Domain computers with no specific user?
We have a Windows Server 2008R2 server which is running our domain.
We have around 40 users and around 30 computers. Most of the users have their own dedicated workstation, however around 5 of the computers get logged in by one person every morning and then everyone just uses their profile for the brief duration they need to check something (usually about 2 minutes at a time).
I was wondering if it is possible to have these 5 computers in their own OU on the domain and then somehow make them auto login to a generic user account that doesn't have any of the usual drive mappings etc.
Someone could power the machines on in the morning and they boot straight into a locked version of the usual user profile.
Is this possible?
Sure. You can do that.
Create the "generic" account and give it permission to whatever you need to. Set a password for the account and use Group Policy to make the autologon happen.
There isn't a stock Group Policy template to control autologon. A simple template would be something like:
    CLASS MACHINE

    CATEGORY "System"
        CATEGORY "Logon"
            POLICY "Auto Logon"
                KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                ; Quoted values are written as REG_SZ strings, which is the type Winlogon uses for AutoAdminLogon
                VALUENAME "AutoAdminLogon"
                VALUEON "1"
                VALUEOFF "0"

                PART "Username" EDITTEXT
                    VALUENAME "DefaultUserName"
                END PART

                PART "Domain" EDITTEXT
                    VALUENAME "DefaultDomainName"
                END PART

                ; DefaultPassword is stored in the registry in clear text
                PART "Password" EDITTEXT
                    VALUENAME "DefaultPassword"
                END PART
            END POLICY
        END CATEGORY ; "Logon"
    END CATEGORY ; "System"
Save that in an ".ADM" file, create your OU and GPO linked to it, and edit the GPO. In the Group Policy editor you'll need to right-click "Administrative Templates" and "Add/Remove Templates" to add this template. You'll find these settings under "Classic Administrative Templates".
Bear in mind that this setting will "tattoo" the registry of the PCs you apply it to. When you move them out of the OU they'll retain the autologon settings. Either remove them via script or relocate the PCs to an OU with an "evil anti-policy" GPO linked that has the autologon setting disabled to un-tattoo them.
If you want some specific Group Policy settings to apply to the generic user account be sure you put that user object in the proper location and give it the proper group memberships, etc.
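The answer above mentions removing the tattooed autologon settings "via script". One way to do that, as an added example that is not part of the original answer: a PowerShell script, run elevated on the PC itself, that reports the Winlogon autologon values, switches autologon off and deletes the stored password. The function names `Get-AutoLogonState` and `Clear-AutoLogon` are hypothetical.

```powershell
# Added example: audit and clear tattooed autologon values on the local PC.
# Run from an elevated PowerShell prompt (or as a computer startup script).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {   # hypothetical helper name
    $p = Get-ItemProperty -Path $winlogon
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        AutoAdminLogon    = $p.AutoAdminLogon
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        # Report only whether a password is stored, never the value itself.
        PasswordStored    = ($null -ne $p.DefaultPassword)
    }
}

function Clear-AutoLogon {      # hypothetical helper name
    # Same effect as the template's VALUEOFF: AutoAdminLogon = "0" (REG_SZ).
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    # DefaultPassword is stored in clear text, so delete it outright.
    if ($null -ne (Get-ItemProperty -Path $winlogon).DefaultPassword) {
        Remove-ItemProperty -Path $winlogon -Name DefaultPassword
    }
    # DefaultUserName and DefaultDomainName hold no secret and are left alone.
}

Write-Output 'Before:'
Get-AutoLogonState | Format-List
Clear-AutoLogon
Write-Output 'After:'
Get-AutoLogonState | Format-List
```

Run it only after the PC has left the autologon OU; while the GPO still applies, the next policy refresh writes the values back.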
It is possible. Create an OU for the computers, move the computers to the OU, create the generic user account in the OU, create a GPO for the OU and link it to the OU, set the appropriate computer and user settings in the OU, and set the necessary registry information on the computers to automatically log in the generic user.
If you don't want higher level GPO settings applied to the OU then you can block inheritance on the new OU. You could also use GPO Security Filtering on the higher level OUs to apply them to a group that contains everything but the generic user and the 5 computers, but it's safer and less cumbersome to block inheritance on the specific OU.