How to Let Guests Use VPN

[Baboon]

We have some lab type XP machines where the users need to make a VPN
connection. The users log on using domain accounts, but it is desired that
the users not leave behind profiles. To solve this problem we used the old
trick of adding the Domain Users group to the local Guests group on the
machines.

The problem:
I see that Guests apparently are not allowed to use VPN connections. This
includes ones that Adminstrators create for all users. Does anyone know of a
way around this?

Thanks.

 

[Mervyn Zhang [MSFT]]

Hi,

Thank you for posting here.

According to your description, I understand that:

Some users need to use VPN but you wouldn't like them to leave profile on
XP clients. You have tried to add them to Guests group but guest cannot use
VPN.

If I have misunderstood the problem, please don't hesitate to let me know.

We can use roaming profiles for those user and enable "Delete cached copies
of roaming profiles" to solve this issue.

1. Active Directory Users and Computers, right-click the account you would
like to configure, choose Properties, switch to Profile tab, configure
profile accordingly.
2. Open GPMC.MSC, find the GPO for Windows XP clients or create a new GPO
for Windows XP clients, choose to Edit it. Navigate to the following
location:

[Computer Configuration \ Administrative Templates \ System \ User
Profiles]

Double-click "Delete cached copies of roaming profiles", click Enable.
3. Run "gpupdate /force" and server and restart the clients to test.


For more information about Roaming User Profiles, please refer to the
following article.

Configuring Roaming User Profiles
http://technet.microsoft.com/en-us/library/cc738596.aspx

Implementing Roaming User Profiles
http://technet.microsoft.com/en-us/library/cc784961.aspx

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Baboon]

Thanks for the reply.

We cannot use roaming profiles as a solution. There is no server space
available for the profiles. Also, it would be too difficult to keep track of
who uses these particular computers.

I was hoping there was a way to allow Guests to use VPN connections.

Cheers.

 

[Mervyn Zhang [MSFT]]

Hi,

Thank you for your update. I understand there is not server space available
for the profile and you wouldn't like to use Roaming Profile.

However, I would like to explain that it's strongly suggested not to use
Guest account as a solution. If you enable Guest account, there will be a
big security risk because an unauthorized user could gain anonymous access
to the system through this account. Moreover, if you add Domain User group
to Guest Group, there will be many potential permission issues and
compatible issues due to the limitation on Guest account.

Membership in the Guests group should only be granted to users who are
intended to be guests on a computer or in a domain. It should never be
granted to regular users. Guest accounts are not meant for users who have
data and need to log on and off domains often. By intent, guests are people
who may need to log to on a domain for a specific reason and then log off,
but they do not stay or use the system for an extended time. If users log
on to a domain frequently enough that they would want to customize a
desktop and keep data on it, they are not guests; they should be considered
users, and should no longer be part of the Guests group.

Actually, the most recommended way to meet the requirement is to configure
user to use roaming profile and enable the "Delete cached copies of roaming
profiles" group policy. I understand that you do not have enough storage to
store roaming profiles. In this situation, you may consider creating a
schedule task to shutdown clients periodically; meanwhile, you can
configure a computer shutdown script to delete user profiles. To delete a
user profile, you may use the DelProf.exe tool as described in the
following links:

User Profile Deletion Utility (Delprof.exe)
http://www.microsoft.com/DownLoads/details.aspx?FamilyID=901a9b95-6063-4462-
8150-360394e98e1e&displaylang=en
How To Delete User Profiles by Using the User Profile Deletion Utility
(Delprof.exe) in Windows 2000
http://support.microsoft.com/kb/315411

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.