Hello @Alexandru ,
Thank you for posting here.
To better understand your question, please confirm the following information at your convenience.
1.Which domain does the machine belong to(such as domain 1), and then the user logs in to initiate a remote using stored AD credentials?
2.Which domain account does the user belong to (such as domain 1), and then the user logs in to initiate a remote using stored AD credentials?
3.Which domain does the stored AD credentials belong to (such as domain 2)?
4.Based on "and after that they open a VPN to the office. When they try to access shared resources, they get denied, as thy are not actually logged in to the domain." Is there a credential dialog box popping up for you to provide credentials when they try to access shared resources?
5.If so, what domain credential did you provide (such as domain credential in domain 2)?
6.Would you please provide the screenshot with error message when they get denied?
Should you have any question or concern, please feel free to let us know.