Setting Group policy to use Universal log on

I have been asked to look into setting up group policy to enforce all users in Active Directory to use universal log in to all systems, including all IIS websites within the domain.

The requirements are that they are unsure whether they would like to set the policy at a workstation/server level or user level.
Unfortunately, their desktops and laptops are not enrolled onto the domain; instead they log into the laptop/PC locally, then connect up via a VPN connection (unsure why they are not enrolled onto the domain), which makes me think that it should be applied at a user level.
Is it even possible to set up group policy to enforce all domain users to use universal log in on all systems? (I was under the impression you need one for both computer & user levels.)
compdigit44 Commented:
The whole purpose of Kerberos being created was for a way to pass logon credentials securely between applications/servers. When you are using Kerberos, which is used in Active Directory, you are using SSO. The simple answer, as others have stated, is to just join the workstation to the domain.

I have a feeling the client you are working with does not understand what a Windows AD domain is or can offer. A one-hour base-level explanatory meeting may save both sides a lot of headaches in the long run.

Just a suggestion...
Sandeshdubey (Senior Server Engineer) Commented:
If the machine is not joined to the domain, a domain user cannot log on. You can join the clients/laptops to the domain so that domain users can log in to the client machine.
Brent_1978 (Author) Commented:
I have only been at this company for a week, so I am unsure why they even have their workstations and domain set up the way they are.
But anyhow, they want to be able to use universal log on on both the websites' interface (CRM, for example) and the server (which are definitely enrolled onto the domain).
Now the part I am a little confused about is...
Once you connect to the domain with a domain account across a VPN connection, shouldn't the user-specific group policy applied to the user's OU group in AD still enforce its policy on the account you connected with?

Then when they decide to join the 21st century and enroll their desktops and laptops onto their domain like any backyard operation would, then they can use universal log on any pc, server or site that is enrolled onto their domain because it is forced with the user specific policy at the user OU group level.
Brent_1978 (Author) Commented:
Sorry the grammar in that last post was appalling, I do apologize. It's a Friday afternoon and I am still trying to understand why anyone would not want to have all workstations on their domain???
Enrolled or not, they can save credentials - why don't they?
Brent_1978 (Author) Commented:
I am not sure. I will be advising them to put all workstations and servers onto the domain before they progress any further with applying a group policy like this.

Does anyone have a guide on how to enforce universal log on via group policy at the OU group level for workstations and servers?
Also how does one apply these to websites being hosted on the server running IIS?
McKnife Commented:
Normally, no policy is needed. Just join.
Brent_1978 (Author) Commented:
Thank you all for your input it is greatly appreciated.
Question has a verified solution.