This is a short tutorial on how to join a computer to a domain over a VPN connection. This was very useful for me this weekend. Like many others, I work from my home office. Recently, I reinstalled Windows on my laptop, and now I need to connect to my domain and set up my domain profile.
Windows 10 (and Windows 11) allows you to join your device to Active Directory via VPN. However, the problem is that I need to restart my computer in order to join the domain. When Windows boots up, my laptop cannot access the domain controllers because the VPN session has not yet been established. As a result, I won’t be able to log on to the computer using my domain account and apply Group Policy settings.
There is a workaround to join a new Windows device to the domain over VPN:
- Log in to your device using a local administrator account;
- Configure the Windows VPN client and connect to your company VPN gateway;
- Join Windows to the Active Directory domain;
- (Optional) Add your domain account to the local admins group on your home device;
- Reboot your computer and log in with a local administrator account;
- Connect to VPN and switch Windows user account;
- Sign in under your domain user account.
Now let’s take a closer look at these actions.
Join Domain over VPN
Note: you will need to log in to the computer with a local account.
Connect to VPN
First, you must create a Virtual Private Network (VPN) connection to your corporate VPN gateway.
- Open the “Windows Settings” → “Network & Internet”;
- Choose the “VPN” tab and click on “Add a VPN connection”;
- Fill in the fields as follows:
  - “VPN Provider” → Windows (built-in);
  - “Connection name” can be any (best to use provider country and/or server location);
  - “Server name or address” → the address of your VPN provider (you can find it in your VPN account);
  - “VPN type” → “Automatic” (you can choose manually);
  - “Type of sign-in info” → your type (in this case, it is login and password).
- Click on “Save” button.
- Connect to VPN gateway.
Also, you can get the Touch VPN in Windows Store (it’s free) and use it for a VPN connection.
Hint. Some VPN clients are automatically disconnected when you switch Windows users. You can create a VPN connection that stays connected when you switch the user account. This VPN connection type can be created using the PowerShell cmdlet Add-VpnConnection with the AllUserConnection switch enabled (AllUserConnection and SplitTunneling are switch parameters, so they are given without a $true value):

  Add-VpnConnection -Name WorkVPN -ServerAddress vpn.theitbros.com -AllUserConnection -SplitTunneling -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru
Joining Windows to the AD domain
Join your computer to the domain.
- Open the “Control Panel” → “All Control Panel Items” → System;
- Choose “Change settings”;
- Click on the “Change” button on the “Computer Name” tab;
- Select the option “Domain”, type your AD domain name, and press OK;
- Enter the credentials of the user who is allowed to join the computer to the domain;
- Restart the PC;
Hint. Also, you can join your Windows device to the Active Directory domain using PowerShell (you are prompted for the credentials of the account allowed to join computers):

  Add-Computer -DomainName theitbros.com -Credential (Get-Credential) -Verbose
- Log in with local administrator credentials;
- Connect to the VPN again.
- Now add the domain user you will be using to the local Administrators group on the computer. Because the domain name cannot be resolved until the machine has rebooted into the domain, add the domain user account to the local group by its SID.
Ask your coworkers to find your domain account SID using the following PowerShell command (run on a domain-joined machine with the ActiveDirectory module):

  Get-ADUser M.Becker | Select-Object SID

Now you can add this account by its SID to the local Administrators group using PowerShell:

  Add-LocalGroupMember -Group Administrators -Member S-1-5-21-2927053466-1818515551-2824591131-4101
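The scripted part of the procedure above (all-user VPN profile, domain join, local admin membership) collected into one script, as an added example that is not part of the original article. It also checks that a domain controller is actually reachable through the tunnel before attempting the join, which is the usual failure point. Assumed values: the gateway vpn.theitbros.com, the domain theitbros.com and the SID are the sample values the article uses.

```powershell
# Added example, not from the original article: runs the article's scripted steps
# from an elevated PowerShell session under the local administrator account.
# Assumptions: the gateway vpn.theitbros.com, the domain theitbros.com and the
# SID below are the sample values the article itself uses.
$VpnName   = 'WorkVPN'
$VpnServer = 'vpn.theitbros.com'
$Domain    = 'theitbros.com'
$UserSid   = 'S-1-5-21-2927053466-1818515551-2824591131-4101'

# 1. Per-machine (all-user) VPN profile, so the tunnel survives "Switch user".
if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -AllUserConnection `
        -SplitTunneling -AuthenticationMethod MSChapv2 -TunnelType Automatic `
        -EncryptionLevel Required
}
# rasdial dials the profile without the Settings UI; it prompts for credentials if none are stored.
rasdial $VpnName
if ($LASTEXITCODE -ne 0) { throw "VPN '$VpnName' failed to connect (rasdial exit code $LASTEXITCODE)" }

# 2. Check that a domain controller is reachable through the tunnel before
#    joining: Kerberos (88), LDAP (389) and SMB (445) must all answer.
#    A closed port usually means the split-tunnel routes or the VPN firewall
#    rules do not cover the DC subnet.
$dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
      Where-Object Type -eq 'SRV' | Select-Object -First 1 -ExpandProperty NameTarget
foreach ($port in 88, 389, 445) {
    $test = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $test.TcpTestSucceeded) { throw "DC $dc not reachable on TCP/$port over the VPN" }
}

# 3. Join with an account that is allowed to add computers. Add-Computer does
#    not reboot by itself, so the local group change below can follow it.
Add-Computer -DomainName $Domain -Credential (Get-Credential -Message 'Domain join account') -Verbose

# 4. Grant the domain account local admin rights by SID; the SID works even
#    though the account name cannot be resolved until the machine has rebooted.
$already = Get-LocalGroupMember -Group Administrators | Where-Object { $_.SID.Value -eq $UserSid }
if (-not $already) { Add-LocalGroupMember -Group Administrators -Member $UserSid }

Restart-Computer -Confirm
```

After the reboot, log in with the local administrator account, reconnect the VPN and continue with the user switch described below.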
Now switch the Windows user account without disconnecting the VPN: press CTRL+ALT+DEL and then select “Switch user.”
Hint. If the Switch User option is missing, check the local GPO option Hide Entry Points for Fast User Switching under the following section: Computer configuration > Administrative Templates > System > Logon.
Enter your domain user credentials (use the following format for the username: domain\username) and log in to the computer.
And there you go, you are now logged in with the domain account on a domain-joined machine.
After the first login, your domain user credentials will be cached locally and you will be able to log in with your domain account (even if the VPN session is not established and domain controllers are not available). For more information on this, see the article Active Directory Cached Credentials overview.