3

I have a few users in the field 100% of the time. I would like to have them authenticate to AD so that policies like Password changes and even maybe group policies are applied regularly. I want to ensure a level of standardized protection that is uniform for these remote, roaming, never-ever-office-visiting users.

Any idea what I can put in place for such a scenario?

    Each time they log in to the network, which should still be happening at fairly regular intervals, their policies would be updated. A way of ensuring it would be requiring VPN connectivity. –  May 29 '15 at 20:24

2 Answers

5

The only way for domain computers to get updated group policy settings is if they have connectivity to a domain controller at a time when they are refreshing their group policy settings. Group Policy is refreshed:

  1. At computer startup (foreground refresh of Computer settings)
  2. At user logon (foreground refresh of User settings)
  3. Periodically in the background (Background Refresh)
  4. Manually by running GPUpdate

Getting updated settings to "off-network" workstations can be tricky and as much as possible should be done to avoid the need to do so (e.g. require users to bring laptops to periodic meetings at the nearest branch office). However, if you must update Group Policy on machines not normally connected to the domain network, consider these solutions:

  • Install a software-based VPN client on the roaming computers and configure it to connect to the domain network before user logon. This will ensure "User" GP is always applied and if the computer stays connected long enough, the background refresh will update the "Computer" GP as well.
  • Deploy VPN routers at off-site users' work locations (e.g. at their remote/home office) that maintain a persistent connection to the domain network. This will result in the remote computer having constant access to a domain controller and fully participating in Group Policy updates.
  • Deploy a DirectAccess infrastructure, which acts like an always-on VPN solution.
I say Reinstate Monica
  • The VPN client only works if the offsite employees have reliable access to the same LAN, so their computer can authenticate to that network before user logon. If they go to a completely different client each time, they might not have that network. Unless they have a network at home that they can hook their machine up to every day. – Nzall May 29 '15 at 20:48
  • By *If they go to a completely different client each time* do you mean "use a different computer" each time, or "visit different client [offsite] networks" each time? If the former, each workstation a remote worker uses would need an appropriate configuration. If the latter, then clearly deploying fixed VPN hardware is out of the question so the remaining option would be to deploy a software-based VPN to each remote worker's computer. – I say Reinstate Monica May 29 '15 at 21:11
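As an added illustration (not code from the original answer or its commenters), a PowerShell check a roaming, domain-joined client could run at logon or from a scheduled task: it tests whether a domain controller is reachable, forces the foreground refresh the answer describes if so, and otherwise reports how stale the last applied computer policy is. The `$MaxAgeDays` threshold and the function names are assumptions.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on a
# domain-joined Windows client, run elevated (gpupdate needs it).
# $MaxAgeDays is an assumed threshold; set it to what your policy requires.
$MaxAgeDays = 7

function Get-LastPolicyApplyTime {
    # gpresult prints "Last time Group Policy was applied: <date> at <time>"
    # in the COMPUTER SETTINGS section; parse that line into a [datetime].
    $out  = & gpresult.exe /r /scope:computer 2>$null
    $line = $out | Where-Object { $_ -like '*Last time Group Policy was applied:*' } |
            Select-Object -First 1
    if (-not $line) { return $null }
    if ($line -match 'applied:\s*(.+)$') {
        $text = ($Matches[1] -replace '\s+at\s+', ' ').Trim()
        try { return [datetime]::Parse($text) } catch { return $null }
    }
    return $null
}

function Test-DomainControllerReachable {
    # Ask the DC Locator for any DC of the machine's domain; exit code 0
    # means one answered, i.e. policy can be refreshed right now.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $null = & nltest.exe "/dsgetdc:$domain" 2>$null
    return ($LASTEXITCODE -eq 0)
}

function Invoke-RoamingPolicyCheck {
    $last = Get-LastPolicyApplyTime
    if (Test-DomainControllerReachable) {
        # Connected (e.g. the VPN is up): do a foreground computer refresh
        # instead of waiting for the background interval.
        & gpupdate.exe /target:computer /force | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Output 'DC reachable; gpupdate succeeded.' }
        else { Write-Warning "DC reachable but gpupdate failed (exit $LASTEXITCODE)." }
        return
    }
    if (-not $last) {
        Write-Warning 'DC unreachable and no record of a previous policy refresh.'
        return
    }
    $ageDays = ((Get-Date) - $last).TotalDays
    if ($ageDays -gt $MaxAgeDays) {
        Write-Warning ("DC unreachable; policy last applied {0:N1} days ago (threshold {1})." -f $ageDays, $MaxAgeDays)
    } else {
        Write-Output ("DC unreachable; policy last applied {0:N1} days ago, within threshold." -f $ageDays)
    }
}

Invoke-RoamingPolicyCheck
```

Scheduling this on a network-connection event or at logon gives the "refresh whenever a DC is visible" behaviour the answer relies on, and the warnings can be forwarded to whatever monitoring you already collect from the laptops.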
3

Ask them to connect to the internet through a VPN into your domain. Use Remote Access & Routing services (RRAS) to configure the VPN gateway for them.

ztk
  • Is there anything else? I had that they won't do it; anything with SSL Certificates or maybe ADFS? They won't do it; it has to be something really really seamless. –  May 29 '15 at 18:09
  • Nothing reasonable. You need them in the domain controller's network to push the policies, that's what the VPN is for. SSL and other authentication methods will allow them to access the network, but it doesn't make their computer become a part of the network. – ztk May 29 '15 at 18:14
  • I think the remote access VPN part of RRAS [is now called DirectAccess](https://technet.microsoft.com/en-us/network/dd420463.aspx). Whatever it's called, it looks to me like the only reasonable way to manage remote systems in a domain is using Server 2012 DirectAccess and Enterprise clients on the remote systems. – alx9r May 29 '15 at 22:43