The Windows domain guest account is really cool. Every time it logs in, it creates a new profiles based on the default profile. Every time it logs out that profile is deleted. This is different behavior from the local guest account, which has limited permissions but does maintain its profile across logins.
The downside of the Windows domain guest account is that it is not a member of authenticated users, it can’t access the SYSVOL share, everywhere you go in Windows it is denied security access, and none of this is documented. (This could also be an upside, because it keeps viruses from doing nasty things.) One of the effects of all this restriction is that user group policies are not applies to the domain guest account. It doesn’t have enough security permissions to read them or run them.
These instructions are written for a very specific scenario, which is automatically connecting to a network printer and setting it as the default when the guest account logs in. Normally we would do this with group policy, but because that is out of our reach we have to get creative. These same tactics can also be applies to mapping network drives or just about any other task that can be accomplished with registry settings and batch files.
The first step is to create a batch file that adds the network printer and sets it as the default.
@Echo Off REM Add printer rundll32 printui.dll,PrintUIEntry /in /n"\\server\\printer name" REM Set printer as default rundll32 printui.dll,PrintUIEntry /y /n"\\server\printer name"
Save this file as
Set Default Printer.bat inside of the
The second step is to create a computer group policy to copy this file to each workstation. Computer Configuration, Preferences, Windows Settings, Files. Create a new file with the following settings:
Action: Replace (optional) Source File: \\server\netlogon\Set Default Printer.bat Destination File: C:\Set Default Printer.bat Under the Common tab, select "Remove this item when it is no longer applied." (optional)
Because this is a computer group policy, it will run in the context of the computer’s active directory account before the login prompt is presented.
The third step is to create a computer group policy to add a registry string to automatically run
Set Default Printer.bat whenever anyone logs in. Computer Configuration, Preferences, Windows Settings, Registry. Create a new registry item with the following settings:
Action: Replace (optional) Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value name: Set Default Printer Value type: REG_SZ Value data: "C:\Set Default Printer.bat" Under the Common tab, select "Remove this item when it is no longer applied." (optional)
Obviously, this is going to run for any user that logs on to the computer, so if it is used by both guests and normal users, and if you don’t want to perform these actions for normal users, you will have to do to extra steps to keep that from happening. One way to do this would be to create some type of logic in your batch file to detect if you are running as guest. I haven’t looked into how to do that, but I would assume it can be done.
This technique can be paired with modifying the default profile to create a finely tuned kiosk interface.