Design: can I configure a user only to validate its password in AD and no additional resource access

  • March 16, 2012 15:19

    Hi all,

    I've got a question from my colleagues to enable and configure "visitor" hotspot accounts via our Network Policy Server (Windows 2008 R2 RADIUS).
    The visitors are people from external companies, sales people, account people and so on, requiring internet access for their demos, figures, ... and we offer a hotspot system, on which they can enter a user like guest23 with a password in a web page to have internet access (similar to hotels).

    Today the guest accounts are configured directly on the hotspot system, but it would be easier if these users were stored in our Active Directory and configured, with the password set, by our helpdesk in the AD (delegated; they're already used to AD). We have an NPS server, so via RADIUS the connection between the hotspot system and AD is configurable.

    However, from a security perspective, a user created in the AD automatically inherits a lot of rights in the domain and its resources (like logging on to PCs, systems, services). We've created a dummy group in the past like "Non-Domain Users", and move these users from the "Domain Users" default membership into "Non-Domain Users". The only thing required here is password validation...

    Question:

     - Are there better ideas?
     - Is the "Guests" or "Domain Guests" group in AD a good alternative (or better), and what default access comes with that?

    Regards,
    David.


All replies

  • March 19, 2012 19:34

    I'd create a separate OU for guests and lock that OU down to how you want it. GPO inheritance can be disabled for this OU and more restrictive measures put in place for these users.

  • March 21, 2012 7:49

    Thanks.

    However, many large companies have similar questions; I still wonder that there isn't some kind of default you can enable for such logon IDs in your existing Active Directory. Another option is to add an additional domain for all kinds of these situations (visitors, kiosks, external people, ...) but in many situations, including ours, it is not efficient to manage an extra AD for this (additional licenses required for your management software, complexity, etc...).

  • March 21, 2012 10:13
     Answered

    Hi David,
    I'm not sure whether I completely understand your requirement; however, I will try to answer it!

    Your scenario-
    Users = External
    Account location = AD
    Access required = only internet


    There could be a few possibilities to achieve this:

    * First approach, as you mentioned:
    1) Create users
    2) Remove their default Domain Users membership
    3) Add these user accounts to a custom-created security group
    4) Configure the security group to restrict access via Group Policy, using User Rights Assignment, to only allow using Internet Explorer.


    * Second approach would be to use loopback Group Policy processing:
    1) Configure loopback Group Policy on kiosk/hotspot machines
    2) Allow access to only Internet Explorer

    Ref. articles-
    Windows Server: Understand “User Group Policy Loopback Processing Mode”
    http://social.technet.microsoft.com/wiki/contents/articles/windows-server-understand-user-group-policy-loopback-processing-mode.aspx

    Loopback processing of Group Policy
    http://support.microsoft.com/kb/231287


    * Third option could be to make use of the TS RemoteApp feature with Windows Server 2008. With this you can configure Internet Explorer via TS RemoteApp as the console application. When users access the system they will directly launch Internet Explorer and nothing else. This will require additional hardware/effort and could be a costly feature. But depending on your environment you could choose one of these options.

    Ref article-
    TS RemoteApp Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc730673(v=ws.10).aspx


    HTH

    Best!
    Sachin Gadhave MCP,MCSA,MCTS
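
The first approach above (create the user, remove it from Domain Users, put it in a custom group) has one ordering detail that trips people up: AD will not remove a user from its primary group, and Domain Users is the primary group by default. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, a delegated account allowed to create users and groups in the guest OU, and the OU path `OU=Hotspot Guests,DC=corp,DC=example`, which is an assumption. The account name `guest23` and the group name `Non-Domain Users` are taken from the original post.

```powershell
# Added example (not from the thread): provision one hotspot guest account per the
# four-step approach above. Assumes RSAT ActiveDirectory and the assumed OU below.
Import-Module ActiveDirectory

$GuestOU   = 'OU=Hotspot Guests,DC=corp,DC=example'   # assumed OU for guest objects
$GroupName = 'Non-Domain Users'                        # custom group from the original post
$Guest     = 'guest23'                                 # sample account from the original post

# The custom group must exist, and must be a *global* security group, before it
# can become a user's primary group (primaryGroupID only accepts global groups).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GuestOU -PassThru
}
if ($group.GroupScope -ne 'Global') {
    throw "$GroupName must be a global group to serve as a primary group."
}

# Step 1: create the account with a random 16-character password and a 24-hour
# lifetime, so a forgotten guest account does not linger as a valid RADIUS credential.
# Ambiguous characters (0/O, 1/l/I) are left out because guests type this by hand.
$chars    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
$plain    = -join (1..16 | ForEach-Object { $chars | Get-Random })
$password = ConvertTo-SecureString $plain -AsPlainText -Force
New-ADUser -Name $Guest -SamAccountName $Guest -Path $GuestOU `
           -AccountPassword $password -Enabled $true `
           -AccountExpirationDate (Get-Date).AddHours(24) `
           -CannotChangePassword $true -Description 'Hotspot guest (RADIUS only)'

# Steps 2 and 3, in the order AD requires: add to the custom group, make that group
# the primary group (its RID is the last component of the group SID), and only then
# remove the Domain Users membership.
Add-ADGroupMember -Identity $group -Members $Guest
$rid = [int]($group.SID.Value -split '-')[-1]
Set-ADUser -Identity $Guest -Replace @{ primaryGroupID = $rid }
Remove-ADGroupMember -Identity 'Domain Users' -Members $Guest -Confirm:$false

# Check: the primary group and explicit memberships should now show only the custom group.
$user = Get-ADUser -Identity $Guest -Properties MemberOf, PrimaryGroup
$user.PrimaryGroup
$user.MemberOf

# Hand the password to the helpdesk out of band; do not write it to a log.
$plain
```

Two things this script deliberately does not do. Step 4 (the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights for the group) belongs in the GPO linked to the guest OU, not in a provisioning script. And removing Domain Users does not remove the implicit Authenticated Users membership that every successfully authenticated account receives, which is the point the moderator makes further down; the deny rights and a NPS network policy that grants hotspot access only to members of the custom group are what actually bound what these accounts can reach.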

  • March 21, 2012 10:35
    Moderator
     Answered

    Instead of allowing external users to log in to your domain, you can create a separate proxy address which doesn't require a username and password to access the internet when they connect their system to your network.

    The other way can be using the guest account, or create a new security group and give explicit access to that group. By default, all the domain users have read access to the Active Directory and can query your AD because they are part of the Authenticated Users group. You can prevent users from reading your AD information, but again you need to plan it carefully, as steps taken wrongly can have side effects too.

    http://blogs.technet.com/b/askds/archive/2011/06/17/friday-mail-sack-gargamel-edition.aspx#listobject

    http://www.chrisse.se/MAQB.asp?ID=34

    http://technet.microsoft.com/en-us/library/cc535160.aspx


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.