?
Solved

Generic user accounts in Active Directory

Posted on 2014-02-02
4
Medium Priority
?
5,809 Views
Last Modified: 2014-02-12
We have a need for a generic user account that can be used on 5-10 lab desktop computers.  The lab computers are used by a bunch of employees to run various tests in our labs.  We tried using a local computer account but the engineers need access to server shares and it always asks for credentials, which means some of their private directories are vulnerable to other users.  For a variety of reasons, using individual user accounts doesn't work.  The IT policy at our company doesn't allow generic user accounts.  I don't know Windows 2008 server well enough, but is there any way to create a restricted user account in Active Directory, that we can somehow restrict logins onto these lab computers?  I think the concern in the IT department is that if there is a general user account where everyone knows the password, it will create a security hole, and I understand this.  I was just hoping there were some user account or group policy options that might be able to restrict this user account to certain machines.
0
Comment
Question by:jbobst
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 11

Accepted Solution

by:
Venugopal N earned 1000 total points
ID: 39827894
You can restrict the users to log on on specific computers by 2 ways.

1.Adding the computers list in " Log On To " properties of the user's account ,for which the user need to allow log on to the computers.
2.By using the GPO , Allow logon Locally to allow logon to the list of computers and deny logon Locally to deny the user to logon to the computers.

Refer the below link for steps and more info..

http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
 
LVL 10

Assisted Solution

by:Pramod Ubhe
Pramod Ubhe earned 1000 total points
ID: 39829218
i would recommend that create a new group with the users individual domain accounts as members and then give that group permissions on those computers or shares.
the concern of your security team is valid so why not to use users existing domain accounts? also you can create some diff accounts for each user like _firstname.lastname then add them in a group and grant that group whatever access is needed.
0
 
LVL 1

Author Comment

by:jbobst
ID: 39829408
All my users already have rights to all the needed shares on the server so adding them additional groups wouldn't fix the problem.  The problem is, if user a goes to a lab computer, logs in as him/her self, the tests they run often take hours at a time, and other people are often working on the computer during the test, or after the test.  The other people working on the computer now have possible access to private folders to the person who first logged in.  In some cases a manager level person will be using the lab computer, and he will have access to shares (that even get mapped when he logs in) that other people don't.  We used to have a generic user account that had access to all the general company shares and this worked perfectly.  But with stricter IT controls, we no longer can have that general account.

This got me thinking though, can I give a local user account of the lab machines security rights to read and write in the shares on our Windows Server?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39829483
Nope unless ur existing windows domain has some kind of trust relationship with lab domain(if there is any domain in lab), it ca be one way as well to have better security.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month10 days, 4 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question