
Limitations of non domain computers using VPN?

Status
Not open for further replies.

segil

IS-IT--Management
Jul 9, 2003
91
NL
Hello,

strange title, but hopefully it's a bit clear what my question is:
What are the limitations if a user logs onto a Windows 2000 using VPN, while his/her computer isn't part of the domain?

Situation: we have a number of home workers and foreign employees who log onto our w2k domain using a VPN connection. Their computers aren't part of our domain (on purpose, because it's their home computer). The logon process works and they're authenticated, but the login script (kix32) isn't working very well:
1. In order to verify whether the user gets access to a network mapping, a check is done by looking at the group membership in kix32 (IF INGROUP("Group")=1 USE M: "\\$fs1\directory")
This doesn't work for the non-domain computers

2. To solve this problem I've created a batch file with all the drive mappings, which can be run by the VPN user to obtain all his mappings. For some reason some mappings are created, others aren't.

So it seems using a computer that's not part of a domain creates some problems... any idea how to work around this, besides making the computer part of the domain? I can imagine that you don't want to make every home computer part of your domain just so the user can log on. To be perfectly clear, the users log on with the domain user account.

All help is appreciated.
 
Have you considered using Terminal Services? Once they have VPN'd in they can then set up a remote desktop connection.
 
That's a good idea... but I don't think my boss wants to spend lots of money on Terminal Services.

Do you think most companies use some kind of remote control program for their VPN users to be able to work from home?
 
Remote control over even a half decent broadband connection will be unacceptably slow. Plus it will mean having to leave PCs on all the time and there will be no central point of administration.

I suspect what you may need is a broader change of policy with regard to remote users if they don't want to go down the thin client route (this is about £60 per licence). Ideally you don't want computers that don't match the company spec tunnelling in as it is a massive security risk so maybe say "if you want to VPN in it has to be a PC built by us to our spec" - then it will be joined to the domain anyway.

Also does the script you mention in your first post check that the user is in a particular group or does it check the computer is in a particular group?
 
Yes, I know it's a security risk and we tell the users what software to install on their computers (anti spam, anti virus), but still it's a problem. But the boss thinks this will be no problem, so...

The kix32 script checks for user group membership. I think what goes wrong is that the local user on the home computer isn't a domain user, so this user can't be validated for group membership. When the user logs on with VPN, he/she uses his domain user account for the logon, but this account is only used for the logon process, not for the rest of the authentication with the other servers... Is this correct? Maybe a Radius server will solve this problem, what do you think? I've got no experience with Radius.
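Added example for the batch-file workaround from point 2 of the question and the token theory above; this is not the poster's script. It assumes placeholder names (domain CORP, server fs1, shares "directory" and "shared"): the SMB session to the file server is authenticated once with the domain account (password prompted, never stored in the file), every drive letter then reuses that session, and each mapping is checked and logged so a partial failure is visible rather than silent.

```batch
@echo off
rem Added example, not the original poster's batch file.
rem Assumed placeholders: domain CORP, file server fs1, shares "directory" and "shared".
rem A non-domain PC only holds a local token, so one SMB session to the server is
rem opened with the domain account; later drive mappings reuse that session.
setlocal EnableExtensions
set "DOMAIN=CORP"
set "SERVER=fs1"
set "LOG=%TEMP%\vpnmap.log"

echo %DATE% %TIME% mapping drives as %DOMAIN%\%USERNAME%>"%LOG%"

rem One authenticated session per server; "*" prompts for the password
rem instead of keeping it in this file. Non-persistent so nothing survives logoff.
net use \\%SERVER%\IPC$ /user:%DOMAIN%\%USERNAME% * /persistent:no
if errorlevel 1 (
    echo Could not authenticate to \\%SERVER% as %DOMAIN%\%USERNAME%>>"%LOG%"
    type "%LOG%"
    exit /b 1
)

call :map M: \\%SERVER%\directory
call :map S: \\%SERVER%\shared
type "%LOG%"
exit /b 0

:map
rem %1 = drive letter, %2 = UNC path. Remove a stale mapping first so
rem "local device name is already in use" does not hide the real failure reason.
net use %1 /delete /y >nul 2>&1
net use %1 %2 /persistent:no >nul
if errorlevel 1 (
    echo FAILED %1 -^> %2>>"%LOG%"
) else (
    echo OK     %1 -^> %2>>"%LOG%"
)
goto :eof
```

The log in %TEMP%\vpnmap.log shows exactly which mappings succeeded or failed, which is the information missing when "some mappings are created, others aren't".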
 
Bit of a tricky one there? I don't know anything about Radius I'm afraid so the only thing I could suggest would be to have a logon script for VPN users that maps network drives without checking to see what AD group they're in. However I appreciate this is a bit of a cop out! Ed
 