How to add new active directory accounts to computers outside our network

Hello,

We have a server at our central office (Server 2008) and several laptops in the field. As we add a new user to the server, the field laptops are not able to log in as the new user created in active directory.

Would a VPN need to be established between the laptop and the server in order to accomplish this? Will the field laptop have to be brought back into the local network each time we want to add a user login??

I understand that at the moment the laptops are using cached profiles...

Can anyone please explain the steps necessary for getting this to work correctly?

Many thanks!
jcaprio Asked:

KevinSeddon81 Commented:
If you are using Windows 7 (and maybe Vista), you may be able to log in to the laptop using a cached account or local admin, log in to the VPN and then go to Switch User. If the VPN stays open while you switch user, then you should be able to log the new user in to the laptop and update the GPO.
0
lruiz52 Commented:
You would definitely need some form of VPN. I would look into Microsoft DirectAccess VPN.
0
tsaico Commented:
If you have the extra budget too, I have a few clients who use Windows 2008 as a remote desktop. I found it is about the same amount of difficulty in training someone to log in with VPN and how to get connected and such as it is explaining to them remote resources vs local.

Then I train them to use the remote session for everything and not have any data locally. Often the pitch I use is that if a laptop is lost or stolen, we do not have to worry about locally stored data and can just change a password (in case the user saved their password on the remote desktop app).

But the above will also work, but I would recommend setting up a generic local user account that has no information and the VPN settings so they can do this. Otherwise, you have to rely on knowing the "old" user account information, and if you change the password, the VPN isn't up so the laptop cache can be updated.
0

AlexProfilet Commented:
VPN is the way to go to achieve what you are looking for. Like KevinSeddon81 said, you can log in as a user with the VPN, then switch user accounts (don't log off! use Switch User) while the VPN is connected to log in as the new user. It can be tough to do sometimes and isn't a very reliable way of connecting.

Like tsaico says, Remote Desktop/Citrix is the best way, if the mobile users always have reliable Internet when they need to work.
0

KevinSeddon81 Commented:
Another possible way is to log in with cached credentials, log in to the VPN and then open an elevated command prompt. You should then be able to run something like Notepad or Calculator using the runas flag with the new user, and that will create the new user's profile and hopefully cache the credentials. Be careful if you are using roaming profiles or folder redirection though; if you have an interruption, it may cause the user to create a temporary profile.
0
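KevinSeddon81's runas approach, written out as an added PowerShell script (example code, not from the thread or from any of the posters). It assumes an elevated prompt in a cached or local-admin session with the VPN already up; the $Domain/$User parameters, the DC reachability check and the CachedLogonsCount check are my additions.

```powershell
# Added example: pre-create a new AD user's profile and cached logon on a
# field laptop while a domain controller is reachable over the VPN.
param(
    [Parameter(Mandatory)] [string]$Domain,   # NetBIOS domain name, e.g. CORP (assumption)
    [Parameter(Mandatory)] [string]$User      # new AD account, e.g. jsmith (assumption)
)

# 1. runas depends on the Secondary Logon service; start it if it is stopped.
$seclogon = Get-Service -Name seclogon
if ($seclogon.Status -ne 'Running') { Start-Service -Name seclogon }

# 2. Confirm a DC is reachable; without one, runas cannot validate the new
#    user and nothing gets cached. nltest returns non-zero if no DC is found.
nltest /dsgetdc:$Domain | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "No domain controller for $Domain reachable. Connect the VPN first."
}

# 3. Credential caching must be enabled, or the offline logon will never work.
#    CachedLogonsCount is a REG_SZ; '0' means caching is disabled by policy.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
           -ErrorAction SilentlyContinue).CachedLogonsCount
if ($cached -eq '0') {
    throw "CachedLogonsCount is 0 on this laptop; offline logon for $User is blocked."
}

# 4. Launch a harmless program as the new user. runas prompts for the password
#    interactively; /profile makes Windows build the local profile, and because
#    a DC is reachable the logon is validated online and its verifier cached.
runas /profile /user:"$Domain\$User" notepad.exe

# 5. Verify that a local profile now exists for the account's SID.
$account = New-Object System.Security.Principal.NTAccount("$Domain\$User")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$profile = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $sid }
if ($profile) {
    "Profile for $Domain\$User created at $($profile.LocalPath); user can now log on offline."
} else {
    Write-Warning "No local profile for $Domain\$User was created; check the runas password prompt."
}
```

Close Notepad before disconnecting the VPN; as the comment warns, an interrupted logon with roaming profiles or folder redirection can leave the user with a temporary profile instead.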
jcaprio Author Commented:
Thanks for all the help guys!

Tsaico - I like your suggestion as it starts to implement a cloud based environment for my users.

I have set the remote desktop up successfully for admin users (easy enough); however, can you help me bypass this error message for non-admins trying to log on locally to the server?

Also, does enabling this feature pose any security risks?

Thanks a bunch!
Capture.JPG
0
AlexProfilet Commented:
Using terminal services for more than admin purposes (2 admin users at a time) you need terminal server licensing. It is best to have a dedicated terminal server for this purpose and lock it down with GPOs as well. You don't really want your users logging into a DC or any other systems that aren't dedicated for this purpose. It is possible, just not really recommended. If your users manage to infect the server or cause other issues you really only want it to affect your terminal server, not any other production loads.
0
tsaico Commented:
In order to do the non-admins, you really do need Terminal Server set up. My post should have been more clear on that. This Win2k8 terminal server is set up as a workstation, doesn't require a lot of HD space, and generally has Internet disabled. I found my cost break-even is about the same at 4 users, assuming a respectable laptop at $800-1000.

So I agree with Alex's post as this really should be a dedicated server for it to work.
0
jcaprio Author Commented:
This worked perfectly! Thanks!
0