
We have quite a few laptops that are rarely, if ever, connected to the local LAN. Since they won't be able to contact a domain controller very often, having them joined to the domain doesn't work well - cached passwords eventually expire, new users can't log in, etc.

Right now we handle it by leaving them as workgroup computers, with local accounts setup on them.

However, that means losing all group policy settings, remote control, software installation, inventorying from AD and all the other advantages that come from being part of the domain. Basically, it makes my job a lot more difficult than I want it to be when it comes to updating software or updating our inventory.

How do others handle this?

  • Some of the laptops connect to our office wifi so should be able to talk to a DC, but don't seem to connect to wifi before a user logs in, so they still can't log in.
  • Some laptops connect to other people's wifi. Is it possible to have them connect to the wireless and a VPN before the user logs in so it can talk to the DC?
  • Other laptops use a cellular internet stick, which requires a software client to connect, so probably can't connect before logging in. But will Windows update their cached account passwords if they log in, then connect to a VPN, so it can talk to the DC AFTER they have logged in?
  • Laptops are a 50/50 mix of Windows 7 and XP.

My current almost-solution is to have the laptop domain joined, and require the user to connect to the office network via ethernet cable once every few weeks. That works, but not everyone will remember or be able to do that.

Grant
    Have you looked into [DirectAccess](http://technet.microsoft.com/en-us/library/dd759144.aspx)? – jscott Aug 19 '13 at 13:49
  • @jscott I believe DirectAccess requires IPv6, and doesn't support XP, so won't work for us. Wish it would. – Grant Aug 19 '13 at 13:56
    @Grant the clock is ticking on XP anyway. In just about a year it goes end-of-support. I'd strongly recommend beginning that migration process and looking toward a *modern* solution instead of being hamstrung by a 10 year old operating system. – MDMarra Aug 19 '13 at 14:03
  • @MDMarra believe me, I'm working as hard as the accountants will let me to get rid of the XP machines. Even if I ignore the XP machines (which I'm willing to do), the IPv6 requirement makes it a problem - no providers here offer IPv6, and even if I can get IPv6 on my end, the client end certainly won't have it. – Grant Aug 19 '13 at 14:06
    Server 2012 Direct Access supported a 6-to-4 edge role to allow non-IPv6 endpoints to use DA. – MDMarra Aug 19 '13 at 14:11
  • @Grant: Why can't the users connect over VPN AFTER logging on with cached credentials? You are correct about DirectAccess though. Even without IPV6, DirectAccess would be far too ambitious given the current technology environment. – Greg Askew Aug 19 '13 at 14:32

2 Answers


One common way of handling this is to start the VPN connection before user logon. For instance, the Cisco AnyConnect VPN client has this feature:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml

Ryan Ries
  • I have the option of using the built in windows VPN to a Server2008r2 box, or Watchguard's VPN (the client doesn't support connecting before login as far as I can tell, but it is based on OpenVPN so perhaps an OpenVPN compatible client does have that feature) – Grant Aug 19 '13 at 13:58

Depending on the work they have to do inside the domain, consider working with a terminal server (or just a host inside your company network).

They could even work with their private hardware (if they want to) and you are in full control of the terminal server. Just give them access via VPN, or directly via RDP (if you have trust in Microsoft protocols :)

OpenVPN would also have a service feature where you could connect to a VPN at system startup. You could pair this with certificate authentication (unexportable from the certificate store) and a revocation list for NOT allowing users to connect anymore.

The OpenVPN config needs to be edited, something like this:

ca "YOUR_CA.pem"
cryptoapicert "SUBJ:OpenVPN-Client"

The certificate (with a matching subject name) needs to be imported into the user's certificate store (the user who starts up the OpenVPN service).

Daywalker
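To show how the three pieces in the answer above fit together (the boot-time OpenVPN service on the laptop, a client certificate pulled from the Windows certificate store via `cryptoapicert`, and a CRL on the server to cut off a lost laptop or departed user), here is an added example configuration pair. It is not the answer author's config or anything from the OpenVPN project; the host name `vpn.example.com`, the file names, the `10.8.0.0/24` tunnel network and the pushed `192.168.1.0/24` office route are placeholders, and the subject name `OpenVPN-Client` is reused from the answer.

```conf
# ---- client.ovpn: placed in the OpenVPN config directory on the laptop ----
# The OpenVPN Windows service (set to Automatic start) loads this file at
# boot, before any user logs on, so the domain controller is reachable
# when Winlogon tries to authenticate the user.
client
dev tun
proto udp
remote vpn.example.com 1194      # placeholder VPN endpoint
nobind
persist-key
persist-tun
# Keep retrying DNS/connect forever: an unattended boot has nobody to
# restart the tunnel by hand.
resolv-retry infinite
# CA that issued both the server certificate and the client certificates.
ca "YOUR_CA.pem"
# Client certificate and private key come from the Windows certificate
# store (imported with the key marked non-exportable) rather than from a
# .crt/.key pair lying on disk that a user could copy to another machine.
cryptoapicert "SUBJ:OpenVPN-Client"
# Refuse to talk to a peer whose certificate is not marked for server use,
# so a stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3

# ---- server.conf: placeholder server side ----
port 1194
proto udp
dev tun
ca YOUR_CA.pem
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0    # placeholder tunnel network
# Certificate revocation list issued by the same CA. A client whose
# certificate appears here is rejected at the TLS handshake even though
# the laptop still holds the (non-exportable) private key, which is how
# access is withdrawn for a lost laptop or a user who has left.
crl-verify crl.pem
# Push the office subnet that holds the domain controllers so the laptop
# can reach AD as soon as the tunnel is up (placeholder subnet).
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
```

On the client, the certificate and key can be imported with the key marked non-exportable using `certutil -importpfx` with the `NoExport` modifier (for example `certutil -p <pfx-password> -importpfx client.pfx NoExport`), into whichever store the account running the OpenVPN service reads; as the answer notes, that store must be the one belonging to the account that starts the service, so the `SUBJ:` lookup finds the certificate at boot. Regenerate `crl.pem` from the CA and copy it to the server each time a certificate is revoked; OpenVPN re-reads the file for every new connection, so no restart is needed.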