Possible to apply DirectAccess Client (GPO) settings remotely?

  • Question

  • Hi guys,

    My situation is that we implemented DirectAccess within the company, but we have about 20 employees who are travelling the whole year and do not come back into the office on a regular basis. (At the moment they use a Citrix Access to connect to work resources.)

    These guys already have a notebook with our company image which is already domain joined. Now I would love to apply the DirectAccess configuration on those devices without them having to come back into the office for this. Is this possible?
    What I already thought about, but did not try yet:

    - Maybe it's possible to use Offline Domain Join including the DA settings even though these clients are already domain joined? I already tested offline domain with DA settings in the past and it works great, but what happens if a client is already domain joined?

    - Is there a chance to export the necessary registry settings and ask the user to import it? (I guess it won't work as they don't have local admin rights?)

    Any other idea how I can handle this?

    PS: There is no other VPN solution in place which we can use to connect the machine to the internal network temporarily to get the GPOs...

    Thanks a lot!
    Best Regards,

    Friday, July 1, 2016 9:10 AM

All replies

  • Hi,

    I don't think the Djoin.exe would work without local admin rights anyway.

    Personally I would build a number of new machines that are already configured with DA and send them to the remote worker. As long as they use a wired connection then they could login without cached credentials.

    Then the users can send back their laptops and they can be added to the DA config and sent to the next batch of users.


    Regards, Rmknight

    • Proposed as answer by BenoitSMVP Monday, August 1, 2016 7:47 AM
    Friday, July 1, 2016 9:37 AM
  • Hi,

    I confirm, DJOIN would not work without local admin rights. But you can add VPN to the RemoteAccess role and publish a CMAK VPN profile to your users. That solves the problem for VPN access.

    GPO won't apply at the first VPN session but it may be possible to flush local logon tickets and get new logon tickets including new group membership. Once you have that, if your users are connected long enough (between 90/120 minutes), the GPO refresh process will download new applicable GPO (including your DirectAccess GPO).

    BenoitS - Simple by Design

    Monday, August 1, 2016 7:53 AM
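
One way to carry out the ticket flush and policy refresh described in the last reply, as an added PowerShell example (not posted by anyone in the thread). It assumes an elevated session on the client while the VPN is connected, and that the computer account has already been added to the DirectAccess client security group.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes the VPN session is connected and the
# computer account was already added to the DirectAccess client security group.

# 1. Purge the Kerberos tickets of the LocalSystem logon session (LUID 0x3e7).
#    The computer then requests new tickets that carry its current group membership.
klist.exe -li 0x3e7 purge | Out-Null
if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

# 2. Refresh computer policy now rather than waiting for the background refresh.
gpupdate.exe /target:computer /force | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpupdate failed with exit code $LASTEXITCODE" }

# 3. The DirectAccess client GPO delivers Name Resolution Policy Table rules.
#    If none arrived, the GPO was not applied (check membership and filtering).
$nrpt = @(Get-DnsClientNrptPolicy -Effective)
if ($nrpt.Count -eq 0) {
    Write-Warning 'No NRPT rules present: DirectAccess GPO has not applied yet.'
    gpresult.exe /r /scope:computer      # lists applied and filtered-out GPOs
    exit 1
}
$nrpt | Format-Table Namespace, DirectAccessEnabled, DirectAccessDnsServers -AutoSize

# 4. Ask the DirectAccess client for its own view of the connection.
try {
    Get-DAConnectionStatus -ErrorAction Stop | Format-List Status, Substatus
} catch {
    Write-Warning "DirectAccess status not available: $($_.Exception.Message)"
}
```

Because the script needs elevation, it has to be run by an administrator or a management agent rather than by the travelling user.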