Remote disconnected users and Active Directory



Hello,

We have many users that are part of our sales team that do not work out of
our offices but instead work out of their homes. They connect to our network
using an SSL based VPN connection to get mail and access our Intranet.
Currently they are not part of our Active Directory infrastructure because
they cannot authenticate to AD until the VPN connection is established, thus
they do not apply group policies, run log on scripts, or modify their last
logon timestamps. This causes passwords to expire without the users being
informed, computer objects to become stale and a slew of other interesting
scenarios that become unacceptable for the users. In some cases we've had
users mail their machines so we could log on and send it back.

My question is what other options exist? Is there any way to trigger Windows
authentication again after the user logs in and connects to our network via
VPN? What are other organizations doing for similar scenarios?

I know we could put a DC on the DMZ but that is a huge security risk in our
organization. We also thought about having the VPN connection connect prior
to logon so that the initial Windows authentication takes place after
connecting to our network but I do not have any documents/information on how
to accomplish it.

Ultimately we are concerned about the application of GPOs, password
policies and how the user could be informed about upcoming expiring
passwords.

Any suggestions?
Thanks
Ray