HR has asked me to set up a machine or laptop for potential candidates to use during job interviews to create a sample application. The account used by the candidates should automatically delete any data they create on the local machine after they log out. The account should not have local administrator privileges, and should not be able to install new applications. However, the account should be able to access the applications already installed on the system, and potentially a specific network location where the candidate can store their work for review or in case of a system crash.
I believe I have seen temporary accounts like this in a Windows environment before, but I am unable to find reliable documentation on how to create one. I am curious if this is a per-machine setting or if it can be defined via Group Policy Objects (GPOs), which would make it easier to replace the machine or laptop in the future.
Although there is a “guest” account in Windows, it does not automatically delete data created by the user. Additionally, it may be difficult to set up access to a network location for a guest account.
3 Answers
Introduction
Setting up a temporary Windows account is a common requirement in many organizations. It is often needed for job interviews, training sessions, or other situations where a user needs temporary access to a Windows machine or laptop. In this blog post, we will discuss how to set up a temporary Windows account that automatically deletes user data after the user logs out. We will also cover how to restrict the account’s privileges, and how to provide access to specific applications and network locations.
Creating a Temporary Windows Account
To create a temporary Windows account, you can use the built-in “Guest” account feature in Windows. However, as mentioned earlier, the Guest account does not automatically delete user data. Therefore, we need to create a custom account that meets our requirements.
The easiest way to create a temporary account is to use the “net user” command in Windows Command Prompt. Here are the steps:
1. Open Command Prompt as an administrator.
2. Type the following command: “net user
3. Press Enter to create the account.
This command creates a user account with the specified username and an expiration date. When the expiration date is reached, the account is automatically disabled and can no longer be used.
Restricting Account Privileges
By default, the account created using the “net user” command has limited privileges. However, you may want to further restrict the account to prevent the user from installing new applications or changing system settings.
To restrict the account, you can use the built-in “Local Users and Groups” feature in Windows. Here are the steps:
1. Open the “Local Users and Groups” console by typing “lusrmgr.msc” in the Windows search bar and pressing Enter.
2. In the console, navigate to “Users”.
3. Right-click on the temporary account and select “Properties”.
4. In the “Properties” window, go to the “Member Of” tab.
5. Click the “Add” button and enter the name of a group you want the user to be a member of. For example, you can add the “Users” group to give the user basic privileges on the machine.
6. Click “OK” to save the changes.
You can repeat steps 5 and 6 to add more groups as needed. By default, the temporary account should not be a member of any groups that grant administrator privileges.
Accessing Applications and Network Locations
Once the temporary account is created and its privileges are restricted, you may want to provide access to specific applications and network locations. Here are some ways to do this:
1. Applications: To provide access to specific applications, you can create shortcuts on the desktop or in the Start menu for the temporary account. To do this, log in to the temporary account, navigate to the desired application, right-click on its icon, and select “Create Shortcut”. Then, move the shortcut to the desktop or Start menu folder. When the user logs in to the temporary account, they will see the shortcut and be able to launch the application.
2. Network Locations: To provide access to a network location, you can create a shared folder on the network and grant the temporary account permission to access it. To do this, right-click on the folder, select “Properties”, go to the “Sharing” tab, and click “Advanced Sharing”. In the “Advanced Sharing” window, click “Permissions” and add the temporary account to the list of users. Then, grant the account the desired level of access (e.g., Read, Write, or Full Control). When the user logs in to the temporary account, they can navigate to the shared folder and access its contents.
Defining the Settings via Group Policy Objects (GPOs)
If you want to set up a temporary account on multiple machines or laptops, it may be more efficient to define the settings via Group Policy Objects (GPOs). GPOs are a powerful feature of Windows that allow you to centrally manage settings across multiple machines.
To define the settings via GPOs, you can use the Group Policy Management Console (GPMC) in Windows. Here are the steps:
1. Install the GPMC on a domain controller or a machine that has the Remote Server Administration Tools (RSAT) installed.
2. Open the GPMC and create a new GPO.
3. Edit the GPO and navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Local Policies” > “User Rights Assignment”.
4. Double-click on “Deny log on locally” and add the name of the temporary account to the list of users. This prevents the user from logging in to the machine locally (i.e., at the physical console).
5. Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Restricted Groups”.
6. Right-click on “Restricted Groups” and select “Add Group”.
7. In the “This group is a member of” section, add the names of the groups you want the user to be a member of (e.g., Users).
8. In the “Members of this group” section, add the name of the temporary account.
9. Click “OK” to save the changes.
10. Navigate to “User Configuration” > “Preferences” > “Windows Settings” > “Shortcuts”.
11. Right-click on “Shortcuts” and select “New” > “Shortcut”.
12. Fill in the details for the shortcut (e.g., the path to the application) and select “Desktop” or “Start Menu” as the location.
13. In the “Common” tab, select “Run in logged-on user’s security context”.
14. Click “OK” to save the shortcut.
These steps define the settings for the temporary account via GPOs. To apply the GPO to a machine or laptop, you can link the GPO to an Active Directory container (e.g., an OU) that contains the machine or laptop. When the machine or laptop applies the GPO, the settings will be enforced for the temporary account.
Conclusion
In this blog post, we discussed how to set up a temporary Windows account that automatically deletes user data after the user logs out. We also covered how to restrict the account’s privileges, and how to provide access to specific applications and network locations. Finally, we discussed how to define the settings via Group Policy Objects (GPOs) to efficiently set up temporary accounts on multiple machines or laptops. By following these steps, you can create a secure and efficient temporary account for job interviews, training sessions, or other situations where temporary access is required.
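As an added example (my own script, not code from the answer above or from Microsoft), here are the account and share steps of this answer done in PowerShell instead of the GUI: an expiring local account (the equivalent of the `net user ... /expires:` step), membership in Users only with an explicit check that it is not in Administrators, a review folder and SMB share that only the candidate and local administrators can reach, and a final verification before the laptop is handed over. The account name `Candidate`, the folder `C:\CandidateWork` and the share name `CandidateWork` are constructed values. One caveat in my own voice: the script deliberately leaves the "Deny log on locally" user right alone, because the candidate has to sign in at the console of this very machine.

```powershell
# Added example (not from the original answer): restricted, expiring local
# candidate account plus a locked-down review share. Run from an elevated
# PowerShell on the interview machine. All names below are constructed.
#Requires -RunAsAdministrator

$UserName  = 'Candidate'             # constructed
$SharePath = 'C:\CandidateWork'      # constructed
$ShareName = 'CandidateWork'         # constructed
$ExpiresAt = (Get-Date).AddDays(1)   # account disables itself after the interview day

# 1. Create the account if it does not exist, with an expiry date.
#    The password is prompted for, never written into the script.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $Password `
        -AccountExpires $ExpiresAt -PasswordNeverExpires `
        -Description 'Temporary interview account' | Out-Null
}

# 2. Enforce group membership: Users only, never Administrators.
if (-not (Get-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $UserName
}
if (Get-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
}

# 3. Review folder: inheritance cut, explicit NTFS ACL (SYSTEM and Administrators
#    full control, the candidate Modify), then an SMB share with matching rights.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$rules = @(
    @('NT AUTHORITY\SYSTEM',            'FullControl'),
    @('BUILTIN\Administrators',         'FullControl'),
    @("$env:COMPUTERNAME\$UserName",    'Modify')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $SharePath -AclObject $acl

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Candidate gets Change, reviewers (local admins) Full; no "Everyone" entry.
    New-SmbShare -Name $ShareName -Path $SharePath `
        -ChangeAccess $UserName -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 4. Verify the result before handing the machine over.
function Test-CandidateAccount {
    param([string]$Name)
    $user    = Get-LocalUser -Name $Name
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue)
    $isUser  = [bool](Get-LocalGroupMember -Group 'Users'          -Member $Name -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Name             = $user.Name
        Enabled          = $user.Enabled
        AccountExpires   = $user.AccountExpires
        InUsersGroup     = $isUser
        InAdministrators = $isAdmin
        Ok               = $user.Enabled -and $isUser -and -not $isAdmin -and ($null -ne $user.AccountExpires)
    }
}
Test-CandidateAccount -Name $UserName
```

`Test-CandidateAccount` is the check to re-run after any GUI change to the account: if `Ok` is false, the candidate either cannot sign in, has no expiry, or has been handed local administrator rights by mistake.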
There are a few different ways to set up a temporary Windows account that will “clean” itself after the user logs off:
- Create a local user account and configure it to use a temporary profile. When the user logs off, the system will delete the profile, including any changes made to the local machine during the user’s session. To set this up, follow these steps:
  - Open the Control Panel and go to the “User Accounts” section.
  - Click the “Manage user accounts” link.
  - Click the “Add” button and follow the prompts to create a new local user account.
  - Once the account is created, right-click on it and select “Properties”.
  - In the “Profile” tab, select the option to “Use the following profile path” and enter a path to a folder on the local machine (e.g. C:\Temp).
  - Click “OK” to save the changes.
- Use the Group Policy Object (GPO) to create a mandatory profile for the temporary user account. A mandatory profile is a special type of profile that is read-only, so any changes made to the local machine during the user’s session will not be saved. To set this up, follow these steps:
  - Create a local user account as described above.
  - Create a new folder on the local machine (e.g. C:\Temp) and set the permissions so that the temporary user account has read/write access.
  - Use the Group Policy Management Console (GPMC) to create a new GPO and link it to the appropriate Organizational Unit (OU) containing the temporary user account.
  - Edit the GPO and go to the “User Configuration” -> “Windows Settings” -> “Folder Redirection” node.
  - Right-click on the “Application Data” folder and select “Properties”.
  - In the “Target” tab, select the option to “Create a folder for each user under the root path” and enter the path to the folder you created above (e.g. C:\Temp).
  - Click “OK” to save the changes.
- Use a third-party solution, such as Deep Freeze or Time Freeze, to automatically reset the local machine to its original state after the user logs off. These types of tools allow you to specify which changes should be persisted and which should be reset, so you can configure them to retain only the apps that are installed on the system and reset everything else.
I hope this information is helpful! Let me know if you have any other questions.
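As an added example in my own words (not the answer's code, and not a Microsoft tool), here is the "clean itself after log off" part of this answer done without third-party software: a small cleanup script that deletes the candidate's local profile through the `Win32_UserProfile` CIM class (which removes both the profile folder and its `ProfileList` registry entry, unlike a bare `Remove-Item` on the folder), registered as a SYSTEM scheduled task. A profile cannot be deleted while it is loaded, so the task runs at boot and at the next logon rather than in the candidate's own logoff script. The account name `Candidate` and the path `C:\ProgramData\CandidateCleanup` are constructed values.

```powershell
# Added example (not from the original answer): wipe the candidate's local profile
# once they have signed out. Run once from an elevated PowerShell to install.
# Assumed/constructed: account 'Candidate', script folder C:\ProgramData\CandidateCleanup.
#Requires -RunAsAdministrator

$UserName   = 'Candidate'                                 # constructed
$ScriptDir  = 'C:\ProgramData\CandidateCleanup'           # constructed
$ScriptPath = Join-Path $ScriptDir 'Remove-CandidateProfile.ps1'
$TaskName   = 'Remove Candidate Profile'

# The cleanup script itself. Profiles are keyed by SID, not by name, so the account
# name is translated first. A loaded profile (user still signed in) is left alone;
# the task simply tries again on the next trigger.
$CleanupScript = @'
param([string]$Name = 'Candidate')
$sid = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$profile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID = '$sid'"
if ($null -eq $profile) { return }   # no profile since the last cleanup
if ($profile.Loaded)    { return }   # candidate still signed in
$profile | Remove-CimInstance        # deletes folder and ProfileList entry
'@

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
Set-Content -Path $ScriptPath -Value $CleanupScript -Encoding ASCII

# The script runs as SYSTEM, so only SYSTEM and Administrators may modify it;
# everyone else (including the candidate) gets read/execute only.
$acl = Get-Acl -Path $ScriptDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $ScriptDir -AclObject $acl

# Scheduled task as SYSTEM: at startup and at every logon (any user), so the stale
# profile is gone before the next candidate or reviewer uses the machine.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Name $UserName"
$triggers  = @((New-ScheduledTaskTrigger -AtStartup), (New-ScheduledTaskTrigger -AtLogOn))
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -Principal $principal -Force | Out-Null
```

Pair this with the review share from the question: anything the candidate wants kept goes to the share, everything under `C:\Users\Candidate` is gone after the next reboot or sign-in. Because the task runs as SYSTEM, the ACL on the script folder matters; a world-writable cleanup script would be a privilege escalation path for the very account it is meant to clean up after.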
Since I don’t have enough reputation to leave a comment, I’ll provide my suggestion as an answer instead. My suggestion is that you investigate Shared PC mode, as it may be precisely what you require.
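As an added example (my own script, not part of the answer above), here is how Shared PC mode can be switched on for a single machine from PowerShell through the MDM WMI bridge, which exposes the SharedPC CSP as the `MDM_SharedPC` class, with a read-back function to confirm the result. The bridge is only reachable in the SYSTEM context, so the shell has to be started with something like `psexec.exe -s -i powershell.exe`. The property names and enum values used (`EnableSharedPCMode`, `AccountModel`, `DeletionPolicy`, `RestrictLocalStorage`, `SetEduPolicies`) are my assumptions from the SharedPC CSP as I know it and should be checked against the current CSP reference.

```powershell
# Added example (not from the original answer): enable Shared PC mode locally via the
# MDM WMI bridge and read the configuration back. Must run as SYSTEM.
# Assumptions: class MDM_SharedPC in root\cimv2\mdm\dmmap; property names and enum
# values as in the SharedPC CSP (AccountModel 0 = guest only, 1 = domain only,
# 2 = both; DeletionPolicy 0 = delete at sign-out). Verify against the CSP docs.
$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_SharedPC'

function Get-SharedPcConfig {
    Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop |
        Select-Object EnableSharedPCMode, AccountModel, DeletionPolicy,
                      RestrictLocalStorage, SetEduPolicies
}

function Enable-SharedPcInterviewMode {
    $inst = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue
    if ($null -eq $inst) {
        # No instance yet: create one. ParentID/InstanceID address the CSP node.
        $inst = New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
            ParentID           = './Vendor/MSFT'
            InstanceID         = 'SharedPC'
            EnableSharedPCMode = $true
        }
    }
    $inst.EnableSharedPCMode   = $true
    $inst.AccountModel         = 2       # guest tile and domain accounts may sign in
    $inst.DeletionPolicy       = 0       # account data removed at sign-out
    $inst.RestrictLocalStorage = $false  # candidate may write locally; it is wiped at sign-out
    $inst.SetEduPolicies       = $false  # not a classroom device
    Set-CimInstance -CimInstance $inst
}

Enable-SharedPcInterviewMode
Get-SharedPcConfig
```

For a fleet of interview laptops the same CSP settings are pushed from the MDM (Intune) rather than set per machine with this script; the script is the quickest way to evaluate the mode on one box and to confirm, via `Get-SharedPcConfig`, what is actually in effect.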