We have quite a few laptops that are rarely, if ever, connected to the local LAN. Since they won't be able to contact a domain controller very often, having them joined to the domain doesn't work well - cached passwords eventually expire, new users can't log in, etc.
Right now we handle it by leaving them as workgroup computers, with local accounts set up on them.
However, that means losing all group policy settings, remote control, software installation, inventorying from AD and all the other advantages that come from being part of the domain. Basically, it makes my job a lot more difficult than I want it to be when it comes to updating software or updating our inventory.
How do others handle this?
- Some of the laptops connect to our office wifi, so they should be able to talk to a DC, but they don't seem to connect to wifi before a user logs in, so users still can't log in.
- Some laptops connect to other people's wifi. Is it possible to have them connect to the wireless and a VPN before the user logs in, so the laptop can talk to the DC?
- Other laptops use a cellular internet stick, which requires a software client to connect, so they probably can't connect before logging in. But will Windows update the cached account passwords if users log in, then connect to a VPN, so the laptop can talk to the DC AFTER they have logged in?
- Laptops are a 50/50 mix of Windows 7 and XP.
My current almost-solution is to have the laptop domain joined and require the user to connect to the office network via ethernet cable once every few weeks, which works, but not everyone will remember or be able to do that.
One common way of handling this is to start the VPN connection before user logon. For instance, the Cisco AnyConnect VPN client has this feature:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml
Depending on the work they have to do inside the domain, consider working with a Terminal Server (or just a host inside your company network).
They could even work with their private hardware (if they want to) and you are in full control of the Terminal Server. Just give them access via VPN, or directly via RDP (if you trust Microsoft protocols :)
OpenVPN would also have a service feature where you could connect to a VPN at system startup. You could pair this with certificate authentication (unexportable from the certificate store) and a revocation list for NOT allowing users to connect anymore.
The OpenVPN config needs to be edited something like this:
The certificate (with a matching subject name) needs to be imported into the certificate store of the user who starts the OpenVPN service.
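As an added example (not the answerer's own config), here is what the client side of that setup looks like: an OpenVPN client profile installed alongside the Windows service, pulling its certificate and non-exportable private key from the Windows certificate store via `cryptoapicert` instead of from files on disk. The hostname, subject name and file names are placeholders.

```text
# Added example: OpenVPN client profile for a laptop whose OpenVPN
# service starts at boot. Hostname and subject are placeholders.
client
dev tun
proto udp
remote vpn.example.com 1194      # placeholder VPN gateway
resolv-retry infinite            # keep retrying while on flaky wifi/cellular
nobind
persist-key
persist-tun

# CA that issued both the server and the client certificates
ca ca.crt

# Take the client certificate and private key from the Windows
# certificate store ("MY" store of the account the service runs as),
# selected by subject name. Mark the key non-exportable at enrolment
# so it cannot be copied off the laptop.
cryptoapicert "SUBJ:laptop01.example.com"

# Only accept a peer whose certificate was issued for server use
remote-cert-tls server
verb 3
```

To cut off a lost or decommissioned laptop, revoke its certificate on the CA and point the server config at the resulting CRL with `crl-verify crl.pem`; the server then rejects that certificate on the next connection attempt even though the key is still in the laptop's store.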