Mobile User Account

Discussion in 'Windows 7 / 8 /10 Client Exams' started by Stoney, Nov 11, 2006.

  1. Stoney

    Stoney Megabyte Poster

    Hello,

    Here's something that's been puzzling me and I'm not too sure of the correct solution. I was hoping someone could point me in the right direction.

    Scenario: A user called Dave (for example) has a laptop and works 50% of the time in the company office and 50% of the time at various clients' sites.

    When Dave is in the office he needs to connect to the domain to be able to access network resources.

    When Dave is at a client's site, he plugs into their LAN and then connects to the office using a VPN connection so he can retrieve email and files etc.

    Question: What is the best way to configure the user accounts on Dave's laptop?

    I would have thought that there would be a way to give Dave one account that can do all of this. The problem being that when Dave is in the office he gets his log on authenticated by the DC. When he's not in the office he can't get authenticated by the DC because he needs to be logged on and using the VPN connection, in order to connect to the domain.

    If Dave has 2 separate accounts, this would create inconsistency between data on each account and would be a PIA switching between accounts to find files.

    Would copying the user profiles of the 2 accounts to one account work? I'm not sure of the best solution for this! :blink

    Cheers,

    Paul
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    If the security policy allows, once Dave has logged on to the laptop whilst attached to the domain he should be able to log on again away from the network using a cached profile. (May take a few logons / logoffs to cache it properly though.)

    Alternatively you could create two separate accounts, one for the LAN and one for away, and create a single folder locally on the laptop for him to store data which is accessible from both accounts. You could then run a script to back up that data to the network when it is available.
     
  3. Stoney

    Stoney Megabyte Poster

    Hey thanks Simon, I didn't know that the logon would work with a cached profile.

    What if Dave had 2 accounts set up already (1 for LAN and 1 away) and you wanted to consolidate those into one account and preserve the files and settings? Is that possible? Just thinking hypothetically here! :biggrin

    Cheers
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  4. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    You could try merging the two Profiles folders together into one? But I'd not be too confident of that working.

    Otherwise I'd suggest doing it manually! 8)
     
  5. Stoney

    Stoney Megabyte Poster

    Ok cheers, thanks for your help. :biggrin
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  6. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I think it would be best to configure a user account in Active Directory but don’t make the user profile roaming.

    Roaming profiles are handy when users are not sitting at the same PC day in day out but with laptop users I find they don’t work too well. If the user logs in when the laptop is offline you get a “your roaming profile could not be updated” error message which always gets a few phone calls to tech support.

    As SGUK has mentioned the user would have a cached profile so there is no need to contact the DC. You *can* configure a security policy for a PC not to logon unless it can contact the DC if required. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  7. Stoney

    Stoney Megabyte Poster

    Hey Sparky, thanks for the feedback. I didn't think roaming profiles would work either. If Dave's been in the office all week then goes to see a client and can't connect back to the network (for whatever reason), he won't have an up to date version of files on his PC. Cue phone call and moan to technical support! :dry

    Another issue this has thrown up that I didn't take into consideration. What if Dave needs to add/remove programs and do general administrative stuff to his laptop whilst he's away. Say his AD account is a bog standard user, he wouldn't have administrative rights to tinker with his laptop?

    Would I need to create an OU in AD and give Dave some admin rights, or perhaps edit the group policies on the laptop?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  8. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    The best bet would be for you to connect remotely to the laptop and then use the ‘run as’ feature to install software as administrator. I think if you hold down the shift key and right click on add\remove programmes then you are prompted for user credentials. You could then enter the admin username and password and then install software as required.

    In regard to group policy, if it's configured on the DC then it will be cached on the laptop. You won't be able to change this unless the laptop logs onto the domain and picks up a new policy that will allow ‘dave’ to install software. To get around this you could log onto the laptop with a local admin account which would bypass the domain group policy. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  9. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Um, can't you make him a local admin whilst still keeping his normal AD credentials? Then he can install all the software he wants on his laptop.
     
    Certifications: A+, Network+
    WIP: 70-270
  10. Stoney

    Stoney Megabyte Poster

    Hey Baba,

    Would that involve adding Dave's AD account to be a member of the local administrators Group on the laptop, or creating a new local admin account for Dave just for 'administration' purposes?

    I was hoping for a solution where Dave has only 1 account (local or domain) that covers all bases.

    Sparky: I've done that at work before (added programs using 'run as' on domain user accounts) and it's caused problems. The users have been unable to use the software that's been installed due to them not having the same privileges as the account that installed it. Not sure why that should happen?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  11. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    I'm not sure as I've not got my hands too dirty with AD yet. What I do know is that we have normal domain privileges but are also local admins so we can install/uninstall what we like on our own PCs.
     
    Certifications: A+, Network+
    WIP: 70-270
  12. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I didn’t say make ‘Dave’ a local admin, I meant you could log on as a local admin to install software.

    In regard to installing software as an administrator and then a ‘user’ cannot run the software this is a common problem. I’ve managed to get around this in some cases by opening the registry and then giving the ‘all users’ group full permissions to whatever folders have been added by the new application. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  13. Stoney

    Stoney Megabyte Poster

    Yes you're right, you didn't. Baba did! :biggrin
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  14. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    The reason some software doesn't work properly, is that that software has not been written to properly take into account XP's registry and other file and folder permissions. That is why so many people get frustrated and make the domain user account a member of the local admins group. This does fix this issue but it also opens up the box from a security perspective. Hence it is not recommended practice even though it is a common one.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
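
Added example, not part of any post in the thread: a read-only PowerShell check of the two settings the replies turn on, the cached-logon policy Sparky mentions and domain accounts sitting in the laptop's local Administrators group, which Bluerinse notes is common but not recommended. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only checks, run on the laptop in
# Windows PowerShell 5.1+. Function names are hypothetical.

function Get-CachedLogonSetting {
    # "Interactive logon: Number of previous logons to cache" is stored as a
    # string value named CachedLogonsCount; 0 means a DC must be reachable.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $explicit = $null -ne $raw
    if (-not $explicit) { $raw = '10' }   # assumption: Windows default when unset
    [pscustomobject]@{
        CachedLogonsCount    = [int]$raw
        ExplicitlyConfigured = $explicit
        OfflineLogonPossible = ([int]$raw -gt 0)
    }
}

function Get-NonLocalAdministrator {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this
    # works regardless of the display language of the group name.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }
    # Keep only principals that do not originate from the local account database.
    $members |
        Where-Object { $_.PrincipalSource -ne 'Local' } |
        Select-Object Name, ObjectClass, PrincipalSource,
            @{ Name = 'Review'; Expression = {
                if ($_.ObjectClass -eq 'User') { 'individual account with admin rights' }
                else { 'group: check its membership in the directory' }
            } }
}

Get-CachedLogonSetting | Format-List
Get-NonLocalAdministrator | Format-Table -AutoSize
```

A `CachedLogonsCount` of 0 explains a laptop that refuses logon off the network; any `User` row in the second table is an individual domain account holding full local admin rights on that machine.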
