remoted machines with cached domain logons

[djc]

I am setting up a few machines for remote users. In the past I have
generally not made these machines domain members. I set them up with
antivirus and firewall and only gave the users a non-admin local user
account to log in with. Then they just used vpn and RDP to there actual work
desktops to work. No work is done on the local machines, they are just used
like dumb terminals to connect to work.

I was thinking of changing this and making them domain members so I can use
GPO's to control them better. My concern is them being able to log onto the
domain without being connected to the company network. I know as long as
they logon at least once to the domain then they can then log on while
disconnected using cached credentials... but how long can they do this for?
a limited number of times before they would be required to bring the laptop
back to work and logon again? or would the act of logging on via the VPN
(windows RRAS/ISA vpn) renew these cached credential again? or (this one
just came to me) can you still select a dialup (vpn in this case) connection
to be used *first* to authenticate a logon? I recall doing that in windows
2000 I think..?

anyway, my current clients are XP Pro sp2, connecting to windows 2000 native
mode domain via ISA2000/windows2000RRAS vpn.

any input would be appreciated.

 

[Herb Martin]

I am setting up a few machines for remote users. In the past I have
generally not made these machines domain members. I set them up with
antivirus and firewall and only gave the users a non-admin local user
account to log in with. Then they just used vpn and RDP to there actual
work desktops to work. No work is done on the local machines, they are just
used like dumb terminals to connect to work.

Nothing wrong with this if it works for you.

I was thinking of changing this and making them domain members so I can
use GPO's to control them better. My concern is them being able to log
onto the domain without being connected to the company network. I know as
long as they logon at least once to the domain then they can then log on
while disconnected using cached credentials... but how long can they do
this for? a limited number of times before they would be required to bring
the laptop back to work and logon again? or would the act of logging on
via the VPN (windows RRAS/ISA vpn) renew these cached credential again?

Generally forever (I vaguely THINK I remember there is a way to limit
this but I may just be confusing the NUMBER of remembered credentials.)

The real issue is that if they cannot authenticate, what value will it
offer?

They are not going to get any GPO's unless their machines can authenticate.

or (this one just came to me) can you still select a dialup (vpn in this
case) connection to be used *first* to authenticate a logon? I recall
doing that in windows 2000 I think..?

Yes, and while it works it isn't always the most fun to troubleshoot.

anyway, my current clients are XP Pro sp2, connecting to windows 2000
native mode domain via ISA2000/windows2000RRAS vpn.

any input would be appreciated.

I think it is a good idea AND that it might be more trouble than
it is worth.

Why not just get ONE MACHINE and try it yourself for a couple
of weeks.... (remember to try out the GPO controlling the machine
idea too.)

 

[Anthony]

You can put them in the domain, and users will log in with cached
credentials for ever as long as they had logged on before. In a Cisco VPN
client you can set it to come up when the machine starts, so the login is
over the domain. You can't (AFAIK) "log in" afterwards if the VPN is brought
up later. I would not expect a user to be able to switch between modes in
the VPN client, so it would be one or the other,
Anthony

 

[djc]

thanks for the reply Herb. Please see inline.

Nothing wrong with this if it works for you.


Generally forever (I vaguely THINK I remember there is a way to limit
this but I may just be confusing the NUMBER of remembered credentials.)

The real issue is that if they cannot authenticate, what value will it
offer?

They are not going to get any GPO's unless their machines can
authenticate.

I'm not sure if this is what you mean here but am I overlooking something
with the behavior of GPOs here?
Please correct me if I'm wrong but I am assuming the following behavior:

- user logs onto domain at least once while connected to LAN, domain
computer and user GPOs get applied

- user takes laptop home and logs on with cached domain credentials, same
domain computer and user GPOs are applied (cached)

- after user logs onto VPN the domain computer and user GPOs would be
updated during regular GPO refresh intervals

anything above incorrect? am I wrong about the GPOs being cached?

Yes, and while it works it isn't always the most fun to troubleshoot.


I think it is a good idea AND that it might be more trouble than
it is worth.

Why not just get ONE MACHINE and try it yourself for a couple
of weeks.... (remember to try out the GPO controlling the machine
idea too.)

Will do.

thanks Herb

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[djc]

thanks for the input. Its appreciated.

You can put them in the domain, and users will log in with cached
credentials for ever as long as they had logged on before. In a Cisco VPN
client you can set it to come up when the machine starts, so the login is
over the domain. You can't (AFAIK) "log in" afterwards if the VPN is
brought up later. I would not expect a user to be able to switch between
modes in the VPN client, so it would be one or the other,
Anthony

 

[Anthony]

Its a pleasure
Anthony

thanks for the input. Its appreciated.

 

[Steven L Umbach]

Once they have a cached domain credential they can logon to their computer
indefinitely while not connected to the domain. However if you have a
password policy that requires users to change their password every so may
days they could eventually find that when they do access the domain via VPN
that they will have an expired password. If they are using the built in
Windows VPN client they should then be presented with the option to change
their password. After doing that the user should immediately lock their
computer and then unlock it with the new credentials that should update
their cached logon with the new password. My understanding is that not all
third part VPN clients handle expired passwords as well.

Most Group Policy settings can be refreshed over a VPN but some can not. You
could test how well it works for you by using a test computer over a VPN and
then using gpupdate to see if the GP settings you expect to be applied are
and it may be helpful to run a rsop.msc on the computer before and after
running gpupdate. You may also run into a problem with GP refresh intervals
if the VPN users do not stay connected that long. You can decrease the
refresh interval for the remote users computers.

Steve

 

[Herb Martin]

I'm not sure if this is what you mean here but am I overlooking something
with the behavior of GPOs here?
Please correct me if I'm wrong but I am assuming the following behavior:

- user logs onto domain at least once while connected to LAN, domain
computer and user GPOs get applied

Yes. Actually they get applied to the COMPUTER before the user
logs in, based on the COMPUTER authenticating on the domain.

- user takes laptop home and logs on with cached domain credentials, same
domain computer and user GPOs are applied (cached)

This is usually not called "applied" but yes the GPOs stick until
the domain can be found again. I started to mention this in my
original post but the main advantage of the GPO is that it can
be updated by the admin anytime, not just that first (and only)
application.

- after user logs onto VPN the domain computer and user GPOs would be
updated during regular GPO refresh intervals

This I doubt. Since the computer would need to be authenticated
on the domain and I am unsure whether it would do this through
the VPN if the DC were not available at boot. I just don't know and
this needs to be part of your test (I was thinking about this when I
suggested the testing but didn't specify it.)

anything above incorrect? am I wrong about the GPOs being cached?


Will do.

thanks Herb

Anytime I can help...

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

thanks for the reply Herb. Please see inline.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[Kurt]

Not to disagree with Herb (he is usually right), but .....

I'm not sure if this is what you mean here but am I overlooking something
with the behavior of GPOs here?
Please correct me if I'm wrong but I am assuming the following behavior:

- user logs onto domain at least once while connected to LAN, domain
computer and user GPOs get applied

Yes.


- user takes laptop home and logs on with cached domain credentials, same
domain computer and user GPOs are applied (cached)

Previously applied GPO settings will still be in force.

- after user logs onto VPN the domain computer and user GPOs would be
updated during regular GPO refresh intervals

If you set the VPN to dial prior to user authentication, I'm certain that
USER level GPOs would apply. I'm confident (althought not certain) that if
they stay connected long enough for group policy refresh intervals to
happen -IF they are accessing the LAN DNS server and such - that group
policy will be refreshed. This should be easy to test with a simple
computer-level policy like a startup script that renames a file or
something.

anything above incorrect? am I wrong about the GPOs being cached?

Yes, and while it works it isn't always the most fun to troubleshoot.


I think it is a good idea AND that it might be more trouble than
it is worth.

Why not just get ONE MACHINE and try it yourself for a couple
of weeks.... (remember to try out the GPO controlling the machine
idea too.)

Will do.

thanks Herb

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[djc]

thanks Steve. I appreciate the info. I'll do some testing.

 

[djc]

thanks for the info Herb. Its appreciated. I'll do some testing.

I'm not sure if this is what you mean here but am I overlooking something
with the behavior of GPOs here?
Please correct me if I'm wrong but I am assuming the following behavior:

- user logs onto domain at least once while connected to LAN, domain
computer and user GPOs get applied

Yes. Actually they get applied to the COMPUTER before the user
logs in, based on the COMPUTER authenticating on the domain.

- user takes laptop home and logs on with cached domain credentials, same
domain computer and user GPOs are applied (cached)

This is usually not called "applied" but yes the GPOs stick until
the domain can be found again. I started to mention this in my
original post but the main advantage of the GPO is that it can
be updated by the admin anytime, not just that first (and only)
application.

- after user logs onto VPN the domain computer and user GPOs would be
updated during regular GPO refresh intervals

This I doubt. Since the computer would need to be authenticated
on the domain and I am unsure whether it would do this through
the VPN if the DC were not available at boot. I just don't know and
this needs to be part of your test (I was thinking about this when I
suggested the testing but didn't specify it.)

anything above incorrect? am I wrong about the GPOs being cached?


Will do.

thanks Herb

Anytime I can help...

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

thanks for the reply Herb. Please see inline.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

 

[djc]

thanks for the input. I appreciate it. I'll do some testing.

Not to disagree with Herb (he is usually right), but .....

I'm not sure if this is what you mean here but am I overlooking something
with the behavior of GPOs here?
Please correct me if I'm wrong but I am assuming the following behavior:

- user logs onto domain at least once while connected to LAN, domain
computer and user GPOs get applied

Yes.


- user takes laptop home and logs on with cached domain credentials, same
domain computer and user GPOs are applied (cached)

Previously applied GPO settings will still be in force.

- after user logs onto VPN the domain computer and user GPOs would be
updated during regular GPO refresh intervals

If you set the VPN to dial prior to user authentication, I'm certain that
USER level GPOs would apply. I'm confident (althought not certain) that if
they stay connected long enough for group policy refresh intervals to
happen -IF they are accessing the LAN DNS server and such - that group
policy will be refreshed. This should be easy to test with a simple
computer-level policy like a startup script that renames a file or
something.

anything above incorrect? am I wrong about the GPOs being cached?

or (this one just came to me) can you still select a dialup (vpn in
this case) connection to be used *first* to authenticate a logon? I
recall doing that in windows 2000 I think..?

Yes, and while it works it isn't always the most fun to troubleshoot.

anyway, my current clients are XP Pro sp2, connecting to windows 2000
native mode domain via ISA2000/windows2000RRAS vpn.

any input would be appreciated.

I think it is a good idea AND that it might be more trouble than
it is worth.

Why not just get ONE MACHINE and try it yourself for a couple
of weeks.... (remember to try out the GPO controlling the machine
idea too.)

Will do.

thanks Herb

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]