first time a user logs on pptp active directory

Posted on 2010-01-11
Medium Priority
Last Modified: 2012-05-08
We have a remote site where the computer uses PPTP to connect back to our home office. I don't want to use a RADIUS server because I don't have the equipment for it. My problem is this: we bring the computer to the home office for the user to log on so it authenticates to the DC. When we take it back out to the remote site this user is still fine. They log in with cached credentials and then fire up PPTP to connect back to the main office. But what about a new user? Is there a way to log in a user without being able to have network access to the DC, for the first time, to set up Documents and Settings?
I know it sounds sort of crazy, but that's what I'm needing. I'm sick of picking up this computer and bringing it back to the home office. The remote office is at a private place of business, so I can't use a router of my choice to set up permanent VPN connections, and the one they use does not have VPN capabilities.
Question by:jamesmetcalf74
Expert Comment

ID: 26288931
Presuming you can walk the user through it over the phone, have them create the VPN connection to your domain; once they are connected, Remote Desktop in to their computer using your LAN IP address. Once on their computer, you join their computer into your domain. It works just fine; we do it all the time.

Author Comment

ID: 26288956
Close, but... this computer is already joined to the domain.
So the user logs in (remember, this is an already established user) and everything works fine. They establish the PPTP VPN connection and then they have access to resources.

I'm talking about a new user that has never logged into the machine before. There is no connection back to the domain controller to authenticate.

Expert Comment

ID: 26288995
That's fine. The new user logs in to his/her computer using local admin; he/she can still create a VPN to your domain using the new user credential you have created for them, and you still get to configure their desktop over Remote Desktop. It's the same situation here.

Author Comment

ID: 26292505
So you are saying the admin logs in and establishes the VPN, then the admin logs off and the new user logs in. Is there a way to keep the VPN up and running after the admin logs off?

Accepted Solution

ARK-DS earned 1200 total points
ID: 26295747
Hi James,

I am afraid I am not aware of any way to achieve it. It would be like anybody being able to try and log in to the machine and access resources over the domain.
When a user authenticates, it gets a PAC (Privileged Attribute Certificate) from the DC, which is used by the client machine to create an access token for the user so that its authorization can be checked against access to domain resources. So, authorization is dependent on authentication.
If authentication is not happening, I don't think that the user can log in.

Now, the basic thing is this: the access token is built from the PAC, which is in the TGT (Ticket Granting Ticket) from the KDC service running on the DC. I don't find any way to create a Kerberos ticket for the user before it logs in to the machine.



Assisted Solution

kishg earned 800 total points
ID: 26299033

Once the admin logs off, your application will get shut off, hence the VPN will disconnect. But that's where your user will need to re-login to the machine and establish the VPN connection on logon using his/her own domain user name and password; you can then take control of the machine again (RDP) and finish the rest of the setup.
If that's not acceptable (i.e. having to ask the user to log back in to the machine), you might consider configuring the VPN as a service. I haven't tried that option, but I think that should be doable.
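An added diagnostic to accompany the accepted and assisted answers above (it is not code from any poster in this thread): run on the remote workstation, it reports whether the PPTP tunnel is up, whether a domain controller can be located through it, and how many domain users the machine will accept with cached credentials, which together explain why a first-time user is refused. The phonebook entry name "HomeOffice" is an assumed placeholder.

```powershell
# Added diagnostic, not from the thread. Run as an administrator on the remote PC.
# Assumes the PPTP phonebook entry is named "HomeOffice" (placeholder name).
$vpnName = "HomeOffice"

# 1. Is the PPTP connection up? rasdial.exe with no arguments lists active entries.
$active = & rasdial.exe
$vpnUp = ($active -match [regex]::Escape($vpnName)).Count -gt 0
"VPN '$vpnName' connected: $vpnUp"

# 2. Can the workstation locate a domain controller (over the tunnel, if up)?
#    nltest sets a non-zero exit code when no DC for the domain can be found.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
& nltest.exe /dsgetdc:$domain | Out-Null
$dcReachable = ($LASTEXITCODE -eq 0)
"Domain controller for $domain reachable: $dcReachable"

# 3. How many domain users may log on with cached credentials?
#    CachedLogonsCount under Winlogon; an absent value means the default of 10.
$winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }
"CachedLogonsCount: $cached"

# Interpretation: a cached logon only exists for users who have already
# authenticated to a DC from this machine. Without a reachable DC, a user who
# has never logged on here has nothing cached to verify against and is refused,
# whatever CachedLogonsCount says.
if (-not $dcReachable) {
    "No DC reachable: only users with an existing cached logon can sign in here."
}
```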
