Is it possible to automatically invoke group policies when manually connecting to a VPN in Windows


Our company has several laptop users (including myself) who log on to our VPN remotely, after logging in to a local domain profile on the laptop.

The problem with this, however, is that group policies and startup scripts are not automatically invoked when connecting to the VPN.

This results in loss of control and a possible added security risk (such as domain users being able to join without virus software installed).

Is there any solution to this problem? I have read about logging on using a dial-up connection, but there are two downsides to this:

  1. It seems to be unavailable on Windows Vista / 7 machines
  2. It requires the laptop user to have an internet connection.
  3. It still leaves the option open to connect manually.

Any help would be appreciated.

Note: we are using Windows Server 2008 (not R2)

Best Answer

As you mentioned, startup scripts etc. will only run at startup; by connecting to your DC after startup you miss this window of opportunity. Group policy will still be collected and applied at the next startup.

This has in theory been solved using 2008 R2 & Win 7 using Direct Access. Essentially you get an 'automatic' VPN which the machine account initiates prior to user logon, hence allowing startup scripts etc to be applied.

My understanding is that you don't need to upgrade your domain; you just need (at least) one 2008 R2 server to terminate the Direct Access.
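For the pre-R2 / Windows 7 environment the question describes, one way to at least get computer policy refreshed as soon as a manual VPN connection comes up is a scheduled task fired by the RAS client's "connected" event. This is an added example, not part of the question or the answer above; it assumes the VPN is a built-in Windows RAS connection (which logs Application event 20225 from source RasClient on success) and that the Group Policy operational log records event 1502 when computer policy is processed with changes. It refreshes policy only; computer startup scripts still run only at boot, as the answer notes.

```powershell
# Run once, elevated, on each laptop. Creates a SYSTEM task that runs
# gpupdate for the computer scope whenever a RAS/VPN connection succeeds.
# Assumption: Application log, source RasClient, EventID 20225 = connected.
function Register-GpRefreshOnVpnConnect {
    param([string]$TaskName = 'GPRefreshOnVpnConnect')   # hypothetical task name

    # XPath filter used by the ONEVENT trigger (schtasks.exe exists on Vista/7)
    $query = "*[System[Provider[@Name='RasClient'] and EventID=20225]]"

    schtasks.exe /Create /F `
        /TN $TaskName `
        /RU SYSTEM /RL HIGHEST `
        /SC ONEVENT /EC Application /MO $query `
        /TR 'gpupdate.exe /target:computer /force'

    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
}

# Verification for the admin or the user after connecting to the VPN:
# did computer policy actually get processed since the tunnel came up?
# Assumption: GroupPolicy operational log, EventID 1500 (no changes) or
# 1502 (new settings applied) marks a completed computer-policy pass.
function Test-GpRefreshedSinceVpnConnect {
    $lastVpn = Get-WinEvent -LogName Application `
        -FilterXPath "*[System[Provider[@Name='RasClient'] and EventID=20225]]" `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $lastVpn) { Write-Warning 'No VPN connect event found'; return $false }

    $lastGp = Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
        -FilterXPath "*[System[(EventID=1500 or EventID=1502)]]" `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $lastGp) { Write-Warning 'No computer policy processing event found'; return $false }

    # True only if the most recent policy pass happened after the tunnel came up
    return $lastGp.TimeCreated -gt $lastVpn.TimeCreated
}

Register-GpRefreshOnVpnConnect
# After the next manual VPN connection, this should return True:
Test-GpRefreshedSinceVpnConnect
```

If the laptop's VPN is a third-party client rather than a Windows RAS connection, the trigger event and source must be replaced with whatever that client logs.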