The laptops that are used in our office, connect through a domain that synchronizes with our main server for the user's email and personal files (mainly My Documents). We have ordered some new ones and need to have these accessible outside of work. I took one home the other night and tried to connect through the domain at the login screen and it would not allow me to. Is there an out of office setting that needs to be used for this scenario?

Any help would be appreciated.

1/31/2008 1:58:39 PM

At my work we just VPN from our home computer and remote desktop to whichever machine

1/31/2008 2:09:02 PM

Trust me, that won't work. These are for executives who literally can not remember how to search for a file in windows. Everything has to be done for them...

1/31/2008 2:18:08 PM

i only have a little bit of experience with setting up windows domains, but I dont think this will work.

The problems:

- Some ISPs block the ports needed for Windows networking

See: http://support.microsoft.com/kb/170998

- You could use VPN to get around that, but you said this adds an extra step and slight complication

- The users probably want to be able to access their laptop as "normal" even when they don't have an internet connection

1/31/2008 5:16:37 PM

I thought you could connect using the cached account even when the domain isn't available... not sure if that works for you. Is it a FQDN? We use a local internal domain that obviously isn't going to be able to be connected to from outside the local network. You've probably thought of these things but worth a shot

[Edited on January 31, 2008 at 5:18 PM. Reason : asdf]

1/31/2008 5:18:02 PM

Yea. If they log in once while connected to the domain on the lan their credentials will be cached. Then they can login while disconnected from the network.

However unless you feel like opening yourself up to some serious attacks, they will not be able to get to their files from outside your network unless they VPN in. You can probably setup routing and remote access and use the VPN client built into windows to do this automatically for them, buts its gonna be alot of reasearch and alot of work.

Email should be fine though as long as they're connecting to SMTP or IMAP. If they are connecting to something like Exchange or Notes unless you open the ports on your firewall (bad idea) they wont be able to connect without a VPN.

Outlook and Notes will both operate in Offline mode where they use a local mail file while disconnected. Also windows can make local replicas of network files using "offline files" or whatever its called. Once they reconnect to the network any emails they sent will get sent and any new emails would show up. I dont think anyone really likes this and if its a bunch of upper level management with no patience they will hate it and you.

Basically you need some kind of remote access setup (VPN) to do this properly. I'm pretty sure you can make XP automatically detect that its not on the domain and try to vpn in with a preset connection. This would probably be the most seemless option (and cheapest since you already own the client and server software). There are a number of other vpn client/server options out there to look at too.

You'll have to do the research to figure out what solution is the best for you and how to implement it.

1/31/2008 5:41:21 PM

where are the credentials cached?

1/31/2008 8:13:58 PM

just use VPN. the executives at my job have issues with simple computer things, but they know that if they want access to the network away from the office they have to get onto the VPN. tell them it is for security purposes and is the simplest solution. they'll adjust.

1/31/2008 8:29:35 PM

Quote :

"Yea. If they log in once while connected to the domain on the lan their credentials will be cached."

only if your group policy is set to allow this. I don't allow it on my domains.
vpn is simple enough that once they have it setup, they can just check the "use dialup connection" at the login screen and log directly into the domain using windows/domain credentials as the vpn credentials making the process transparent minus the checking of the box

2/1/2008 2:01:11 AM

yeah, vpn is really the only acceptable way to do this. it's not hard. the cisco vpn client integrates very well in windows.

2/1/2008 3:45:34 AM

Quote :

"only if your group policy is set to allow this. I don't allow it on my domains. vpn is simple enough that once they have it setup, they can just check the "use dialup connection" at the login screen and log directly into the domain using windows/domain credentials as the vpn credentials making the process transparent minus the checking of the box "

ding ding ding

2/1/2008 10:44:19 AM

or that

set up your DC to act as a VPN endpoint (RAS will do it)

and then set up the connection on the laptops and check the "use dialup connection" box like smoothcrim said

they won't notice a thing

2/1/2008 11:08:50 AM