djc
I am setting up a few machines for remote users. In the past I have
generally not made these machines domain members. I set them up with
antivirus and firewall and only gave the users a non-admin local user
account to log in with. Then they just used VPN and RDP to their actual work
desktops to work. No work is done on the local machines; they are just used
like dumb terminals to connect to work.
I was thinking of changing this and making them domain members so I can use
GPOs to control them better. My concern is them being able to log onto the
domain without being connected to the company network. I know as long as
they log on at least once to the domain then they can then log on while
disconnected using cached credentials... but how long can they do this for?
A limited number of times before they would be required to bring the laptop
back to work and log on again? Or would the act of logging on via the VPN
(Windows RRAS/ISA VPN) renew these cached credentials again? Or (this one
just came to me) can you still select a dialup (VPN in this case) connection
to be used *first* to authenticate a logon? I recall doing that in Windows
2000 I think..?
Anyway, my current clients are XP Pro SP2, connecting to a Windows 2000 native
mode domain via ISA 2000/Windows 2000 RRAS VPN.
Any input would be appreciated.