When you are off the domain you have a couple of options: leave the laptop in workgroup mode and use RWW to get back to a desktop, or log in with cached credentials. Most servers, by default, allow laptops (or any other domain device) that aren’t physically attached to the domain, or can’t see a domain controller, to log on to a ‘phantom’ domain. The profile is still there, offline files are still there, and so on.

I’ll write more on this, but the bottom line is that a laptop not being tethered to a domain is not a big deal these days in a mobile workplace.

More about cached credentials here: http://support.microsoft.com/kb/913485
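An added PowerShell check, not part of the original post, that shows the defender’s side of the same picture: how many domain logons this machine will cache (the CachedLogonsCount Winlogon value described in the KB article linked above; a missing value means the default) and which accounts have actually signed in with cached credentials recently (event 4624, logon type 11 “CachedInteractive”). It assumes an elevated session, since reading the Security log needs admin rights; the function names are my own.

```powershell
# Added example: audit the cached-logon cap and who has used it.
# Assumes an elevated PowerShell session (Security log needs admin rights).

function Get-CachedLogonPolicy {
    # Winlogon stores the cap as the REG_SZ value CachedLogonsCount; when the
    # value is absent Windows uses its default of 10 (see KB 913485).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $count  = 10
        $source = 'default (value absent)'
    } else {
        $count  = [int]$item.CachedLogonsCount
        $source = 'registry'
    }
    [pscustomobject]@{
        CachedLogonsCount   = $count
        OfflineLogonAllowed = ($count -gt 0)   # 0 disables offline domain logon entirely
        Source              = $source
    }
}

function Get-CachedInteractiveLogons {
    param([int]$Days = 30)
    # Event 4624 with LogonType 11 (CachedInteractive) means the logon was
    # validated against the local credential cache, not a domain controller.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so we match on field names, not positional indexes.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '11') {
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            }
        }
    } | Sort-Object Time -Descending
}

# Usage: compare the configured cap with what is actually being used offline.
$policy = Get-CachedLogonPolicy
$policy | Format-List
if (-not $policy.OfflineLogonAllowed) {
    Write-Warning 'Cached logons are disabled; this laptop cannot sign in off the domain.'
}
Get-CachedInteractiveLogons -Days 30 |
    Group-Object User | Select-Object Name, Count | Format-Table -AutoSize
```

A laptop that never shows a type-11 logon yet is expected to roam is worth a second look, since the first offline logon is usually where a too-low cap or a stale cached password bites.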

2 Thoughts on “Off the domain….”

  1. A common source of confusion with cached credentials is that, by default, Windows will cache the last 10 users that logged in to the system, not the last 10 passwords for a user. Windows only stores a hash of the last successful password used by a user.

    Another common source of confusion is that if the laptop isn’t connected to the network containing the domain controllers, but the user had changed their password on the domain controller (i.e. by using the IISADMPWD Web application), then the laptop will still be using the old password. Obvious really, but I frequently get Help Desk calls on this point.

    Finally, don’t rely on the fact that you can always log in using cached credentials. I’ve seen a couple of instances where the laptop won’t log in using any previous or existing passwords. Make sure you are able to log in via a VPN connection back to the domain controller to be able to resolve this (somewhat rare) problem.

  2. For most portable computer applications, I use the rule of thumb that goes: “If the computer is Customer-owned, it will be a domain member and users will log on w/ their cached credentials and the local copy of their roaming profile.” Some AD slicing and dicing and the creation of a GPO or two later, and you’ve got laptop computers either sequestered into an OU by themselves or made members of a security group arbitrating (“filtering”) access to apply some “portable computer settings”, and you’re in business.

    Where things get cloudy for me are portable or off-site computers that don’t get to process startup scripts and the other parts of computer group policy that only apply synchronously on boot. It’s one thing if the computer is going to get plugged into a LAN connection (or associated with an access point on that LAN) and booted in the presence of a domain controller, even if that’s only every so often. It’s another thing if that computer’s never going to get to boot and apply synchronous computer policy settings because the user has to log on and “start the VPN” first.

    If a computer isn’t going to get to participate in synchronous computer policy application, I’m a lot more apt to use it as a “terminal” to access a computer that is “fully managed”. (Yes, yes, I know that you can use the CMAK to make the computer run a “post-connection action”, but it’s not the same thing, particularly since, if I recall properly, it runs in the user’s context and not in SYSTEM…)
