

first time a user logs on pptp active directory

Posted on 2010-01-11
Medium Priority
Last Modified: 2012-05-08
We have a remote site where the computer uses PPTP to connect back to our home office. I don't want to use a RADIUS server because I don't have the equipment for it. My problem is this. We bring the computer to the home office for the user to log on so it authenticates to the DC. When we take it back out to the remote site this user is still fine. They log in with cached credentials and then fire up PPTP to connect back to the main office. But what about a new user? Is there a way to log in a user without being able to have network access to the DC, for the first time, to set up Documents and Settings?
I know it sounds sort of crazy, but that's what I'm needing. I'm sick of picking up this computer and bringing it back to the home office. The remote office is at a private place of business, so I can't use a router of my choice to set up permanent VPN connections, and the one they use does not have VPN capabilities.
Question by:jamesmetcalf74

Expert Comment

ID: 26288931
Presuming you can walk the user through it over the phone, make them create a VPN connection to your domain. Once they are connected, remote desktop in to their computer using your LAN IP address. Once on their computer, you join their computer to your domain. It works just fine; we do it all the time.

Author Comment

ID: 26288956
Close, but... this computer is already joined to the domain.
So the user logs in... remember this is an already established user, and everything works fine. They establish the PPTP VPN connection and then they have access to resources.

I'm talking about a new user that has never logged into the machine before. There is no connection back to the domain controller to authenticate.

Expert Comment

ID: 26288995
That's fine. The new user logs in to his/her computer using the local admin account; he/she still can create a VPN to your domain using the new user credential you have created for them, and you still get to configure their desktop over Remote Desktop. It's the same situation here.

Author Comment

ID: 26292505
So you are saying the admin logs in and establishes the VPN. Then the admin logs off and the new user logs in. Is there a way to keep the VPN up and running after the admin logs off?

Accepted Solution

ARK-DS earned 1200 total points
ID: 26295747
Hi James,

I am afraid I am not aware of any way to achieve it. It would be like anybody could try to log in to the machine and access resources over the domain.
When a user authenticates, it gets a PAC (Privilege Attribute Certificate) from the DC, which is used by the client machine to create an access token for the user so that its authorization can be checked against access to domain resources. So, authorization is dependent on authentication.
If authentication is not happening, I don't think that the user can log in.

Now, the basic thing is this: the access token is built from the PAC, which is in the TGT (Ticket Granting Ticket) from the KDC service running on the DC. I don't find any way to create a Kerberos ticket for the user before it logs in to the machine.



Assisted Solution

kishg earned 800 total points
ID: 26299033

Once the admin logs off, your application will get shut off, hence the VPN will disconnect. But that's where your user will need to re-login to the machine and establish the VPN connection on logon using his/her own domain user name and password; you can then take control of the machine again (RDP) and finish the rest of the setup.
If that's not acceptable (i.e. having to ask the user to log back in to the machine), you might consider configuring the VPN as a service. I haven't tried that option but I think that should be doable.
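A diagnostic that matches the thread's conclusion (a first-time domain logon needs a reachable DC; later logons run on cached credentials), added here as an example and not code posted by anyone in the thread. It assumes a VPN phonebook entry named HomeOffice and a domain named CONTOSO (both placeholders), Windows PowerShell 2.0 or later run elevated on the domain-joined remote PC, and nltest.exe being present (built into Vista and later, or installed with RSAT).

```powershell
# Added example, not from the thread. Run on the remote PC after the PPTP tunnel is up,
# before a new domain user attempts a first logon. Names below are placeholders.
param(
    [string]$VpnEntry = "HomeOffice",   # assumed phonebook entry name
    [string]$Domain   = "CONTOSO"       # assumed NetBIOS domain name
)

# 1. Is the tunnel actually connected? rasdial with no arguments lists active entries.
$active = rasdial
if ($active -notmatch [regex]::Escape($VpnEntry)) {
    Write-Warning "VPN entry '$VpnEntry' is not connected; a first-time domain logon will fail."
}

# 2. Can the machine locate a domain controller through the tunnel?
$dc = nltest /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No DC reachable for $Domain; only users with cached credentials can log on."
} else {
    # Print the DC name line from nltest's output so the admin can see which DC answered.
    $dc | Select-String 'DC:' | ForEach-Object { Write-Output $_.Line.Trim() }
}

# 3. Is the computer account's own secure channel to the domain healthy?
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel is broken; domain logons fail even when a DC is reachable."
}

# 4. How many users may log on from cached credentials (Windows default is 10)?
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '(not set, default 10)' }
Write-Output "CachedLogonsCount = $cached  (0 disables cached logons, so every logon then needs a DC)"
```

Running this with the tunnel up and all four checks passing is the point at which the new user's first logon can succeed without the machine being carried back to the home office.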
