We also have to provide access to the public.
We have a stack of generic AD accounts ("LibGuest-##" -- currently 25 of them). They have unknown passwords and no active hours until someone at the Circulation desk clicks the "generate" button on a web page restricted to a range of IP addresses. That kicks off a PowerShell script that enables an available account for the next 8-9 hours, generates a random password, and prints a receipt containing a welcome message, the username/password and basic instructions. It's about 5 seconds from patron request to handing them a working set of unique, secure credentials. The accounts have a login script that will immediately kick them off if they attempt to log into machines with an IP address outside of our Main Library, but otherwise, they are not restricted as to which computers (which we mostly don't control) within the library they can log into.
Complicating things, we are a "M365 shop" but not Azure AD, so our MS Office installs must be authenticated/licensed per user (i.e. not per machine). This is a problem in the off-chance the same generic account happens to use the same computer and the first user logged into M365. Microsoft does not have a means of removing cached credentials (for Office or Teams, but there are some hacks that work for Teams). Thus, when a guest account has "expired" (i.e. is outside its active hours), a scheduled PowerShell script on the server will reset the password and put it in quarantine until any user profile is guaranteed to have been wiped (max of 48 hours) based on Group Policy settings and public workstation reboot schedules.
While it is somewhat complicated, it works well and was free. As an interesting bonus, the password is constructed from 2-3 random words, and the shocking, humorous and mind-bendingly prescient combinations that come out keep us entertained (and require a disclaimer to not read "hidden" messaging). Last year, I added some code to push requests to LibInsights which gives us interesting insights about guest account requests.
Erich
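An added PowerShell sketch of the enable/expire flow described above; this is not Erich's script. The OU name, the word-list path, and the use of the user's Description attribute to hold the quarantine-until timestamp are assumptions.

```powershell
# Added example (not the list poster's script). Assumes the RSAT ActiveDirectory
# module, an OU holding the LibGuest-## accounts, a word-list file, and that the
# Description attribute is reserved for the quarantine-until timestamp.
Import-Module ActiveDirectory
$GuestOU  = 'OU=LibGuest,OU=Library,DC=example,DC=edu'   # placeholder DN
$WordList = Get-Content 'C:\LibGuest\words.txt'           # placeholder word list
$Rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex([int]$Max) {
    # CSPRNG-backed index; Get-Random in Windows PowerShell 5.1 is not a crypto RNG.
    $b = New-Object byte[] 4; $Rng.GetBytes($b)
    return [int]([BitConverter]::ToUInt32($b, 0) % $Max)
}

function New-WordPassphrase {
    # 2-3 words, capitalised and joined with a digit, as the post describes.
    $count = 2 + (Get-RandomIndex 2)
    $words = 1..$count | ForEach-Object {
        $w = $WordList[(Get-RandomIndex $WordList.Count)]
        $w.Substring(0, 1).ToUpper() + $w.Substring(1).ToLower()
    }
    return ($words -join (Get-RandomIndex 10))
}

function Grant-GuestAccount {
    param([int]$Hours = 8)
    $now  = Get-Date
    # Available = disabled and past its quarantine timestamp (kept in Description).
    $acct = Get-ADUser -SearchBase $GuestOU -Filter { Enabled -eq $false } -Properties Description |
        Where-Object { -not $_.Description -or [datetime]$_.Description -lt $now } |
        Select-Object -First 1
    if (-not $acct) { throw 'No guest accounts available' }
    $pw = New-WordPassphrase
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Set-ADAccountExpiration -Identity $acct -DateTime $now.AddHours($Hours)
    Enable-ADAccount -Identity $acct
    # Return what the receipt needs; the plaintext should live only on the printout.
    [pscustomobject]@{ User = $acct.SamAccountName; Password = $pw; Expires = $now.AddHours($Hours) }
}

function Revoke-ExpiredGuestAccounts {
    # Scheduled task: scramble the password, disable, and quarantine for 48 h
    # until the public workstations have wiped any cached profile.
    $now = Get-Date
    Get-ADUser -SearchBase $GuestOU -Filter { Enabled -eq $true } -Properties AccountExpirationDate |
        Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now } |
        ForEach-Object {
            $b = New-Object byte[] 24; $Rng.GetBytes($b)
            Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString ([Convert]::ToBase64String($b)) -AsPlainText -Force)
            Disable-ADAccount -Identity $_
            Set-ADUser -Identity $_ -Description $now.AddHours(48).ToString('o')
        }
}
```

The account-expiration date gives AD its own hard stop independent of the scheduled task, so a missed run leaves no account usable past its window.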
On Wednesday, September 25, 2024 at 11:20, Will Martin eloquently inscribed:
> All,
>
> I'm curious how you handle access for guests at your libraries.
>
> Here at UND, we've used a process for many years that involves issuing a
> guest account in the campus Active Directory server through NetIQ Access
> Manager (NAM), which is supplied by campus IT. But it has a lousy UI and
> doesn't work reliably. When it does work, it takes about 15 minutes for the
> account to become active. When it doesn't work - which is more often than
> not - the account never works at all. At that point we usually just have a staff
> member log in and let the patron use their account, which is not great.
>
> We're a depository library for the state and the federal government, so
> we're required to ensure that the public can access government documents.
> Which are, of course, increasingly digital these days.
>
> So we're looking for other ways to manage guest access. How do you all do it
> in your libraries?
>
> Will Martin
>
> Head of Digital Initiatives, Systems and Services
> Chester Fritz Library
> University of North Dakota
> he/his/him
>
> 701.777.4638