Head Spinning - VPN AD logon question

Torontosucks
I have a user who works far away at home. He connects with our laptop through VPN. Recently all users were advised that they had to accept our online policies, and he did not do so in time, so his AD account was marked as Expired with the hopes that he would call in for assistance. He tried to connect afterwards and did get on VPN, but his AD account was now expired. He rebooted and now cannot get on the laptop because his account is now marked as expired locally. His AD account is no longer expired online, but since he is offline his system does not know this and he can no longer log on to be able to get to the VPN logon screen. Of course it is all my fault, and since our policy is normally to not give the administrator password I am stuck. Any ideas? If we did give the administrator password in lieu of him shipping us the laptop back and forth, what would the process be? I should have stayed home.
  • 0 Votes
    hammunist

    If you did give the password, it would just be for the local machine, so he couldn't do too much damage (well, one would hope) - let's say you give it to him, he can log in, and then connect to the VPN client using his credentials, which should authenticate. What type of VPN client? Some I've used (Cisco) have an option on whether or not to disconnect at logoff - turn this feature off, have him sign out of the admin account, and then log in as himself - this should update the local profile since the VPN connection is still active.

    0 Votes
    gechurch

    If you trusted the person you could give him the local admin password. He logs on, connects the VPN, then switches user and logs in to his domain account. Now have him switch back to the local admin and run TeamViewer or similar. You log in and change the local admin password then log off.

    If you don't trust the person, or don't want to change the local admin password (to keep it standard with other machines), then hire a local 'mom and pop' IT company. Have them sign something to say they won't share or use the password without authorisation from you, then have them do a house call and do the above.

    Long-term solutions to stop this happening again (other than the obvious) could be:
    - Get a router at his premises that makes the VPN connection. Draytek make cheap ones that are pretty good.
    - Install full TeamViewer with the option for unattended access, so you can log in to his machine even when it's sitting at the Welcome Screen.
    - If using the Windows VPN connection, tick the box to allow all users to use the VPN connection. He will then be able to connect to the VPN from the Welcome Screen.
