Remote user, new laptop, AD is company policy

the_technocratthe_technocrat IC-MotY1Indy Icrontian
edited August 2008 in Science & Tech
[11:05] <the_technocrat> for those of you in IT, how do your companies handle issuing a new laptop to an employee where:
[11:05] <the_technocrat> you can't know their AD password
[11:05] <the_technocrat> their AD account needs to be cached on the machine
[11:05] <the_technocrat> (so they can log in the first time while not connected to the network, we're all remote users)

Just one of the challenges here, looking into options. I'm sure this comes up for anyone whu issues new machines to users that are remote. Don't want to make a local account, they have to use their AD login (policy).

Comments

  • the_technocratthe_technocrat IC-MotY1 Indy Icrontian
    edited August 2008
    [11:13] <the_technocrat> I can already add an AD user to the local machine and local admin group with 'add user DOMAIN\username' etc, but that doesn't cache their AD password
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2008
    I assign passwords and make them change it next time they're local.
  • the_technocratthe_technocrat IC-MotY1 Indy Icrontian
    edited August 2008
    primesuspect wrote:
    I assign passwords and make them change it next time they're local.

    Yeah, these are already-exising users, working remotely and using AD to sign into web-based applications. I know I could change their pword, I was trying to be 1337 and do this without changing their AD pword
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    edited August 2008
    We removed the default 10 cached user account/ passwords so only the last user can login offline. To defeat the obvious problems that causes, we install Cisco VPN and set it to launch before login.

    When a user starts the laptop... he must be connected to a network (hardline or wirless). When the user presses ctrl+alt+del and accepts the legal banner, Cisco launches. The user logs into VPN and then they can login to the domain.

    This works for hardline networks or wireless that can handle auto connecting to a wireless profile before a user logs in.
  • the_technocratthe_technocrat IC-MotY1 Indy Icrontian
    edited August 2008
    Hmm, yes I've done pre-logon. This requires that we would have to set up pre-logon connect to wireless, and the wireless networks are unknown. I suppose we could go the VPN route and require them to be connected via hardline the first time. Once logged in, I suppose we could have a batch that would disable auto-VPN for them, as it's not always neccessary, only the first time.

    Good idea Q, I'll check it out.
  • QCHQCH Ancient Guru Chicago Area - USA Icrontian
    edited August 2008
    Also.... Intel wireless application has the ability to launch an application when it connects to a profile.... have it launch VPN then. That way only when on woreless will VPN auto launch.
  • the_technocratthe_technocrat IC-MotY1 Indy Icrontian
    edited August 2008
    yeah but the problem is that most people are at remote locations, a lot of times in other companies, so I don't have their wireless info :\. But having them connect to a hardwire the first time is good enough to get the credentials cached.
Sign In or Register to comment.