Migrating VPN-connected computers

When performing an Active Directory migration, one of the often unexpected pitfalls is handling workstations that are only ever connected via VPN: they never come to an office, ever. What is the problem? When you join a workstation to a new domain, all the cached credentials are lost, so users cannot log in to the remote laptop or workstation again until it is connected to the office again. If you have someone using a satellite connection from a ship in the middle of the ocean, this can present quite a logistical challenge.

Of course, the workstation can still be accessed by logging in with the local administrative account, so all is not necessarily lost. However, this process is cumbersome for an end user to perform, and further, do you really want to give that password to Joe User so he can install whatever apps he wants?


What to do? Enter Dell Software Group’s (formerly known as Quest Software) Cached Credentials Utility. You won’t find this one in the marketing literature, as it is a Custom Development bit of software (if you don’t already know, what this means is that you pay extra for it). However, it is well worth the price!

What does the Cached Credentials Utility do? The current incarnation performs three steps: it will Resource Process your workstation, it will join your workstation to the target domain, and it will cache the target user credentials so that on reboot the user can log in without needing an active connection. Brilliant! The guy in the middle of Greenland doesn’t have to ship his laptop back by dogsled to be able to log in again!

You will need a VPN connection that allows NetBIOS connectivity for this to work, of course. But otherwise, you are done.


The problems with doing this? It still requires some work and user interaction. First, you have to get the service deployed to the workstation. If you have a good software deployment system, then you are done. If not, then you may be relying on the end user to load the service in the first place, which can take a fair amount of cajoling in some cases. Second, it does require end-user interaction: they get a popup asking for the target user name and password, and then have to watch as the workstation goes through the gyrations (a resource update run that can take 15 to 30 minutes, followed by two automatic reboots; yes, two). So it isn’t completely seamless. It is, however, a lot easier than managing it manually!