Setting Group policy to use Universal log on

I have been asked to look into setting up group policy to enforce all users in Active Directory to use universal log in to all systems, including all IIS websites within the domain.

The requirements are that they are unsure whether they would like to set the policy at a workstation/server level or user level.
Unfortunately, their desktops and laptops are not enrolled onto the domain; instead they log into the laptop/PC locally, then connect up via a VPN connection (unsure why they are not enrolled onto the domain), which makes me think that it should be applied at a user level.
Is it even possible to set up group policy to enforce all domain users to use universal log in on all systems? (I was under the impression you need one for both computer & user levels.)

Sandeshdubey (Senior Server Engineer) Commented:
If the machine is not joined to the domain, a domain user cannot log in. You can join the clients/laptops to the domain so that domain users can log in to the client machine.
Brent_1978 (Author) Commented:
I have only been at this company for a week, so I am unsure why they even have their workstations and domain set up the way they are.
But anyhow, they want to be able to use universal log on on both the website interfaces (CRM, for example) and the servers (which are definitely enrolled onto the domain).
Now the part where I am a little confused is...
Once you connect to the domain with a domain account across a VPN connection, shouldn't the user-specific group policy applied to the user's OU group in AD still enforce its policy on the account you connected with?

Then when they decide to join the 21st century and enroll their desktops and laptops onto their domain like any backyard operation would, then they can use universal log on any pc, server or site that is enrolled onto their domain because it is forced with the user specific policy at the user OU group level.
Brent_1978 (Author) Commented:
Sorry the grammar in that last post was appalling, I do apologize. It's a Friday afternoon and I am still trying to understand why anyone would not want to have all workstations on their domain???

Enrolled or not, they can save credentials - why don't they?
Brent_1978 (Author) Commented:
I am not sure. I will be advising them to put all workstations and servers onto the domain before they progress any further with applying a group policy like this.

Does anyone have a guide on how to enforce universal log on via group policy at the OU group level for workstations and servers?
Also how does one apply these to websites being hosted on the server running IIS?
Normally, no policy is needed. Just join.
The whole purpose of Kerberos being created was for a way to pass logon credential security between applications/servers. When you are using Kerberos, which is used in Active Directory, you are using SSO. The simple answer, as others have stated, is to just join the workstation to the domain.

I have a feeling the client you are working with does not understand what a Windows AD domain is or can offer. A one-hour base-level explanation meeting may save both sides a lot of headache in the long run.

Just a suggestion...

Brent_1978 (Author) Commented:
Thank you all for your input; it is greatly appreciated.