Join computers in a domain over VPN (how-to)

In these COVID-19 times, a lot of us have to work from home, or at least work remotely on the sites we admin.

Setting up a new computer for the user's domain from a home office can be challenging.

Windows 10 does allow you to join a domain over VPN, but after you restart the machine, you can't join the VPN before you log in, as needed to contact the DC for the first-time login.

So here’s how.

On your VPN server, or the firewall on the site, you need to make a user account that mirrors the login of the AD user you want to store credentials for.

If you're using a Meraki MX firewall like me, it only allows you to use email addresses when making guest accounts for VPN clients, so in this case you can use

"[email protected]" instead of
"domain\username".

Then you need to set the password for the VPN the same as the user's password, so if it's a pre-existing user, and not a new user you're setting up with a temporary starter password, just tell them and let them set it back afterwards.

When setting up the machine, go to Control Panel → Network and Sharing Center and "Set up a new connection". Do NOT use the VPN settings menu, as this will not allow you to log in with this VPN connection.

Pick "Connect to a workplace" *or something similar*.

This menu will only allow you to enter the public IP of the firewall or VPN server and name the connection, so after it's made you're going to have to find the VPN connection under "Change adapter settings" and configure it from there with the right protocol, pre-shared key, etc.

When you're finished, open VPN settings and connect. It will ask for a username/password; enter "[email protected]" and the password you set (should be the same as in the domain).

You can now add the computer to the domain and restart the computer.

It’s when the pc reboots the magic happens.

Now, if you did this correctly, you will have a new icon next to network connections before login, and if you click it, you can sign in with VPN.

Now, if the credentials for the VPN match the login to the domain, you can log in like this and the user's credentials get stored. You can use the same VPN to do the rest of your setup, and the PC is ready for delivery.

Or…

You reboot, sign in as local admin, connect to VPN, click switch user, and sign in as domain user. No sweat.
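The same procedure scripted in Windows PowerShell 5.1, added here as an illustration (it is not OP's own steps or any vendor's tooling). Server address, pre-shared key, account names and domain are placeholders; the authentication method must be whatever your VPN server expects. The `-AllUserConnection` switch is the scripted counterpart of creating the connection through the Control Panel wizard rather than the Settings app: it writes a machine-wide profile, which is what makes the connection selectable on the logon screen after the reboot.

```powershell
# Added example, not OP's code. Run in an elevated Windows PowerShell 5.1
# session on the machine being set up (Add-Computer is not in PowerShell 7).
# Every value below is a placeholder for this illustration.
$connName   = 'SiteVPN'
$vpnServer  = 'vpn.example.invalid'   # placeholder: public IP/FQDN of the firewall or VPN server
$psk        = 'REPLACE_WITH_PSK'      # placeholder pre-shared key
$domainName = 'corp.example.invalid'  # placeholder AD domain name
$vpnUser    = 'jdoe@corp.example.invalid'  # placeholder VPN account mirroring the AD user

# Step 1: create the VPN profile for ALL users (-AllUserConnection).
# A per-user profile, which the Settings app creates, does not exist before
# anyone has signed in, so it can never show up on the logon screen.
# -AuthenticationMethod must match the server (Pap, Chap, MSChapv2 or Eap).
Add-VpnConnection -Name $connName -ServerAddress $vpnServer `
    -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -AllUserConnection -RememberCredential -Force

# Sanity check: the profile must be listed in the all-user (system) phonebook.
$profile = Get-VpnConnection -Name $connName -AllUserConnection
if (-not $profile) { throw "VPN profile '$connName' was not created as an all-user connection" }

# Step 2: dial the tunnel now. The trailing '*' makes rasdial prompt for the
# password instead of putting it on the command line, where it would be
# visible in process listings and shell history.
rasdial $connName $vpnUser *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# Step 3: confirm a domain controller is reachable through the tunnel before
# attempting the join (LDAP, TCP/389). DNS must resolve the domain name via VPN.
$dc = Test-NetConnection -ComputerName $domainName -Port 389
if (-not $dc.TcpTestSucceeded) { throw "No DC reachable on $domainName:389 over the VPN" }

# Step 4: join the domain with an account allowed to create computer objects,
# then reboot. After the reboot the all-user VPN profile is offered on the
# logon screen, and the first domain logon can reach the DC through it.
$joinCred = Get-Credential -Message "Account with rights to join $domainName"
Add-Computer -DomainName $domainName -Credential $joinCred -Restart
```

Two points worth keeping in mind with this script. `-RememberCredential` caches the VPN password in the machine-wide profile, and the OP's approach means that password is also the user's AD password, so a dedicated VPN-only account with no domain logon rights (as one of the replies below describes) limits what a stolen cached credential is worth; whichever account is used, have the user change the password once the first domain logon has cached their credentials. The `Test-NetConnection` check before `Add-Computer` is there because the most common join failure over VPN is DNS: if the domain name does not resolve through the tunnel, the join fails with an error that looks like a credential problem rather than a connectivity one.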

Congrats this is 100% only applicable to your environment.

The comments here are why I rarely if ever post here.

Why don’t you just tick “Allow other users to use this VPN” when you create the VPN, then it’s available on the Windows logon screen. You can login as any domain user, it connects to VPN and in you go.

LOL Meraki.

Over here I just install the OpenVPN background service and set it to start at system boot. Works a treat!

I'm working on something similar, but in a different environment. I'm on Palo Alto with GlobalProtect and a few HIP checks (like AV, BitLocker, updates). So we probably will log in as the local admin, install and connect to VPN using a specific user to join the domain, and have some specific rules in place to allow the install of said tools, updates, BitLocker config (a concoction of GPO and PDQ Deploy).

Just did a bunch yesterday on Sonicwall with the Global VPN Client. You join the VPN, add PC to domain, switch user (so the VPN stays active) then login as domain user.

Easy peasy.

I am using Sophos SSL VPN; I just set the VPN to connect at boot time, before login. I set it to log in with an account that has no rights, is forbidden to log on to any domain machines, and cannot run any software. The users then just log in with their normal domain creds. I have joined PCs to the domain after setting them up like this and it works fine. I can see no difference from a user's perspective; it behaves as if they were sitting at their normal PC in the office.

Or…

(if Switch user is disabled)

Reboot, sign in as local admin, connect to VPN and run any application using “Run as a different user”. Have that user sign in and then log out.

Always the preferred method. I believe this has worked with every SSL VPN I've tried. For the unfortunate few (diaf Meraki) who use an IPsec/L2TP client VPN, I don't think it does.

That implies the machine is already on the domain. Although in your scenario I’d prefer to do a run as the domain user on the local admin account.

If you run IE as the domain user it caches the credentials.

A regular user account can be enough, at least in my experience with Fortigate. I always bake in a normal user account for that specific purpose, so I don’t need to give the local admin.

Unless you are remote from this PC and the end user doesn’t have the password for the local admin (which they shouldn’t).

fucking this. hahahaha

You reboot, sign in as local admin, connect to VPN, click switch user, and sign in as domain user. No sweat.

That's what I've always done.

Didn't realize you kept the VPN if you just switched user; I guess I only tried logging out, which makes you lose the connection.

I imagine this will help 3 people… who also work at the same company as OP. This is like a KB to share with your colleagues, not Reddit.

Unless you are running TeamViewer.

*Insert shock and horror*

Used this guide a while ago, same concept just with TeamViewer’s VPN service.

This is 100% applicable to any environment where you are remote from the site and you can VPN your way in.