1

I am thinking of implementing Single Sign-On for a whole company.

PROBLEM: Some employees of that company need to be able to work offline, without having to switch user/environment.

Is there any trick to make both compatible?
While normally using SSO, is there any magic trick to continue working offline, at least for a few days or so?
If there is absolutely no way to ever achieve this, please post an answer saying so, thank you!

Allowing such employees to stay away from SSO is risky: They won't be able to use some company services, or alternatively some hard-to-maintain tricks will have to be implemented to allow both SSO and non-SSO.

Technologies: Latest Active Directory (others can be considered), Windows, Mac.

Reaces
Nicolas Raoul

1 Answer

3

By default, Active Directory will allow users to sign into their Windows machines while the Domain Controller cannot be reached, with the last password known to the computer in question. Once the domain controller is contactable, the client machine will check to see if any passwords for its users have changed.

The only problem with this is that the client computer will only keep the passwords of users which have previously logged into the computer while the domain controller is available. It will not hold all passwords for the entire domain, just those users which it knows exist.

See Disable Logon to Windows Computers When Not Connected to a Domain for more info on how to disable this setting (it is enabled by default).

Nicolas Raoul
John Cave
  • @NicolasRaoul This is enabled by default. Disabling it involves changing a registry key. [To my surprise there is a how-to-geek for this](http://www.howtogeek.com/howto/windows-vista/disable-logon-windows-no-domain/). – Reaces Apr 15 '15 at 08:21
  • The setting in question is called a "roaming profile" and can be configured on a per-user or per-group basis. – John Cave Apr 15 '15 at 08:22
  • 2
    @JohnCave Roaming profiles are a different concept altogether: `A roaming user profile is a concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows Server domain to log on to any computer on the same network`. – Reaces Apr 15 '15 at 08:25
  • Thanks @Reaces, I haven't used Active Directory much since Server 2003 ;) – John Cave Apr 15 '15 at 08:29
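
One way to check the cached-logon setting discussed in the answer on a given Windows client, as an added example that is not part of the original answer or comments. It assumes the setting is the `CachedLogonsCount` value under the Winlogon key (the value the "Interactive logon: Number of previous logons to cache" policy writes); the function name `Get-CachedLogonPolicy` is hypothetical.

```powershell
# Added example: report whether this machine permits cached (offline) domain logons.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        [string]$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # CachedLogonsCount is stored as a string (REG_SZ); when it is absent,
    # Windows falls back to its default of 10 cached logons.
    $prop   = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    $count  = 10
    $source = 'default (value not set)'
    if ($null -ne $prop) {
        $parsed = 0
        if ([int]::TryParse([string]$prop.CachedLogonsCount, [ref]$parsed)) {
            $count  = $parsed
            $source = 'registry'
        } else {
            $source = "unparseable value '$($prop.CachedLogonsCount)', assuming default"
        }
    }

    # Cached logons only matter on a domain-joined machine.
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    if (-not $joined) {
        $offline = 'n/a (not domain joined)'
    } elseif ($count -le 0) {
        $offline = 'disabled: a domain controller must be reachable to log on'
    } else {
        $offline = "allowed for up to $count users who logged on while a DC was reachable"
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = $joined
        CachedLogonsCount = $count
        Source            = $source
        OfflineLogon      = $offline
    }
}

Get-CachedLogonPolicy | Format-List
```

A laptop that must work offline needs its user to have logged on at least once while the domain controller was reachable, and a count of 0 blocks offline logon entirely.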