Solved

Generic user accounts in Active Directory

Posted on 2014-02-02
4
5,278 Views
Last Modified: 2014-02-12
We have a need for a generic user account that can be used on 5-10 lab desktop computers.  The lab computers are used by a bunch of employees to run various tests in our labs.  We tried using a local computer account but the engineers need access to server shares and it always asks for credentials, which means some of their private directories are vulnerable to other users.  For a variety of reasons, using individual user accounts doesn't work.  The IT policy at our company doesn't allow generic user accounts.  I don't know Windows 2008 server well enough, but is there any way to create a restricted user account in Active Directory, that we can somehow restrict logins onto these lab computers?  I think the concern in the IT department is that if there is a general user account where everyone knows the password, it will create a security hole, and I understand this.  I was just hoping there were some user account or group policy options that might be able to restrict this user account to certain machines.
0
Comment
Question by:jbobst
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
Venugopal N earned 250 total points
ID: 39827894
You can restrict the users to log on on specific computers by 2 ways.

1.Adding the computers list in " Log On To " properties of the user's account ,for which the user need to allow log on to the computers.
2.By using the GPO , Allow logon Locally to allow logon to the list of computers and deny logon Locally to deny the user to logon to the computers.

Refer the below link for steps and more info..

http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 250 total points
ID: 39829218
i would recommend that create a new group with the users individual domain accounts as members and then give that group permissions on those computers or shares.
the concern of your security team is valid so why not to use users existing domain accounts? also you can create some diff accounts for each user like _firstname.lastname then add them in a group and grant that group whatever access is needed.
0
 
LVL 1

Author Comment

by:jbobst
ID: 39829408
All my users already have rights to all the needed shares on the server so adding them additional groups wouldn't fix the problem.  The problem is, if user a goes to a lab computer, logs in as him/her self, the tests they run often take hours at a time, and other people are often working on the computer during the test, or after the test.  The other people working on the computer now have possible access to private folders to the person who first logged in.  In some cases a manager level person will be using the lab computer, and he will have access to shares (that even get mapped when he logs in) that other people don't.  We used to have a generic user account that had access to all the general company shares and this worked perfectly.  But with stricter IT controls, we no longer can have that general account.

This got me thinking though, can I give a local user account of the lab machines security rights to read and write in the shares on our Windows Server?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39829483
Nope unless ur existing windows domain has some kind of trust relationship with lab domain(if there is any domain in lab), it ca be one way as well to have better security.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question