AD Domain with roaming laptops - connect or leave separate


Every Windows machine in your company should always be part of the domain.

You don't need to worry so much about WSUS not being accessible. Updates are obviously important, but very few updates are so critical that you can't wait a few days or more to install them. Most companies install updates on a few machines locally to see if they cause issues over a period of time. They might wait a week or more before they roll updates out to all of their machines. If an update is so critical that you feel it HAS to be installed ASAP, users should VPN in. MS provides VPN software built into Windows Server.

As for your AV, something doesn't sound right. All modern AV suites allow updating via the internet for remote users who aren't directly connected to the internal network or VPN'ed in. Check your AV documentation, or call support to get help getting this enabled. If for some reason you have some AV software that does not support this feature, you should replace it with one that does. If that is not a possibility, again, VPN is a simple solution to this problem.

As for caching logins, users only need to log into a laptop once while on the network. There is no reason why their laptops would become "bricks." It sounds like something else is wrong here. Are the users sharing a pool of laptops? Perhaps they are grabbing laptops they have never logged into before. Again, having a VPN set up alleviates all these issues.
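The answer above turns on whether a domain user has a cached logon on the laptop they pick up. The following PowerShell script is an added example (not part of the answer or the original post) that reports the two things an admin would check before handing a pooled laptop to a traveller: whether the machine is domain-joined and how many previous logons it will cache (the `CachedLogonsCount` value under `Winlogon`, which is what the policy "Interactive logon: Number of previous logons to cache" sets), plus which user profiles already exist on the machine as a hint of who has signed in before. The default of 10 assumed for a missing value is the Windows default; the function name is my own.

```powershell
# Added example, not from the original post: report whether a domain
# laptop can authenticate a user while away from the network.
#
# CachedLogonsCount (REG_SZ under Winlogon) is the value behind the policy
# "Interactive logon: Number of previous logons to cache". When the value
# is absent, Windows uses its default of 10; 0 disables offline logon.

function Get-OfflineLogonReadiness {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    # Missing value means the OS default (10) is in effect.
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    # Existing profiles show who has signed in here before. A profile does
    # not guarantee the cached credential is still present: Windows keeps
    # only the most recent $count logons, so older entries get evicted.
    $profiles = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
            # Translating a domain SID needs a domain controller; offline we
            # fall back to showing the SID itself.
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $_.SID }
            [pscustomobject]@{
                Account     = $name
                LastUseTime = $_.LastUseTime
                ProfilePath = $_.LocalPath
            }
        }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $cs.Domain
        CachedLogonsCount  = $count
        OfflineLogonOK     = ($cs.PartOfDomain -and $count -gt 0)
        ProfilesPresent    = $profiles
    }
}

$report = Get-OfflineLogonReadiness
$report | Select-Object ComputerName, PartOfDomain, Domain, CachedLogonsCount, OfflineLogonOK |
    Format-List
"Users with a profile on this laptop (candidates for an existing cached logon):"
$report.ProfilesPresent | Sort-Object LastUseTime -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt on the laptop itself; `OfflineLogonOK` being false means no domain user, cached or not, can sign in off-network, and a traveller whose account is not in the profile list should be asked to log on once while still in the office. Raising `CachedLogonsCount` beyond the default trades a larger set of offline-usable hashes on a portable device for convenience, so it is worth deciding the number deliberately rather than leaving it to chance.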


Author by Matt

Updated on September 18, 2022

Comments

  • Matt
    Matt over 1 year

    What do you do when you have a pool of laptops that are given to staff when they travel? I work for a travel agency where we will send a staff member or two away on a tour with a group of people, and they need to continue to connect back to the office, clear emails etc.

    What I want to know is this: Is it normal to connect these laptops to the AD domain as well, or would you leave them off the domain as standalone workstations?

    FWIW, this is a SBS2011 Standard network, with around 25 staff and 8-10 laptops. It's not feasible to give each user one laptop.

    As I see it, these are the pros/cons.

    Connect the laptops to the domain (the pros/cons are more or less opposite for 'not connecting the laptops to the domain'):

    • Pro: Better security (GPOs applied, problem areas locked down, firewall rules set up appropriately, etc.)
    • Pro: Staff log in with one account, and don't need a separate 'Laptop User' account whose password they need to remember
    • Con: WSUS won't work (see above reason)
    • Con: Integrated AV doesn't work (AV updates require a connection back to the AV server which isn't accessible to the world) so it will scan, but not with the most up-to-date definitions. Given some people are away for a month or two at a time, that's not a great look
    • Con: Staff have to remember to logon to the domain at least once before they leave while in the office, as the laptop needs to cache their logon. If they don't do this, the laptop is a brick, unless I give them the local admin account

    Anything else I'm not thinking of?

  • Matt
    Matt over 11 years
    We haven't used the VPN software built into SBS 2011 as yet, as it's an extra thing to investigate, watch for security advisories on, etc. However, if it proves to be useful then it's worthwhile setting up. We are using ESET for AV; I'm sure there is an ability to update over the internet, I will just have to look for it. A non-issue. I'm fairly sure a cached login expires after a while, no? The laptops are for teams, so anyone might grab any laptop (as mentioned). Finally, I'm not sure how you can create a VPN connection without logging in, which you can't do until you have a VPN connection?
  • Keltari
    Keltari over 11 years
    Windows allows you to log in with the VPN connection.
  • Matt
    Matt over 11 years
    Thanks - I'll have to look into that. Sounds like you've answered everything, thanks!