Windows Domain

I've been posed a question by someone which caught me off guard: is it possible to authenticate with AD remotely, without VPNs and all?

This is because we have remote workers and sometimes there have been cases where their password expires and then they have two passwords as the machine is off domain.

Comments

  • In effect, no. Not that I'm aware of to be honest.

    We have elements of our domain in the DMZ so people can remote in and VPN connect in over their network but there is no real way (built in) that I'm aware of AD being able to communicate back to its DCs if you're off the network. There may be some sort of software that you can purchase but we're in the same situation and have been for years with people having laptops on the domain. When you don't put the laptop on the network within 30 days your passwords are out of sync and you have to use the cached details on the laptop. The only way we fix this is by getting the laptop in locally once every 30 days or so to keep it up to date.

  • You could just remove remote devices from the network, and require the remote staff to access your network with remote desktop services, or Citrix desktop.

  • Windows DirectAccess is the Windows feature that should address this need. It is a special VPN that is opened before the user authentication. The DirectAccess client is built-in from Windows 7 onwards, the server side is a Windows server role. I tried it when it first came out (Windows 2008R2) and it didn't work properly back then. This should have been addressed on Windows 2012 and 2016, but I haven't tried again.

  • @pcan

    Thanks for that, looking into implementing this soon in a test domain to see if it works well.

    Will come back if I get it working, looks fairly straightforward from the documentation Microsoft has up.
