I am planning implementation of Microsoft’s Active Directory tier administrative model, and I was wondering how to overcome the problem of system administration over VPN. One of the security principals is to have all admin accounts in a Protected Users group, and the other is to use privileged access workstations. Using this in combination with working from home crates a problem. How to login with a Protected Users group member account when domain controller is not available? I am not an expert on VPN, and I need to know does Always On VPN enable a computer to connect to the VPN and gain access to corporate network and domain controllers before any user logs in? Or there is some other way to solve the problem of using protected users logging in outside the company network?
To overcome this problem I have also considered a additional user account for laptop PAW, that is not member of Protected Users group and it is used only to log on to PAW, and from there you can access local VM for common user purpersess that has internet and mail access, and access to the system administration but with different credentials for administration of various tiers of security.
0 Answers