This is a tutorial on how to join a Windows computer to a domain over a VPN connection. Recently we reinstalled Windows on a laptop, and now we need to connect it to our domain from a home office and set up the domain user profile.
In Windows 10 and 11, you can join your device to an Active Directory domain via VPN. However, after joining, you need to restart the computer to establish a secure channel with a domain controller. The challenge is that after the reboot there is no VPN session yet, so the computer cannot reach a domain controller and you cannot log in with your AD domain account.
There is a workaround to join a new Windows device to the domain over VPN:
- Log in to your device with a local administrator account;
- Configure the Windows VPN client and connect to your company VPN gateway;
- Join your Windows device to the Active Directory domain;
- (Optional) Add your domain account to the local admins group on your home device;
- Reboot your computer and log in with a local administrator account;
- Connect to the VPN and switch Windows user account;
- Sign in under your domain user account;
- Reconfigure your VPN connection to allow you to connect to VPN before logging into Windows.
How to Join a Windows Computer to a Domain over VPN
Log in to your computer using a local account with administrative privileges.
Create a new Virtual Private Network connection to your corporate VPN gateway.
- Open the “Windows Settings” → “Network & Internet”;
- Choose the “VPN” tab and click on “Add a VPN connection”;
- Fill in the fields as follows:
  - “VPN Provider” → Windows (built-in);
  - “Connection name” → any name you like;
  - “Server name or address” → the FQDN or IP address of your corporate VPN server;
  - “VPN type” → “Automatic” (or choose the protocol manually);
  - “Type of sign-in info” → User name and password.
- Click the “Save” button;
- Connect to your VPN gateway.
Join your computer to the AD domain
- Open the System Properties dialog by running the sysdm.cpl command;
- Click on the “Change” button on the “Computer Name” tab;
- Select the option “Domain”, type your AD domain name, and press OK;
- Enter the credentials of the user who is allowed to join the computer to the domain;
- Restart the computer.
Hint. You can also join your Windows device to the Active Directory domain using PowerShell:
Add-Computer -DomainName theitbros.com -Verbose
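As an added example (not code from the original article), the join step with the pre-flight checks a practitioner would want over a VPN: the tunnel is up, DNS can locate a domain controller, and the Kerberos and LDAP ports are reachable through the tunnel. The connection name WorkVPN and the domain corp.example.com are placeholders.

```powershell
# Added example (not from the original article): pre-flight checks before joining
# over VPN, then the join itself. Placeholders: VPN name "WorkVPN", domain
# "corp.example.com"; replace them with your own values.
$VpnName = 'WorkVPN'
$Domain  = 'corp.example.com'

# 1. The VPN tunnel must be up, otherwise no domain controller is reachable.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
if ($vpn.ConnectionStatus -ne 'Connected') {
    throw "VPN '$VpnName' is $($vpn.ConnectionStatus); connect it first."
}

# 2. The DC locator uses DNS SRV records; if this lookup fails, the VPN DNS
#    settings (split tunneling, DNS suffix) are the thing to fix, not the join.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
Write-Host "Located domain controller: $dc"

# 3. Kerberos (88) and LDAP (389) must be allowed through the tunnel / VPN firewall.
foreach ($port in 88, 389) {
    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { throw "TCP $port to $dc is blocked." }
}

# 4. Join with a prompted account that has join rights, then reboot.
$cred = Get-Credential -Message "Account permitted to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Verbose -Restart
```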
- Log in with local administrator credentials;
- Connect to the VPN again;
- Now add the domain user you will be using to the local Administrators group on the computer. You can add a domain user account to the local group by its SID.
Ask your colleagues to find your domain account SID by using the following PowerShell command:
Get-ADUser M.Becker | Select-Object SID
You can now use PowerShell to add this account by its SID to the local Administrators group:
Add-LocalGroupMember -Group Administrators -Member S-1-5-21-2927053466-1818515551-2824591131-4101
Then press CTRL+ALT+DEL and select the “Switch user” option.
Hint. If the Switch User option is missing, check the local GPO option Hide Entry Points for Fast User Switching under the following section: Computer configuration > Administrative Templates > System > Logon.
Enter your domain user credentials (in the format domain\username) and log in to the computer.
You are now logged in with your domain account on a domain-joined machine.
After you sign in for the first time, your domain user credentials are cached locally and you can sign in with your domain account even if the VPN is not connected.
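As an added example (not code from the original article), the post-reboot step as a script: once the VPN is connected, the machine can translate the account name to its SID itself, so the colleague lookup is not needed, and the membership is added by SID and verified. The names CORP\M.Becker and WorkVPN are placeholders.

```powershell
# Added example (not from the original article): resolve the domain account's SID
# on this machine, add it to the local Administrators group by SID, and verify.
# Placeholders: NetBIOS domain "CORP", user "M.Becker", VPN profile "WorkVPN".
$VpnName = 'WorkVPN'
$Account = 'CORP\M.Becker'

# Name-to-SID translation needs a reachable DC, so the tunnel must be up first.
if ((Get-VpnConnection -Name $VpnName -ErrorAction Stop).ConnectionStatus -ne 'Connected') {
    throw "Connect '$VpnName' first."
}

# Translate DOMAIN\user to its SID (same value Get-ADUser would return).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "$Account resolves to $sid"

# Add by SID (the form the article uses), skipping if already a member.
$members = Get-LocalGroupMember -Group Administrators
if (-not ($members | Where-Object { $_.SID.Value -eq $sid })) {
    Add-LocalGroupMember -Group Administrators -Member $sid
}

# Verify the membership is recorded under that SID.
Get-LocalGroupMember -Group Administrators | Where-Object { $_.SID.Value -eq $sid }
```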
Connect to VPN Before Signing In to Windows
You can use a more elegant solution that allows you to establish a VPN connection before the user logs in to Windows, without having to switch between local and domain accounts.
Suppose you’ve configured a VPN connection under the local user. These VPN connection settings are stored in the rasphone.pbk file in the user profile folder (%userprofile%\AppData\Roaming\Microsoft\Network\Connections\PBK). To make this VPN profile available to all users of the computer, copy the file containing the VPN connection settings to the public profile folder C:\ProgramData\Microsoft\Network\Connections\PBK.
- Copy the rasphone.pbk file manually by using File Explorer or with the PowerShell command:
Copy-Item $Env:USERPROFILE\AppData\Roaming\Microsoft\Network\Connections\PBK\rasphone.pbk $Env:ALLUSERSPROFILE\Microsoft\Network\Connections\PBK
- Log off from Windows;
- On the Windows logon screen, click the Network Connections icon in the bottom right-hand corner of the screen;
- Specify the user credentials to connect to the VPN server;
- Your computer should establish a VPN tunnel and you should be able to log in to Windows using your domain account.
To create a public VPN connection profile that is available on the Windows logon screen, you can also use the Add-VpnConnection PowerShell cmdlet with the AllUserConnection parameter enabled.
Add-VpnConnection -Name WorkVPN -ServerAddress vpn.theitbros.com -AllUserConnection -SplitTunneling -AuthenticationMethod MSChapv2 -TunnelType Automatic -EncryptionLevel Required -PassThru
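As an added example (not code from the original article), a script that creates the all-user profile only when it is missing and then confirms it was stored in the all-user phonebook rather than the current user's; the name WorkVPN and server vpn.theitbros.com are taken from the command above, everything else is assumed.

```powershell
# Added example (not from the original article). Creates the all-user VPN profile
# idempotently and verifies it landed in the all-user phonebook (ProgramData),
# which is what makes it selectable on the logon screen.
$Name   = 'WorkVPN'             # profile name used in the article
$Server = 'vpn.theitbros.com'   # VPN gateway FQDN used in the article

$existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $existing) {
    # -AllUserConnection and -SplitTunneling are switches: no $true argument after them.
    # Credentials are deliberately not cached, since any local user can pick this profile.
    Add-VpnConnection -Name $Name -ServerAddress $Server -AllUserConnection `
        -TunnelType Automatic -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -SplitTunneling -RememberCredential:$false
}

# The profile must come back from the all-user store, not from the user's own rasphone.pbk.
$vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop
if (-not $vpn.AllUserConnection) { throw "'$Name' exists but is not an all-user profile." }

# The all-user phonebook file the article copies by hand should now exist as well.
$pbk = Join-Path $Env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
"Profile: {0} -> {1} (Auth={2}, Encryption={3}, PBK present={4})" -f `
    $vpn.Name, $vpn.ServerAddress, ($vpn.AuthenticationMethod -join ','), $vpn.EncryptionLevel, (Test-Path $pbk)
```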
2 comments
I guess he means add your domain\user1 to Administrators group
I’m experiencing an issue where I have joined the remote PC to the remote server’s domain controller. When I log back into the domain-joined account, I can no longer establish an OpenVPN connection. If I log out, I can easily establish an OpenVPN connection on the local admin account. What’s going on here?