There are two common use cases for kiosk access to Active Directory self service. The first one is very straightforward: allow end users to log in and update their Active Directory profile or search a corporate phone book. We have had the second one less often, but often enough that we have taken notice: allow anonymous end users to create an Active Directory account at a kiosk.
The use case for end user account creation is for partners, customers, temp workers, contractors, etc. to be able to create their own accounts, which then grant them very limited access to resources on the network: things like SharePoint access, phone books, or ordering corporate schwag. Where we come in is that they can create the account and then update their contact information and find other employees.
There are some technical hurdles to overcome. Most often these kiosk users will be in a different forest, so you have to be careful with trust relationships. The kiosk account needs very limited rights: enough to create accounts, and only to create accounts. You absolutely need workflow (approval) on that user creation. And you need a way to force users to update their information upon account creation, which is tricky given the lag time that can occur while waiting for workflow approvals.
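As an added illustration of the "create accounts, and only create accounts" point (this is example code, not part of the original post or of any product it describes), the following PowerShell delegates a single create-child-of-class-user right on one OU to a kiosk service account and then verifies the resulting ACE. The OU path, domain and the `svc-kiosk` account name are assumed placeholders; the object class GUID is the well-known schema GUID for the `user` class.

```powershell
# Assumptions (placeholders, not from the original post):
#   - the kiosk service account is named svc-kiosk
#   - self-registered accounts live in a dedicated OU in the partner forest
Import-Module ActiveDirectory

$kioskOu  = "OU=Kiosk Users,DC=partners,DC=example,DC=com"
$kioskSvc = Get-ADUser -Identity "svc-kiosk"

# Schema GUID of the 'user' object class: restricts CreateChild to user objects only,
# so the service account cannot create groups, computers or OUs in this container.
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# Build an ACE: Allow CreateChild (user objects only), no inheritance to sub-OUs.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $kioskSvc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Apply the ACE to the OU via the AD: PSDrive exposed by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$kioskOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$kioskOu" -AclObject $acl

# Verification: list every ACE granted to the kiosk account on this OU.
# Expected result is exactly one entry, CreateChild scoped to the user class GUID.
(Get-Acl -Path "AD:\$kioskOu").Access |
    Where-Object { $_.IdentityReference -eq $kioskSvc.SID.Translate([System.Security.Principal.NTAccount]) } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Note that CreateChild by itself does not grant the right to enable the account, set group membership or modify attributes on other users; the self-service tool's workflow step runs under a separate, more privileged identity once the request is approved, which keeps the anonymous kiosk path unable to do anything beyond submitting a new, pending account.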
All of this is very achievable given a flexible enough web based Active Directory self service tool, but to do it right you will need to manage all of the layers of security on it very closely. We recently built a pretty nice prototype; let us know if you want to see a demonstration of it in action.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.