I've recently taken over an environment where everyone uses a shared Active Directory (AD) login for their computers. I'm working to transition everyone away from this setup, but I have a specific challenge with a handful of remote users. These individuals use shared logins on their laptops and access the network via VPN. I want them to start using their own logins, but since they never come into the office, it's tricky. I could take the time to walk each person through the process, but that's not practical.
We have a Remote Monitoring and Management (RMM) system in place, and I'm wondering if there's a way to cache AD credentials on their computers without needing their login details. All users already have their unique AD accounts with passwords that I can't reset for this purpose. Profile migrations aren't a concern, so I'm really just focused on getting these remote users off the shared login without their physical presence. Since they might struggle with instructions to log in as another user through VPN, I'm aiming for a straightforward solution like simply clicking 'other user' to log in.
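Since a cached domain credential is only written to the laptop when the user actually logs on interactively with their own password, the practical step before that first VPN logon is to confirm each laptop is ready for it. The following PowerShell script is an added example (not from this thread) that an RMM agent can run as administrator: it reports whether the machine is domain-joined, what the CachedLogonsCount policy is, and whether the named user already has a local profile (and so has logged on before). $TargetUser is a hypothetical parameter you supply.

```powershell
# Added example: audit a laptop's readiness for an individual cached domain logon.
# Assumptions: run locally (e.g. via the RMM agent) with administrator rights;
# $TargetUser is a hypothetical sAMAccountName passed in by the operator.
param(
    [Parameter(Mandatory = $true)][string]$TargetUser
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain

# CachedLogonsCount is a REG_SZ under Winlogon. Absent means the default of 10;
# a value of 0 disables credential caching, which would block offline VPN logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }

# Resolve the account to a SID so it can be matched against local profiles.
# Translation needs a reachable domain controller (or a cached mapping).
$sid = $null
try {
    $account = New-Object System.Security.Principal.NTAccount("$($cs.Domain)\$TargetUser")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    # Leave $sid as $null; the report below shows the lookup failed.
}

# An existing profile for that SID means the user has already logged on
# interactively at least once, so a cached verifier was created at that time
# (provided caching was enabled). No profile means the first logon is still needed.
$userProfile = $null
if ($sid) {
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.SID -eq $sid }
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    DomainJoined      = $domainJoined
    Domain            = $cs.Domain
    CachedLogonsCount = [int]$cached
    TargetUser        = $TargetUser
    TargetSidResolved = [bool]$sid
    HasLocalProfile   = [bool]$userProfile
    LastProfileUse    = if ($userProfile) { $userProfile.LastUseTime } else { $null }
}
```

A result showing DomainJoined true, CachedLogonsCount greater than 0 and HasLocalProfile false tells you the laptop is ready and the only remaining step is one interactive logon by that user while the VPN is connected (or on the office network). The script deliberately does not try to create the cached entry itself: Windows derives it from the user's password at logon, so it cannot be pre-seeded from the RMM side without that password.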
2 Answers
Have you considered the idea of rolling out the changes to Azure AD or Hybrid with MFA? It might save you time in the long run. Since you're planning to shift everything to Azure eventually, doing it now could be a good call and minimize disruption before you officially make the move.
Honestly, a couple dozen users shouldn’t take too long to transition, even if you have to do each one personally. With a bit of prep, you could probably get everyone switched over in a week or two without disrupting their workflow too much.
It's actually a couple dozen users, and management wants the switchover to happen all at once for specific reasons I can't disclose. So that's part of the complexity here.

I appreciate the suggestion, but we don't currently have Intune licensing for policy management, so a hybrid solution isn't feasible right now. We're only syncing to Azure for password purposes, and we really need to maintain our local Active Directory due to certain on-prem resources. Moving to Azure is definitely on the agenda, but we want to resolve the shared login issue first.