Join Domain and Login over a VPN Connection

This is a short tutorial on how to join a computer to a domain over a VPN connection. This was very useful for me this weekend. Like many others, I work from my home office. Recently, I reinstalled Windows on my laptop, and now I need to connect to my domain and set up my domain profile.

Windows 10 (and 11) allows you to join your device to Active Directory over a VPN. The problem is that the computer has to be restarted to complete the domain join. When Windows boots up, the laptop cannot reach the domain controllers because the VPN session has not been established yet. As a result, I cannot log on to the computer with my domain account, and Group Policy settings are not applied.

There is a workaround to join a new Windows device to the domain over VPN:

  1. Log in to your device using a local administrator account;
  2. Configure the Windows VPN client and connect to your company VPN gateway;
  3. Join Windows to the Active Directory domain;
  4. (Optional) Add your domain account to the local admins group on your home device;
  5. Reboot your computer and log in with a local administrator account;
  6. Connect to VPN and switch Windows user account;
  7. Sign in under your domain user account.

Now let’s take a closer look at these actions.

Join Domain over VPN

Note: you will need to log in to the computer with a local account.

Connect to VPN

First, you must create a Virtual Private Network (VPN) connection to your corporate VPN gateway.

  1. Open “Windows Settings” → “Network & Internet”;
  2. Choose the “VPN” tab and click “Add a VPN connection”;
  3. Fill in the fields as follows:
    “VPN Provider” → Windows (built-in);
    “Connection name” → any name (best to use the provider country and/or server location);
    “Server name or address” → the address of your VPN provider (you can find it in your VPN account);
    “VPN type” → “Automatic” (you can also choose the type manually);
    “Type of sign-in info” → your type (in this case, user name and password).
  4. Click the “Save” button.
  5. Connect to the VPN gateway.

Also, you can get the Touch VPN in Windows Store (it’s free) and use it for a VPN connection.

Hint. Some VPN clients are disconnected automatically when you switch Windows users. You can create a VPN connection that stays connected when you switch the user account. This type of VPN connection is created with the PowerShell cmdlet Add-VpnConnection and the AllUserConnection parameter:

Add-VpnConnection -Name WorkVPN -ServerAddress vpn.theitbros.com -AllUserConnection $true -SplitTunneling $true -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru

Joining Windows to the AD domain

Join your computer to the domain.

  1. Open the “Control Panel” → “All Control Panel Items” → “System”;
  2. Choose “Change settings”;
  3. Click the “Change” button on the “Computer Name” tab;
  4. Select the “Domain” option, type your AD domain name, and press OK;
  5. Enter the credentials of a user who is allowed to join computers to the domain;
  6. Restart the PC.

Hint. You can also join your Windows device to the Active Directory domain using PowerShell:

Add-Computer -DomainName theitbros.com -Verbose
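The same procedure (all-user VPN profile, dial-up, domain join) scripted end to end, as an added example that is not part of the original article. It inserts a check the article only implies: the domain controllers must be resolvable and reachable through the tunnel before Add-Computer is run. 'WorkVPN', 'vpn.example.com' and 'corp.example.com' are placeholder names.

```powershell
# Added example, not from the original article: create an all-user VPN profile,
# dial it, confirm the domain controllers answer through the tunnel, then join.
# 'WorkVPN', 'vpn.example.com' and 'corp.example.com' are placeholders.
# Run from an elevated PowerShell session (needed for -AllUserConnection and Add-Computer).
$VpnName   = 'WorkVPN'
$VpnServer = 'vpn.example.com'
$Domain    = 'corp.example.com'

# AllUserConnection puts the profile in the machine-wide phonebook, so the
# tunnel survives "Switch user" instead of ending with the creating user's session.
if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -AllUserConnection `
        -TunnelType Automatic -AuthenticationMethod MSChapv2 -EncryptionLevel Required
}

# rasdial dials the profile; the trailing '*' makes it prompt for the password
# so the secret never lands on the command line or in the phonebook.
$vpnUser = Read-Host -Prompt "VPN user name for $VpnName"
rasdial.exe $VpnName $vpnUser *
if ($LASTEXITCODE -ne 0) { throw "VPN dial failed, rasdial exit code $LASTEXITCODE" }

# A join needs the DC SRV records to resolve and LDAP to be reachable through
# the tunnel; verify both before touching the machine's identity.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $dcs) { throw "No DC SRV records for $Domain (check split tunneling and DNS settings)" }

$reachable = $dcs | Where-Object {
    (Test-NetConnection -ComputerName $_.NameTarget -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
}
if (-not $reachable) { throw "DCs resolve but LDAP (TCP 389) is not reachable over the VPN" }
Write-Host "Reachable DCs: $($reachable.NameTarget -join ', ')"

# Join using an account that may create computer objects; no automatic reboot,
# so you can still add your domain user to local Administrators first.
$joinCred = Get-Credential -Message "Account allowed to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $joinCred -Verbose
```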
Login with a Domain Account over VPN

After the reboot:

  1. Log in with local administrator credentials;
  2. Connect to the VPN again;
  3. Now add the domain user you will be using to the local Administrators group on the computer. You can add a domain user account to the local group by its SID.

Ask your coworkers to find your domain account SID using the following PowerShell command:

Get-ADUser M.Becker | Select-Object SID

Now you can add this account by its SID to local Administrators group using PowerShell:

Add-LocalGroupMember -Group administrators -Member S-1-5-21-2927053466-1818515551-2824591131-4101
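An added example (not from the original article) for this step: it resolves the domain user's SID on the home machine itself through LSA while the VPN is up, so the Get-ADUser step on a colleague's computer becomes a fallback rather than a requirement, sanity-checks the SID, and then adds and verifies the membership. 'CORP\m.becker' is a placeholder account; the Administrators group is addressed by its well-known SID so the script does not depend on the UI language.

```powershell
# Added example, not from the original article: add a domain user to the local
# Administrators group on a freshly joined machine while the VPN is connected.
# 'CORP\m.becker' is a placeholder; substitute your own account.
$DomainUser = 'CORP\m.becker'

# Resolve the SID locally through LSA (works once a DC is reachable over the
# VPN; no RSAT / Get-ADUser needed on this machine). A SID handed over by a
# colleague serves as the fallback when the lookup fails.
function Resolve-AccountSid {
    param([string]$Account, [string]$FallbackSid)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        if (-not $FallbackSid) { throw "Cannot resolve $Account and no fallback SID given: $_" }
        Write-Warning "Could not resolve $Account online; using the supplied SID"
        return [System.Security.Principal.SecurityIdentifier]$FallbackSid
    }
}

$sid = Resolve-AccountSid -Account $DomainUser
# Sanity check: a domain user SID carries the S-1-5-21 domain prefix and a RID
# of 1000 or higher, i.e. it is not a mistyped built-in or well-known principal.
if ($sid.Value -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$' -or [int]($sid.Value -split '-')[-1] -lt 1000) {
    throw "Unexpected SID $($sid.Value) for $DomainUser"
}

# Membership is stored by SID, so the entry survives VPN disconnects; the name
# column is only filled in while the domain can be reached.
$group = Get-LocalGroup -SID 'S-1-5-32-544'   # built-in Administrators
if (-not (Get-LocalGroupMember -Group $group -Member $sid.Value -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $group -Member $sid.Value
}
Get-LocalGroupMember -Group $group | Where-Object { $_.SID.Value -eq $sid.Value } |
    Format-Table Name, SID, PrincipalSource
```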

Next, switch to your domain account without disconnecting the VPN: press CTRL+ALT+DEL and select “Switch user.”


Hint. If the Switch User option is missing, check the local GPO option Hide Entry Points for Fast User Switching under Computer Configuration > Administrative Templates > System > Logon, and make sure it is not enabled.

Enter your domain user credentials (use the domain\username format for the user name) and log in to the computer.


And there you go, you are now logged in with the domain account on a domain-joined machine.

After the first login, your domain user credentials are cached locally, and you will be able to log in with your domain account even if the VPN session is not established and the domain controllers are not available. For more information on this, see the article Active Directory Cached Credentials overview.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

3 comments

  1. Thanks for article. I always forget to add the machine to the network over my VPN connection when trying to add a domain user and scratch my head and wonder why the user won’t add properly.

  2. Thanks, this is helpful.
    Though this part needs a bit more explanation: “Now add the domain user you will be using to the local administrator’s group on the computer.” – what’s the local administrator’s group? is it the workgroup? isn’t that by default the case when adding a new local user?
