Posted by djc on August 31, 2006, 12:53 pm
Thanks for the info, Herb. It's appreciated. I'll do some testing.
>>>>I am setting up a few machines for remote users. In the past I have
>>>>generally not made these machines domain members. I set them up with
>>>>antivirus and firewall and only gave the users a non-admin local user
>>>>account to log in with. Then they just used VPN and RDP to their actual
>>>>work desktops to work. No work is done on the local machines, they are
>>>>just used like dumb terminals to connect to work.
>>>
>>> Nothing wrong with this if it works for you.
>>>
>>>> I was thinking of changing this and making them domain members so I can
>>>> use GPOs to control them better. My concern is them being able to log
>>>> onto the domain without being connected to the company network. I know
>>>> as long as they logon at least once to the domain then they can then
>>>> log on while disconnected using cached credentials... but how long can
>>>> they do this for? a limited number of times before they would be
>>>> required to bring the laptop back to work and logon again? or would the
>>>> act of logging on via the VPN (windows RRAS/ISA vpn) renew these cached
>>>> credential again?
>>>
>>> Generally forever (I vaguely THINK I remember there is a way to limit
>>> this but I may just be confusing the NUMBER of remembered credentials.)
>>>
>>> The real issue is that if they cannot authenticate, what value will it
>>> offer?
>>>
>>> They are not going to get any GPOs unless their machines can
>>> authenticate.
>>
>> I'm not sure if this is what you mean here but am I overlooking something
>> with the behavior of GPOs here?
>> Please correct me if I'm wrong but I am assuming the following behavior:
>>
>> - user logs onto domain at least once while connected to LAN, domain
>> computer and user GPOs get applied
>
> Yes. Actually they get applied to the COMPUTER before the user
> logs in, based on the COMPUTER authenticating on the domain.
>
>> - user takes laptop home and logs on with cached domain credentials, same
>> domain computer and user GPOs are applied (cached)
>
> This is usually not called "applied" but yes the GPOs stick until
> the domain can be found again. I started to mention this in my
> original post but the main advantage of the GPO is that it can
> be updated by the admin anytime, not just that first (and only)
> application.
>
>> - after user logs onto VPN the domain computer and user GPOs would be
>> updated during regular GPO refresh intervals
>
> This I doubt. Since the computer would need to be authenticated
> on the domain and I am unsure whether it would do this through
> the VPN if the DC were not available at boot. I just don't know and
> this needs to be part of your test (I was thinking about this when I
> suggested the testing but didn't specify it.)
>
>> anything above incorrect? am I wrong about the GPOs being cached?
>>
>>>> or (this one just came to me) can you still select a dialup (vpn in
>>>> this case) connection to be used *first* to authenticate a logon? I
>>>> recall doing that in windows 2000 I think..?
>>>
>>> Yes, and while it works it isn't always the most fun to troubleshoot.
>>>
>>>> anyway, my current clients are XP Pro sp2, connecting to windows 2000
>>>> native mode domain via ISA2000/windows2000RRAS vpn.
>>>>
>>>> any input would be appreciated.
>>>
>>> I think it is a good idea AND that it might be more trouble than
>>> it is worth.
>>>
>>> Why not just get ONE MACHINE and try it yourself for a couple
>>> of weeks.... (remember to try out the GPO controlling the machine
>>> idea too.)
>>
>> Will do.
>>
>> thanks Herb
>>
>
> Anytime I can help...
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>> Thanks for the reply, Herb. Please see inline.
>>
>>
>>> --
>>> Herb Martin, MCSE, MVP
>>> Accelerated MCSE
>>> http://www.LearnQuick.Com
>>> [phone number on web site]
>>>
>>>
>>
>>
>
>
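The open question in the thread is whether a laptop that logged on with cached credentials will pick up Group Policy again once the VPN is up. The following PowerShell script is an added example for that test and is not part of the original thread or anything Herb posted: it reads the cached-logon limit Herb half-remembered (the "Interactive logon: Number of previous logons to cache" setting, stored as CachedLogonsCount), checks whether a domain controller can be located, and only then forces a computer and user policy refresh. It assumes a domain-joined Windows client with the built-in nltest and gpupdate tools and takes the domain name from the USERDNSDOMAIN environment variable.

```powershell
# Added example (not from the thread): check the cached-logon limit and,
# when a DC is reachable over the VPN, force a Group Policy refresh.
# Assumes a domain-joined client with nltest and gpupdate available.

function Get-CachedLogonLimit {
    # "Interactive logon: Number of previous logons to cache" lives here.
    # The default is 10; a value of 0 disables cached logons entirely.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # value absent: the default applies
    return [int]$item.CachedLogonsCount
}

function Test-DomainControllerReachable {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: domain-joined client
    # nltest asks Netlogon to locate a DC; a non-zero exit code means none was found,
    # which is exactly the state a laptop is in before the VPN comes up.
    $null = & nltest "/dsgetdc:$Domain" 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Invoke-PolicyRefreshIfConnected {
    $limit = Get-CachedLogonLimit
    Write-Host "Cached logons allowed by policy: $limit"
    if (-not (Test-DomainControllerReachable)) {
        Write-Host 'No DC reachable: running on cached credentials and the last applied GPOs.'
        return $false
    }
    # Computer and user policy refresh separately; /force reapplies even unchanged GPOs,
    # so a changed setting on the DC side shows up without waiting for the refresh interval.
    & gpupdate /target:computer /force | Out-Null
    & gpupdate /target:user /force | Out-Null
    Write-Host 'DC reachable: Group Policy refresh requested for computer and user.'
    return $true
}

Invoke-PolicyRefreshIfConnected
```

Run it once before connecting the VPN and once after; the two results show directly whether the tunnel makes the DC locatable and whether policy refresh succeeds from home.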