Re: Remote User Management



In news:C3272375-04AC-4421-AD5C-5C340B08CED8@xxxxxxxxxxxxx,
Mike <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Lanwench,

The problems regarding ratio of IT and desktops and how to deal with
problems are not problems we are trying to solve. The current
situation has existed for over 5 years and those logistics have all
been solved long ago.

OK - it seemed worth mentioning.


The problem is management of remote computers and compliance
verification. The company falls under full scope SOX audits and as
any of you know that have had to participate in one of those, the
auditors prefer to see system generated reports. But even without
that just for the sake of good practice and security, the company
wants to be able to deploy SMS and the like to ensure proper patch
management etc.

Sure, I can understand that. But it just won't be easy unless they're
connecting on a network you can manage.



The company has been employing Terminal Services and or Citrix for
most of those 5 years. The problem is, when they do not have network
connectivity the users still need to be able to work on Office
documents, email and other line of business applications.

So those
desktops and laptops are out, they're utilizing the distributed
architecture Microsoft is always touting, and it works awesome for
us! However, as mentioned we need to be able to manage those users
in a loosely connected way.

We have been considering installing Site-Link VPN appliances at the
users homes and local branch offices as a solution for some time
lending itself nicely to a possible solution like you mentioned.

Yep - that would be a good way to go - if it's more than a tiny handful of
users in each location, you really need a DC/DNS box there, too.

For their offline use, they could use either offline files (icky, in my
book - I've seen a lot of data loss when those are in the picture) or
possibly third party sync software like SecondCopy - but they would need to
connect to the network at some point to sync them.

And since you've mentioned SOX and other regulatory requirements, you need
to make sure they aren't storing anything on these laptops that anyone else
could easily get their hands on. This gets into encryption issues, and
entirely locking down the computer so that the user can't make changes to
much at all outside data files.


The core source of my thread is, does Microsoft or anyone else offer
any documentation that focuses on what options are available to IT
departments regarding loosely connected users. I know there are plenty
of settings that affect various behaviors such as whether or not to
cache passwords, slow link GPO, etc. We would like to make as
informed a decision as possible and one that best solves our
business needs.

I don't know of anything Microsoft-specific that will help you with this,
sorry. As I mentioned before, when I've seen this done, it's involved third
party software (Dameware, etc) and for laptops that do occasionally connect
to the corporate network/domain. Unless they do that, you are not going to
be able to manage password policies (they won't be able to change their
passwords), and if the computer hasn't been able to contact a DC for a long
period of time, it is likely going to complain.

I do think you're going to have your work cut out for you - and this won't
be an inexpensive proposition, but you may be able to make it work.



Thanks again.
"Lanwench [MVP - Exchange]" wrote:

In news:42612AC6-631B-450D-9455-C248C1931FBF@xxxxxxxxxxxxx,
Mike <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Lanwench

Thanks for your reply.

Here is the problem, I understand that a site link VPN would be our
optimal solution, however we are talking about 50 plus PCs highly
dispersed and that number is growing at a fast rate.

How does Microsoft propose a company manage 50 plus desktops for
update management, change management, security, software
installation, licensing compliance?

This is not a simple task. How many IT people does your company
have, and how many (non-remote) users do they support? What's the
geographical distribution here, and are there going to be local
techs who can work with users in remote locations if something goes
wrong? What are your responsibilities w/r/t these computers, and
what exactly is it you want to manage?

If they never connect directly to your network (even via a remote
VPN-linked site), you are probably not going to get what you wish.
If a user's domain login or profile gets hosed on their laptop, and
they are not on a network with a connection to your domain, what are
they going to do? They might not even be able to log in. How are you
going to connect to it? The only way a domain member computer can
use the tickbox for "log in over dialup connection" is if they're
using MS VPN, and I don't think that's the most secure thing out
there. It won't work with a third party VPN client. I don't know
that it will work with wireless, as they have no guarantee that
wireless is working before they log in, in the new location. Etc.

Managing these one desktop at a time is obviously not a scalable
solution.

Agreed, but honestly, I can't see how you'd have any easy
centralized means of doing so, even if they join the domain, with
your current config.

I know of large companies with widely dispersed laptop users who use
Cisco or Sonicwall VPN, etc., and these workstations have stuff like
DameWare remote control software on them for the (large) IT
department to use if need be. And the users *do* periodically bring
their laptops into remote office locations configured with site
links back to the main office. That's pretty expensive, though.


Any insight would be much appreciated.


What I myself would really want to manage in a situation like this,
is what the user is actually working with / accessing on the
corporate network. I would seriously think about implementing W2003
Terminal Services - then it doesn't really matter what's on the
client so much.




"Lanwench [MVP - Exchange]" wrote:

In news:FB337E5C-69D3-4E14-9C28-F7BB8662DC70@xxxxxxxxxxxxx,
Mike <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I am working in a company that has close to fifty percent of its
users working remotely. There are not enough of these users in any
one location to warrant an Active Directory Site, and many of them
work from home.

Currently we do not have any remote computers set up as members of
the Active Directory domain that is configured. Each computer
simply participates in a local workgroup and then uses our VPN to
establish connectivity to domain resources.

For obvious reasons we would like to have all of our computers
become members of the domain.

I don't see that as obvious at all. What's your goal/justification
for that decision? What potential advantage do you see, given that
you still won't be able to manage them remotely if they're using
VPN clients? I suggest you rethink this.


I seem unable to find any whitepapers or the like that directly
address this issue from Microsoft or the general web. I have
searched Google web and groups, as well as Microsoft's website
extensively and I seem to be missing it.

The specific problems I don't see documentation for are:

Connectivity: many of our salesmen spend a great deal of time in
hotels etc. They are not going to be able to logon to the VPN
until they have logged on to the local machine and established a
connection with the hotel's wireless or wired service. Some use
wireless at home and experience a similar problem; however, I
believe there is a way to configure Windows to automatically logon
to a known wireless network before user logon, correct? Last, some
use Cingular AirCards and need to logon in order to start
Cingular's Connection Manager.

Options and features available to us: for example, I see there are
Slow Link options for Group Policy objects etc. I am sure all the
information I need is documented in its respective location;
however,

I do not see any documentation that attacks the problem from the
remote user vector. How can we still use all the desktop
management features, and what are the effects of the user being
disconnected a large percentage of the time? For example, will
the users ever receive new startup scripts, new logon scripts,
and what options are available to us to control their behavior?

Sorry for the long post and thank you in advance for your time.

Unless these users were in remote offices with site-link VPN or
leased line connectivity to the HQ network where the DCs lived,
group policy/remote management/login scripts/updates are really not
going to work as you wish.

Perhaps you should look into Terminal Services?



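The thread asks what "cache passwords", slow-link GPO and loss of DC contact actually mean on a loosely connected domain member, and notes that auditors want system-generated reports. The following is an added example, not code from anyone in the thread: a read-only PowerShell check that a modern domain-joined laptop can run (via a scheduled task or a logon script) to report those settings and whether a DC and healthy secure channel are reachable right now. The registry paths and cmdlets are standard Windows ones; the defaults substituted when a value is absent are the documented Windows defaults, and the function name is my own.

```powershell
# Added example: report the loosely-connected-client settings discussed in the
# thread as a single object that can be exported (Export-Csv) for audit evidence.
function Get-RemoteClientAuditReport {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $gpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # Read one registry value; $null when the value (or key) does not exist.
    function Read-Value([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # How many domain logons Windows caches for offline sign-in (default 10, "0" = none).
    $cached = Read-Value $winlogon 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = 10 }

    # Group Policy slow-link detection threshold in kbps (default 500 when unset).
    $slowLinkKbps = Read-Value $gpPolicy 'GroupPolicyMinTransferRate'
    if ($null -eq $slowLinkKbps) { $slowLinkKbps = 500 }

    # Machine account password rotation: max age in days (default 30) and whether
    # rotation has been disabled. A laptop that never sees a DC cannot rotate it.
    $maxPwdAgeDays = Read-Value $netlogon 'MaximumPasswordAge'
    if ($null -eq $maxPwdAgeDays) { $maxPwdAgeDays = 30 }
    $pwdChangeDisabled = [bool](Read-Value $netlogon 'DisablePasswordChange')

    # Is a DC reachable from the current network, and is the secure channel healthy?
    $dcName = $null; $dcReachable = $false; $secureChannelOk = $false
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dcName = $domain.FindDomainController().Name
        $dcReachable = $true
        $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
    } catch { }   # Workgroup machine or no DC reachable: flags stay $false.

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        CheckedAt                 = (Get-Date).ToString('s')
        CachedLogonsCount         = [int]$cached
        SlowLinkThresholdKbps     = [int]$slowLinkKbps
        MachinePwdMaxAgeDays      = [int]$maxPwdAgeDays
        MachinePwdChangeDisabled  = $pwdChangeDisabled
        DomainControllerReachable = $dcReachable
        DomainController          = $dcName
        SecureChannelHealthy      = $secureChannelOk
    }
}

Get-RemoteClientAuditReport | Format-List
```

Run it elevated if Test-ComputerSecureChannel reports access denied on your build; a SecureChannelHealthy of False while the DC is reachable is the "it is likely going to complain" condition Lanwench describes, and is worth alerting on before the user is locked out.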


