On Wed, 28 Mar 2012, Ryan Frantz wrote:

----- Original Message -----
From: "Edward Ned Harvey" <[email protected]>

Assuming the user is able to get on a wired internet, or you have the
wifi driver that allows them to join wifi before Windows logon... You
can remote control their computer, log in as yourself (or a local admin
account), connect the VPN, and cache the user credentials. (The way I
like to cache the credentials is to use "Run As" on a shortcut to
CMD.) After that, the user will be able to log in as themselves.

We've tested a scenario using a dedicated, cached "recovery" account (with
restricted privileges) on the laptops. That account information can be
shared with the telecommuter to get logged in, automatically start the VPN
connection, and take corrective action from there.

One thing along these lines: Hitachi-ID sells a product, Privileged Access Manager, that has the ability to randomize the admin password and then reveal it on demand.

They have two modes of operation for this.

1. For continuously connected systems (many flavors), the servers reach out and change the passwords on a schedule.

2. For Windows systems with intermittent connectivity, there is an agent that runs on the Windows system, and when it can reach the admin servers, it pulls down password updates.

If you have any ability to have people get any sort of connectivity, this sort of thing with a self-service website could be used to manage the recovery and admin passwords on the laptop.

You may want to make a special account that is only allowed to log in and access the VPN, but not actually do anything else on the laptop. This would be enough for you to get at the laptop remotely to fix it or re-sync a password to it.

David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/