What is the easiest way to prevent a "guest" domain account from accessing basically anything but the internet in an Active Directory environment? I also need to block access to all servers from this account.
Any help would be greatly appreciated.
Thanks!
Better still, have a separate LAN for Guest Accounts, which generally speaking is for WiFi Access, so set up a WiFi Access Point for your guests not involved with the network.
I agree. Pay a little extra money to bring in a basic cable account and buy a cheap wireless router and you're all set. That's what our firm has done. Make the passphrase readily available to guests and you don't have to worry about your network being compromised.
That isn't what you asked and by your description I don't think it's going to work either.
They would just find a workstation not being used and log onto the Net with the already open User Account.
That's not a good idea and certainly leaves the company open to Legal Challenges if they enforce a Computer Use Policy and terminate a worker for breaching it. If that worker's User Account can be used by anyone then it is obvious that Anyone did what that Worker was terminated for and there is no way to prove that the person terminated was responsible for the breach of policy.
Even worse here is that one of the Guests could open something on the Net and infect the entire Network.
Neither is a good idea or good for business but some places have to learn the hard way.
The way I understand it, the issue is NOT to create or enable the Local Guest account but to enable guests to log onto the domain for the sole purpose of using internet resources.
Right? Well then.
Create a "guest-like" account with a secure password (e.g. domain_name_guest/domainguest1234), and add this account to a specific global security group in AD.
You can then use this GG to assign GPOs to point to specific RADIUS/IAS server/s for authentication to the internet only.
You can also kill three birds with one rock by locking the machines down using GPO computer startup scripts or user login scripts.
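The account, global group and GPO steps described in the post above, as an added PowerShell example that is not part of the original thread; it does not cover the RADIUS/IAS side. The OU path, group, account, GPO name and kiosk host names are all hypothetical, and the GPO is assumed to exist already with the lockdown settings in it.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=Guests,DC=example,DC=local'   # assumed OU holding guest objects
$group   = 'GG-Internet-Guests'              # global security group for guests
$account = 'domainguest'                     # the "guest-like" domain account
$gpoName = 'Guest Lockdown'                  # assumed existing GPO with the lockdown settings
$kiosks  = 'GUEST-PC01,GUEST-PC02'           # only computers the account may log on to

# Prompt for the password so it never lands in the script or shell history.
$password = Read-Host -Prompt "Password for $account" -AsSecureString

# 1. Global security group that the lockdown GPO will be filtered on.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou

# 2. Guest-like account. LogonWorkstations limits which computers accept
#    a logon from this account, so servers are not on the list.
New-ADUser -Name $account -SamAccountName $account -Path $ou `
    -AccountPassword $password -Enabled $true `
    -CannotChangePassword $true -LogonWorkstations $kiosks
Add-ADGroupMember -Identity $group -Members $account

# 3. Security filtering: only the guest group applies the GPO;
#    Authenticated Users keep read access but no longer apply it.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Link the GPO to the OU that contains the guest account.
New-GPLink -Name $gpoName -Target $ou

# 5. Verify the result before handing the account out.
Get-ADUser -Identity $account -Properties LogonWorkstations, MemberOf |
    Select-Object SamAccountName, Enabled, LogonWorkstations, MemberOf
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```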
User account lockdown