If you are using AD, what I did for “external” users was create a security group named something like “Wildfire-Exclusive”, created domain accounts for the users, and added them to that group and whatever roster groups in which they belonged.
Then, at the root of my domain, I created a GPO with very restrictive settings that basically deny all executables and hide everything but the “Log off” and “Change Password” functions. In the security settings for the GPO, I removed “Authenticated Users” and added the “Wildfire-Exclusive” group, checking “Apply Group Policy”.
This way, if any users in the entire domain who are marked “Wildfire-Exclusive” manage to gain access to a machine somewhere, they will be limited to a very restricted environment. You could also go as far as going into the Domain Security Policy and denying the group rights to log on interactively and so forth.
This also works well if you have a decent terminal server, as it will enable them to change their own passwords.
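The group, accounts, GPO link and security filtering described in the post above, scripted as an added example (this is not the original poster's script). It assumes the RSAT ActiveDirectory and GroupPolicy modules are available, a domain-joined admin session, and a hypothetical OU "OU=External,DC=example,DC=com" plus two hypothetical usernames; adjust these for your domain. One caveat the post does not mention: since MS16-072 (June 2016), user-side GPO settings are read with the computer account, so once "Authenticated Users" is removed from the ACL you must grant at least Read to "Domain Computers" or the policy silently stops applying.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumed values: replace with your own domain, OU and usernames.
$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=com
$ou        = "OU=External,$domainDN"                     # hypothetical OU for external accounts
$groupName = 'Wildfire-Exclusive'
$gpoName   = 'Wildfire-Exclusive Lockdown'
$users     = @('ext.alice', 'ext.bob')                   # hypothetical external users

# 1. Security group that will drive the GPO security filtering.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou
}

# 2. Domain accounts for the external users, added to the group.
#    Passwords are prompted for rather than embedded in the script.
foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        $pw = Read-Host -AsSecureString "Initial password for $u"
        New-ADUser -Name $u -SamAccountName $u -AccountPassword $pw `
                   -Enabled $true -ChangePasswordAtLogon $true -Path $ou
    }
    Add-ADGroupMember -Identity $groupName -Members $u
}

# 3. GPO linked at the domain root. The full "deny all executables" lockdown
#    in the post would normally be done with Software Restriction Policies or
#    AppLocker; only a few illustrative Explorer restrictions are set here.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoRun'     -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null
if (-not (Get-GPInheritance -Target $domainDN).GpoLinks.DisplayName -contains $gpoName) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: drop Authenticated Users, apply only to the group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName           -TargetType Group -PermissionLevel GpoApply | Out-Null
# Post-MS16-072: computers must still be able to read the GPO for user settings to apply.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers'   -TargetType Group -PermissionLevel GpoRead  | Out-Null

# 5. Verify the resulting ACL and membership.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName
```

After running this, `gpresult /r` as one of the external users on a member machine should list the lockdown GPO under applied user policies, while an ordinary domain user should see it filtered out. Denying the group the "Log on locally" right, as the post suggests, is a User Rights Assignment setting that the GroupPolicy module cannot set directly; it has to be done in the GPO editor or with a security template.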
Yeah, I thought about that, but the trouble it caused for me was that the external users are already part of my domain, but they are remote users that use key fobs to log in (RSA keychains). Basically, that makes those users' passwords empty in AD. If I made another account for them in AD, it would require them to use a new user name. I wanted them to be able to keep their AD username and have a static password for this application. However, your solution may be what I have to do.