If i understand all the above correctly. The VPN Logon appears before the Windows domain LOGON.. hence when a laptop is physically disconnected from the domain at a remote location everything works fiine .. VPN 1st - Then logon to Domain - all Fine.........
However 2 related questions -
1. What happens when the laptop has no way to VPN yet the user still needs to use the laptop ( off-domain ) remotely ?
2. What happens when the user returns to the office and docks the laptop for normal domain login etc ?