Problem statement: How can I support isolation of identities on a single in-home network that supports both personal and business resources? I know the Windows NT servers have plenty of methods of restricting access to network resources, but I want to also differentiate personal users from work users at the user ID abstraction level, not just use ACLs to isolate resources.
I'm using Windows Small Business Server 2011 Standard
Caveat: In case it matters, I do NOT need remote access to the network (at least for a year or more), although I might want to enable Exchange remote web access for calendar and mail if I buy a static IP from my ISP or figure out OpenDNS solutions to remote access.
Failed Model: My first thought was to create two domains on one physical server. Knowing how domains work, this would have given me what I wanted. I would have two identities HOME\Daddy, WORK\Bob, and my wife (Sally) and kids would be WORK\Sally, HOME\Bill, HOME\Sue. We then have some personal (HOME) computers, some business (WORK) and some shared (either domain, but used for backup storage and dual-purpose shared data like music)
That idea was shot down with this article, where I learned one needs separate machines to control each domain: Multiple Domains on a Single Server. However, it introduced me to UPN, which might be an alternative.
Obviously I don't want to incur the cost of two fully isolated networks. Plus the shared backup server would need dual-homed NICs. Ugh.
Justifications/Requirements/Goals: There are a few reasons for this:
1) My kids aren't employees, so I don't want their activities, email, and other resources mixed with work. This is partly a mental convenience, and partly financial (e.g. IRS rules on mixed-use company assets).
2) It helps me avoid being identified accidentally as "Daddy" in company resources and not hand out business IDs in personal correspondence. (true story: Years ago I found my user id 'Daddy' on a Microsoft resource that I had checked in over RAS. My co-workers and I got a good laugh out of that, "Daddy fired off a build last night!")
3) In case you think I'm too cheap to pay for some cloud services solution via intermediary shared resources, yes. I have all this hardware to either send to the recyclers or connect to a wire and reuse where they sit, so I figure I can learn some networking skills while saving money and the environment.
4) Added bonus (in case it affects my implementation details): I bought a pretty beefy server, so I might like to use the old hardware as thin clients and VMs on the server or other machines for actual user computing and experimentation. This variable should be moot, as I expect the VMs appear as just other machines on the network.
Open Issues: Here are the issues I can think of. I'm curious what others I don't know about, either making this more easy or more difficult.
- Issue 1
Will User Principal Name work for this? If so, can I "hide" the domain from the logon screen so people don't get confused by choices? I'm guessing the credentials would be Bob@work.com, Daddy@home.com, Sally@work.com, Billy@home.com, Suzy@home.com.
- Issue 2
Does the UPN domain (work.com, home.com) have to be a real domain? It seems Windows isn't going outside my network to authenticate anyone, but I don't see how I can create work.com and home.com on my machine, either. Maybe it doesn't matter? Maybe I'm missing some implementation detail?
- Issue 3
How will visitors use my network on the home machines? I used to have Grandma and Grandpa logins. Can I just set up Grandma and Grandpa using their real e-mails so their network use when visiting is seamless? (e.g. grandmaBee@gmail.com, grandpaJoe@hotmail.com) I'm hoping this works, because it implies I can grant access to my business resources for the company bookkeeper using her own business e-mail ID.
- Issue 4
It seems UPN will not help joining machines to the domain and isolating them. If false, how do I use UPN for that? If true, maybe it doesn't matter. I think I saw something that controls who has access to specific machines. If so, I think I just create a network group BusinessUsers and HomeUsers and grant the respective group access to the applicable machines, correct?
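As an added example that is not part of the original question, the following PowerShell shows the mechanics behind Issues 1, 2 and 4 on the SBS 2011 domain controller (Windows Server 2008 R2 ships the ActiveDirectory module): registering home.com and work.com as alternate UPN suffixes on the forest, assigning those UPNs to the users named above, and putting the users into BusinessUsers and HomeUsers groups that a Group Policy user-rights assignment can then reference. The script assumes the user and group names from the question already exist as domain accounts; an alternate UPN suffix is only a string stored in the forest configuration, so it does not need to be a registered or resolvable DNS domain.

```powershell
# Added example, not code from the original post. Assumes it runs elevated on
# the SBS 2011 domain controller with the ActiveDirectory module installed, and
# that the user accounts Bob, Sally, Daddy, Billy and Suzy already exist.
# PowerShell 2.0 syntax is used deliberately (no -in/-notin operators).
Import-Module ActiveDirectory

# 1. Register the alternate UPN suffixes on the forest. The logon names will be
#    <user>@<suffix>; the suffix is just a string in the configuration partition
#    and needs no DNS registration. Keep it distinct from any suffix you do not
#    control unless you mean to match a real mail domain (e.g. work.com in Exchange).
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = "home.com", "work.com" }

# 2. Map each person to a suffix. The sAMAccountName (pre-Windows 2000 name) is
#    unchanged, so "DOMAIN\Bob" still works; the UPN is the identity people type.
$assignments = @{
    "Bob"   = "Bob@work.com"
    "Sally" = "Sally@work.com"
    "Daddy" = "Daddy@home.com"
    "Billy" = "Billy@home.com"
    "Suzy"  = "Suzy@home.com"
}
foreach ($sam in $assignments.Keys) {
    Set-ADUser -Identity $sam -UserPrincipalName $assignments[$sam]
}

# 3. Security groups are what machine-level restrictions refer to. Create them
#    if missing, then populate them from the same mapping so the two views
#    (UPN suffix and group membership) cannot drift apart.
foreach ($g in "BusinessUsers", "HomeUsers") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
foreach ($sam in $assignments.Keys) {
    $suffix = ($assignments[$sam] -split "@")[1]
    $group  = if ($suffix -eq "work.com") { "BusinessUsers" } else { "HomeUsers" }
    Add-ADGroupMember -Identity $group -Members $sam
}

# 4. Check: report every enabled account whose UPN suffix is neither of the two
#    chosen suffixes. Such accounts still carry the default (internal) suffix
#    and would quietly sit outside the home/work split.
$allowed = "home.com", "work.com"
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and
        ($allowed -notcontains (($_.UserPrincipalName -split "@")[1]))
    } |
    Select-Object SamAccountName, UserPrincipalName
```

The per-machine restriction itself is not a UPN feature. With the groups in place, put the work PCs and the home PCs in separate OUs and link a GPO to each that sets Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Allow log on locally" to Administrators plus the matching group (BusinessUsers or HomeUsers). Leaving Administrators in that list matters: removing it locks out the server admin account as well.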