a variety of reasons, using individual user accounts doesn't work.  The IT policy at our company doesn't allow generic user accounts.  I don't know Windows 2008 server well enough, but is there any way to create a restricted user account in Active Directory, that we can somehow restrict logins onto these lab computers?  I think the concern in the IT department is that if there is a general user account where everyone knows the password, it will create a security hole, and I understand this.  I was just hoping there were some user account or group policy options that might be able to restrict this user account to certain machines.
0
Comment
Question by:jbobst
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
Venugopal N earned 1000 total points
ID: 39827894
You can restrict the users to log on on specific computers by 2 ways.

1.Adding the computers list in " Log On To " properties of the user's account ,for which the user need to allow log on to the computers.
2.By using the GPO , Allow logon Locally to allow logon to the list of computers and deny logon Locally to deny the user to logon to the computers.

Refer the below link for steps and more info..

http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 1000 total points
ID: 39829218
i would recommend that create a new group with the users individual domain accounts as members and then give that group permissions on those computers or shares.
the concern of your security team is valid so why not to use users existing domain accounts? also you can create some diff accounts for each user like _firstname.lastname then add them in a group and grant that group whatever access is needed.
0
 
LVL 1

Author Comment

by:jbobst
ID: 39829408
All my users already have rights to all the needed shares on the server so adding them additional groups wouldn't fix the problem.  The problem is, if user a goes to a lab computer, logs in as him/her self, the tests they run often take hours at a time, and other people are often working on the computer during the test, or after the test.  The other people working on the computer now have possible access to private folders to the person who first logged in.  In some cases a manager level person will be using the lab computer, and he will have access to shares (that even get mapped when he logs in) that other people don't.  We used to have a generic user account that had access to all the general company shares and this worked perfectly.  But with stricter IT controls, we no longer can have that general account.

This got me thinking though, can I give a local user account of the lab machines security rights to read and write in the shares on our Windows Server?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39829483
Nope unless ur existing windows domain has some kind of trust relationship with lab domain(if there is any domain in lab), it ca be one way as well to have better security.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question