User account lockdown

By hellofellow
What is the easiest way to prevent a "guest" domain account from accessing basically anything but the internet in an Active Directory environment? I also need to block access to all servers from this account.

Any help would be greatly appreciated.



Easy answer here

by OH Smeg Moderator In reply to User account lockdown

Is to not join the Guest Account to the Domain.

Better still, have a separate LAN for Guest Accounts, which generally speaking is for WiFi Access, so set up a WiFi Access Point for your guests not involved with the network.



This isn't going to work

by hellofellow In reply to Easy answer here

Then I would have to go around and enable the guest account on every PC, and there is no WiFi available currently.


Set up a separate wireless account

by justwippet In reply to This isn't going to work

I agree. Pay a little extra money to bring in a basic cable account and buy a cheap wireless router and you're all set. That's what our firm has done. Make the passphrase readily available to guests and you don't have to worry about your network being compromised.


So you want a Guest Account on every computer?

by OH Smeg Moderator In reply to This isn't going to work

That isn't what you asked and by your description I don't think it's going to work either.

They would just find a workstation not being used and log onto the Net with the already open User Account.

That's not a good idea and certainly leaves the company open to Legal Challenges if they enforce a Computer Use Policy and terminate a worker for breaching it. If that worker's User Account can be used by anyone, then it is obvious that Anyone did what that Worker was terminated for, and there is no way to prove that the person terminated was responsible for the breach of policy.

Even worse here is that one of the Guests could open something on the Net and infect the entire Network.

Neither is a good idea or good for business but some places have to learn the hard way.



log on to

by Jacques.Gordon In reply to User account lockdown

How about using "log on to" rules and setting up only one computer that they can log on to that has very limited internet-only access?


They need more flexibility

by hellofellow In reply to log on to

The business likes to be able to use any open computer that is available if need be for visitors.

I believe I may have figured out the shared drive issue using group policy, and I'm hoping I can lock down the servers a little better the same way.


proxy server

by Jacques.Gordon In reply to They need more flexibilit ...

How about moving the guest account to a new OU and applying a GPO that forces them to use a proxy server that blocks everything except port 80?


I think everyone is getting kinda confused...

The way I understand it, the issue is NOT to create or enable the Local Guest account but to enable guests to log onto the domain for the sole purpose of using internet resources.

Right? Well then.

Create a "guest-like" account with a secure password (e.g. domain_name_guest/domainguest1234), and add this account to a specific global security group in AD.

You can then use this GG to assign GPOs to point to specific RADIUS/IAS server/s for authentication to the internet only.

You can also kill three birds with one rock by locking the machines down using GPO computer startup scripts or user login scripts.
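
The account, security group and GPO scoping described in the post above, combined with the proxy GPO suggested earlier in the thread, as an added PowerShell example that is not part of any poster's reply. The OU, group, account and GPO names and the proxy host are hypothetical, and the ActiveDirectory and GroupPolicy modules (RSAT) are assumed to be installed.

```powershell
# Added example. Every name below (OU, group, account, GPO, proxy host) is hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'Visitors'
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'GG-Visitor-InternetOnly'
$userName  = 'visitor01'
$gpoName   = 'Visitor - Internet Only'

# 1. Dedicated OU so the visitor policy never touches staff accounts.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN

# 2. Global security group: used for GPO filtering here, and available for
#    deny entries on shares and servers.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN

# 3. Visitor account. The password is prompted for, never written into the script.
$password = Read-Host -AsSecureString -Prompt "Password for $userName"
New-ADUser -Name $userName -SamAccountName $userName -Path $ouDN `
    -AccountPassword $password -Enabled $true -CannotChangePassword $true `
    -Description 'Shared visitor logon, internet only'
Add-ADGroupMember -Identity $groupName -Members $userName

# 4. GPO linked to the OU and security-filtered so only the visitor group applies it.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDN | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Per-user proxy setting (placeholder host). What is reachable through the
#    proxy is enforced on the proxy itself, not by this client-side setting.
$inetKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $inetKey -ValueName ProxyEnable `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $inetKey -ValueName ProxyServer `
    -Type String -Value 'proxy.example.internal:8080' | Out-Null

# 6. Verify group membership and the GPO's security filtering.
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

Blocking the account from servers is a user rights assignment ("Deny log on locally", "Deny access to this computer from the network") set in the Group Policy editor on a GPO linked to the servers' OU, with the visitor group added; the GroupPolicy module has no cmdlet for it.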


Why not simply

by IC-IT In reply to User account lockdown

Add a limited account Local user. They will have Internet but not Intranet access.
