Design: can I configure a user only to validate its password in AD and no additional resource access
I've got a question from my colleagues to enable and configure "vistor" hotspot accounts via our Network Policy Server (Windows 2008 R2 Radius).
The visitors are people from external companies, sales people, account people and so on, requiring internet access for their demo's, figures, ... and we offer a hotspot system, on which they can enter a user like guest23 with a password in a webpage to have internet access (similar to Hotels).
Today the guests accounts are configured directly on the hotspot system, but it would be easier if these users were stored in our active directory and configured and password set by our helpdesk in the AD (delegated, they're already used to AD). We have an NPS server, so via Radius the connection between the hotspot system and AD is configurable.
However, from security perspective, a user created in the AD automatically inherits a lot of rights in the Domain and its resources (like logging on to pc's, systems, services). We've created a dummy group in the past like "Non-Domain Users", and remove these users from the "domain users" default membership into "non-domain users". The only thing required here is password validation...
- Are there better ideas?
- is the "Guests" or "Domain Guests" group in AD a good alternative (or better), and what default access comes with that?
I'd create a seperate OU for guests and lock that OU down to how you want it. GPO inheritance can be disaled for this OU and more restrictive measures put in place for these users.
However, many large companies have simmilar questions, I still wonder that there isn`t somekind of default you can enable for such logonids in your existing Active Directory. Another option is to add an additional domain for all kinds of these stuations (visitors, kiosks, external people, ...) but it is in many situations not efficient in managing an extra AD for this, also ours. (additional licenses required for your management software, complexity, etc...)
I'm not sure whether I completely understand your requirement however I will try to answer it!
Users = External
Account location = AD
Access required = only internet
There could be few possibilities to achieve this-
*First approach as you mentioned
1) Create users
2) Remove their default Domain Users membership
3) Add these user accounts to a custom created security group
4) Configure the security group to restrict access via group policy using user rights assignment to only allow using internet explorer.
* Second approach would be to Loop Back group policy
1) Configure loop-back group policy on kiosk/hotspot machines
2) Allow access to only internet explorer
Windows Server: Understand “User Group Policy Loopback Processing Mode”
Loopback processing of Group Policy
* Third option could be to make use of TS RemoteApp feature with Windows 2008 server. With this you can configure internet explorer via TSApps as the console application. When users access the system they will directly launch internet explorer and nothing else. This will require additional hardware/efforts and could be a costly feature. But deepening on your environment you could chose on of these options.
TS RemoteApp Step-by-Step Guide
Sachin Gadhave MCP,MCSA,MCTS
Instead, allowing external users to login to your domain, you can create separate proxy address which doesn't requires username and password to access internet when they connect their system to your network.
The other way can be using guest account or create a new security group and give explicit access to that group.By default, all the domain users have read access to the Active directory and can query your AD because they are part of authenticated users group. You can disable users reading your AD information, but again you need to plan it carefully as steps taken wrongly can have side effects too.
Awinish Vishwakarma - MVP-DSMy Blog: awinish.wordpress.com Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- 已标记为答案 David Burghgraeve 2012年3月22日 11:58