Domain computers with no specific user

active-directory, domain-controller, windows-server-2008-r2

We have a Windows Server 2008R2 server which is running our domain.

We have around 40 users and around 30 computers. Most of the users have their own dedicated workstation, however around 5 of the computers get logged in by one person every morning and then everyone just uses their profile for the brief duration they need to check something (usually about 2 minutes at a time).

I was wondering if it is possible to have these 5 computers in their own OU on the domain and then somehow make them auto login to a generic user account that doesn't have any of the usual drive mappings etc.

Someone could power the machines on in the morning and they boot straight into a locked version of the usual user profile.

Is this possible?

Best Answer

Sure. You can do that.

Create the "generic" account and give it permission to whatever you need to. Set a password for the account and use Group Policy to make the autologon happen.

There isn't a stock Group Policy template to control autologon. A simple template would be something like:

CLASS MACHINE 

CATEGORY "System"
    CATEGORY "Logon"
        POLICY "Auto Logon"
            KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 
            VALUENAME "AutoAdminLogon" 
            VALUEON "1" 
            VALUEOFF "0"

            PART "Username" EDITTEXT 
                VALUENAME "DefaultUserName" 
            END PART 

            PART "Domain" EDITTEXT 
                VALUENAME "DefaultDomainName" 
            END PART 

            PART "Password" EDITTEXT 
                VALUENAME "DefaultPassword" 
            END PART
        END POLICY
    END CATEGORY ; "Logon"
END CATEGORY ; "System"

Save that in an ".ADM" file, create your OU and GPO linked to it, and edit the GPO. In the Group Policy editor you'll need to right-click "Administrative Templates" and "Add/Remove Templates" to add this template. You'll find these settings under "Classic Administrative Templates".

Bear in mind that this setting will "tattoo" the registry of the PCs you apply it to. When you move them out of the OU they'll retain the autologon settings. Either remove them via script or relocate the PCs to an OU with an "evil anti-policy" GPO linked that has the autologon setting disabled to un-tattoo them.

If you want some specific Group Policy settings to apply to the generic user account be sure you put that user object in the proper location and give it the proper group memberships, etc.
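
The answer mentions removing the tattooed settings via script. One way to do that in PowerShell is sketched here as an added example that is not part of the original answer. It assumes the script runs elevated on the affected workstation (for instance as a computer startup script) and touches only the four values the template above writes.

```powershell
# Added example: clears the autologon values written by the ADM template above.
# Supports -WhatIf so the change can be previewed before it is applied.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Values populated by the template's PART entries. DefaultPassword is held in
# the registry as plain text, so it is deleted rather than blanked.
$tattooed = 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'

$current = Get-ItemProperty -Path $winlogon

# Switch autologon off first, matching the template's VALUEOFF "0" (a string value).
if (($null -ne $current.AutoAdminLogon) -and ("$($current.AutoAdminLogon)" -ne '0')) {
    if ($PSCmdlet.ShouldProcess("$winlogon\AutoAdminLogon", 'Set to 0')) {
        New-ItemProperty -Path $winlogon -Name 'AutoAdminLogon' -Value '0' `
            -PropertyType String -Force | Out-Null
    }
}

# Remove the stored credentials, skipping any value that is already absent.
foreach ($name in $tattooed) {
    if ($null -ne $current.$name) {
        if ($PSCmdlet.ShouldProcess("$winlogon\$name", 'Remove value')) {
            Remove-ItemProperty -Path $winlogon -Name $name
        }
    }
}

# Report what is left so the result can be logged or checked remotely.
$after = Get-ItemProperty -Path $winlogon
New-Object PSObject -Property @{
    Computer               = $env:COMPUTERNAME
    AutoAdminLogon         = $after.AutoAdminLogon
    DefaultPasswordPresent = ($null -ne $after.DefaultPassword)
    DefaultUserName        = $after.DefaultUserName
}
```

If the GPO with the autologon policy still applies to the computer, the values are rewritten at the next policy refresh, so run this only after the machine has left the OU.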