Windows 10 New Remote users can't log in

JeremyCHIllin

New Member
Joined
Jan 9, 2017
My team has to request all remote users' IDs and passwords to log in under their accounts before shipping them the PC. This is because their profile will not be on the machine when they get it and they will not be able to authenticate to the domain. We are hiring more and more remote people and need a solution to just ship them a freshly imaged machine without delaying because we need to log in as them first on the network.
 
You can use USMT to keep backups of their profiles, and when they get a new device you just load the USMT mig file and they should be able to log in.
 
Unless you're using some kind of VPN hardware, logging into the machine is the only way that I know of. By logging in, half of the domain password hash is stored locally on the machine for offline authentication. This is considered "good enough" by Microsoft for authentication without a DC available.
 
I just feel like there has to be a solution or workaround companies are doing for this. I assume lots of people log in with a temporary password and require the user to reset it once they receive it.
 
Allow your technicians to reset the password for the new user account and have the technicians set the account to require a password change. Then you can have the user call in to your HD and get the generic password; upon login, make them connect to the VPN to reset their password once they are connected to your company network.

Sent from Droid Turbo 2
 
Or share the password with their hiring manager and have them do a proper onboarding of a new employee... #ijs

Sent from Droid Turbo 2
 
Well, the problem in the OP's scenario is that the computers are being logged in to in a true remote scenario, meaning there's no way for the computer to contact a DC, so any password change will not be known to the computer. If they log in with the IT-set password, shut down the computer and then change the password, the old password would be cached on the machine, provided there are no GPOs set to disable this feature. The best solution IMO is implementing a hardware VPN solution such as Aruba RAPs that rely on computer certificates for authentication. In this case the computer should be able to reach the DC just fine and this type of issue would be avoided.
 
I must have missed typing the part where they'll connect to the VPN at login time with the password set by the tech. However, if they don't have the RAPs, then with a VPN solution that is set as a credential provider to allow login and VPN connection they could change their password. Besides, RAPs, as opposed to a VPN solution, are a pricey license per seat.

Sent from Droid Turbo 2
 