
Join AD, keep everything on local profile

hhvfxteam

I was just put on the spot from the higher ups at work and need to get a personal laptop on the network. To preface the rest of the post, I understand that this is horrible practice, I understand the risks, and I understand the concept of the horrors of personal PCs on company time. I get it, but it's a director and I need it done and I need some pointers to alleviate the horribleness. I have only been dealing with Windows Server for about two months, am not well-adjusted quite yet, and have never had formal education or training.

 

There are a few computers that need access to network drives and light GP that are running Windows 10 Home, and they need to retain ALL of the local data and profile settings. Will the standard Win10Home button for "connecting" in lieu of "join" do what I want? Any and all help is appreciated. Server is 2008 r2. 

 

This is probably really simple, but I want to be absolutely certain beforehand, due to sensitive documents, and I've never had to do this before so handle the noob gently, please. 

 

 


1 hour ago, hhvfxteam said:

I was just put on the spot from the higher ups at work and need to get a personal laptop on the network. To preface the rest of the post, I understand that this is horrible practice, I understand the risks, and I understand the concept of the horrors of personal PCs on company time. I get it, but it's a director and I need it done and I need some pointers to alleviate the horribleness. I have only been dealing with Windows Server for about two months, am not well-adjusted quite yet, and have never had formal education or training.

 

There are a few computers that need access to network drives and light GP that are running Windows 10 Home, and they need to retain ALL of the local data and profile settings. Will the standard Win10Home button for "connecting" in lieu of "join" do what I want? Any and all help is appreciated. Server is 2008 r2. 

 

This is probably really simple, but I want to be absolutely certain beforehand, due to sensitive documents, and I've never had to do this before so handle the noob gently, please. 

 

 

Sadly, with Windows 10 Home you can't join a domain. You would have to upgrade it to Windows 10 Pro first before you can join a domain. I would think, though, that if you tried to map the network drive / folder it should prompt for credentials to access it. Have them sign in with their network credentials, but you would have to put DOMAIN\Username.

 

It should work like that. I'm not really a network guy, but I see no problem, other than security, as to why it wouldn't work.
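The mapping BrendanReed describes, done from PowerShell on the non-domain-joined Windows 10 Home laptop, as an added example that is not from the thread. The server name FS01, domain CORP, share Projects and drive letter P are assumptions; the script insists on the DOMAIN\Username form, checks SMB reachability first, and keeps the password out of any script file.

```powershell
# Added example (not from the original post): map a share on a non-domain-joined
# Windows 10 Home machine using a domain account, prompting for DOMAIN\Username.
# Assumed names: server FS01, domain CORP, share \\FS01\Projects, drive letter P.

$Server = 'FS01'
$Share  = "\\$Server\Projects"
$Letter = 'P'

# Prompt interactively so the password never ends up in a script or history file.
$cred = Get-Credential -Message "Enter CORP\username for $Share"
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Use the DOMAIN\Username form, e.g. CORP\jdoe"
}

# Confirm the file server answers on SMB before trying to map anything.
if (-not (Test-NetConnection -ComputerName $Server -Port 445 -InformationLevel Quiet)) {
    throw "$Server is not reachable on TCP 445 (SMB)"
}

# Map the drive for the current Windows user and keep it across reboots.
# -Persist requires the Global scope to outlive this PowerShell session.
New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Share `
    -Credential $cred -Persist -Scope Global | Out-Null

# Optional: store the credential in Windows Credential Manager so the mapping
# reconnects at logon without prompting. It is bound to this local user profile.
$plain = $cred.GetNetworkCredential().Password
cmdkey /add:$Server /user:$($cred.UserName) /pass:$plain | Out-Null
Remove-Variable plain

Write-Host "Mapped ${Letter}: -> $Share as $($cred.UserName)"
```

The local profile is untouched: only a drive mapping and (optionally) a stored credential are added for the user who ran the script.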


5 minutes ago, BrendanReed said:

Sadly, with Windows 10 Home you can't join a domain. You would have to upgrade it to Windows 10 Pro first before you can join a domain. I would think, though, that if you tried to map the network drive / folder it should prompt for credentials to access it. Have them sign in with their network credentials, but you would have to put DOMAIN\Username.

 

It should work like that. I'm not really a network guy, but I see no problem, other than security, as to why it wouldn't work.

I believe he's talking about Server Essentials. It has a way to let Win10Home (Win7home, etc) computers connect to it without joining the domain. That's the "Connect" button he's referring to.

 

@hhvfxteam if what I said above is correct, then you should be safe in doing so. I don't remember off the top of my head what the limitations of that setup are, but I do know that it leaves the local account profile(s) intact.


1 minute ago, brwainer said:

I believe he's talking about Server Essentials. It has a way to let Win10Home (Win7home, etc) computers connect to it without joining the domain. That's the "Connect" button he's referring to.

 

@hhvfxteam if what I said above is correct, then you should be safe in doing so. I don't remember off the top of my head what the limitations of that setup are, but I do know that it leaves the local account profile(s) intact.

Haven't messed with Home too much, never saw a point in it because of the limitations. Didn't know that was an option.


Thanks, guys. While I would have liked the peace of mind, I have to make a decision in a few, so I will take one last look at it, decide, and update here.


14 minutes ago, brwainer said:

I believe he's talking about Server Essentials. It has a way to let Win10Home (Win7home, etc) computers connect to it without joining the domain. That's the "Connect" button he's referring to.

 

@hhvfxteam if what I said above is correct, then you should be safe in doing so. I don't remember off the top of my head what the limitations of that setup are, but I do know that it leaves the local account profile(s) intact.

Sorta.... The server itself is a 2008 R2 upgrade from a 2003 SBS server, I believe, but the option is there either way, if I'm not mistaken.


I believe there is a "connect to workplace" function in Windows used for BYOD and such. Here is a tutorial on it from HowToGeek: https://www.howtogeek.com/247900/how-to-add-a-work-or-school-account-to-windows-with-work-access/

 

Hope this helps. 

--EDIT--

Just thought I would add this. It's at the very bottom of the article.

Quote

To join a traditional Windows domain instead, if your organization provides one, select "Join or leave an organization" under Related Settings at the bottom of the Work Access pane. You'll be taken to the Settings > System > About pane where you can join your device to either a domain your organization hosts or a Microsoft Azure AD domain.

 


One possible idea is to set up a VPN and allow RDP to their company workstation from within the network. Full-screen RDP and they won't even know they're remote.


9 minutes ago, Mikensan said:

One possible idea is to set up a VPN and allow RDP to their company workstation from within the network. Full-screen RDP and they won't even know they're remote.

Ok, so this is a great idea, and while I had an extension into today to figure out our best option, I attempted this a few weeks ago with no luck, and to keep a long story short, our previous admin doesn't know anything about computers and overlapped about 130 (Now down to a still outrageous ~40) policies for a company of 65 users.... We haven't been here long enough to sort through everything yet for various reasons, but we are spread too thin to get it working properly at this moment with all of those problems and a Tolkien series of other related admin-caused issues.  


1 minute ago, hhvfxteam said:

Ok, so this is a great idea, and while I had an extension into today to figure out our best option, I attempted this a few weeks ago with no luck, and to keep a long story short, our previous admin doesn't know anything about computers and overlapped about 130 (Now down to a still outrageous ~40) policies for a company of 65 users.... We haven't been here long enough to sort through everything yet for various reasons, but we are spread too thin to get it working properly at this moment with all of those problems and a Tolkien series of other related admin-caused issues.  

A quick and dirty solution is something like LogMeIn / TeamViewer / Google Remote Desktop. Ideally your firewall (hopefully something more than ISP provided) supports VPN to some degree. After that you can just manually enable RDP.

 

I have a small network as well but I also try to separate out my GPOs (but not quite that many...) to help troubleshoot when a GPO might be conflicting with a workstation. We have to follow DISA STIG which complicates life ~_~.

 

Alternatively, if your firewall does not support VPN, you could set up a quick Linux box + OpenVPN.


1 hour ago, Mikensan said:

One possible idea is to set up a VPN and allow RDP to their company workstation from within the network. Full-screen RDP and they won't even know they're remote.

RDP, sure, but an unpatched 2008 R2 version is a security threat on port 3389, so keep that in mind. As long as it's patched with an update, sure, it's doable.


Just now, Nils3D said:

RDP, sure, but an unpatched 2008 R2 version is a security threat on port 3389, so keep that in mind. As long as it's patched with an update, sure, it's doable.

Hence the VPN, you're not exposing RDP to the internet.


21 hours ago, hhvfxteam said:

Ok, so this is a great idea, and while I had an extension into today to figure out our best option, I attempted this a few weeks ago with no luck, and to keep a long story short, our previous admin doesn't know anything about computers and overlapped about 130 (Now down to a still outrageous ~40) policies for a company of 65 users.... We haven't been here long enough to sort through everything yet for various reasons, but we are spread too thin to get it working properly at this moment with all of those problems and a Tolkien series of other related admin-caused issues.  

What about SoftEther? It allows NAT passthrough, so it could be a good solution for VPN if you want it quick and dirty. TeamViewer also supports VPN for free, but then you are using it commercially; SoftEther is free for both commercial and business use, including VPN Azure, I believe, which is what is used to pass it through the NAT via Microsoft servers.

20 hours ago, Mikensan said:

Hence the VPN, you're not exposing RDP to the internet.

Yep, exposing RDP on the internet is almost like a death sentence, especially if you are a company or business.
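Mikensan's VPN-then-RDP layout, with the warnings from Nils3D and Smoked about never exposing 3389 directly, as an added PowerShell example that is not from the thread. It enables Remote Desktop on the company workstation but scopes the built-in firewall rules to the VPN client subnet, requires Network Level Authentication, and then audits every inbound allow rule for TCP 3389 that still accepts connections from Any. The subnet 10.8.0.0/24 is a placeholder for whatever the VPN hands out; run it elevated.

```powershell
# Added example (not from the thread): enable RDP on a company workstation only
# for clients arriving over the VPN, and verify TCP 3389 is not open to "Any".
# Assumption: the VPN assigns addresses from 10.8.0.0/24 (placeholder subnet).

$VpnSubnet = '10.8.0.0/24'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Allow Remote Desktop connections and require Network Level Authentication,
#    so a client must authenticate before a full session is ever created.
Set-ItemProperty -Path $TsKey -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Value 1

# 2. Enable the built-in Remote Desktop rule group, but restrict its remote
#    address scope to the VPN subnet instead of the default "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $VpnSubnet

# 3. Audit: list every enabled inbound allow rule for TCP 3389 and flag any
#    whose remote scope is still "Any", i.e. not limited to the VPN.
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '3389'
    } |
    ForEach-Object {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    }

$open | Format-Table -AutoSize
$wide = $open | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($wide) {
    Write-Warning "RDP is allowed from Any by: $($wide.Rule -join ', ')"
} else {
    Write-Host "RDP is only reachable from $VpnSubnet"
}
```

The host firewall scope is a second line of defence; the perimeter firewall should still have no 3389 forward at all, so the only path to the workstation is through the VPN.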
