User outside my local network

Salves 501 Reputation points

Hello friends,

I need to find a solution to connect users outside of Brazil to my local domain that is synchronized with my on-premises AD.

Currently, the only solution we have is to connect these users to a VPN client so that they can change their network password, for example, or to use Azure AD with Writeback so that they can change it with AD SelfService.

However, my goal is to apply a GPO policy on computers to protect and standardize them.

I know that there is AADDS with Intune, which could be a way, but I've already tested it and realized that it won't deliver what I need.

Currently all my systems are integrated with AD on-premises, and those of Azure/Office 365 also, using ADConnect.

Has anyone implemented or seen a similar scenario?


Windows Server
Microsoft Entra

2 answers

  1. Devaraj G 2,091 Reputation points


    If there are not many dependencies on domain controllers, I would recommend that you move all your workstations to Azure AD in combination with Intune.

    However, to answer your question, can't you use a site-to-site VPN instead of a client VPN, so that the GPO policies and the other AD domain-related pieces stay intact for your outside network? But if the users are scattered everywhere and not in a dedicated location, then you can consider checking "DirectAccess".
    I have used DirectAccess to tackle similar kinds of situations, but it involves design/planning and an infrastructure footprint.

    DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections. With DirectAccess connections, remote client computers are always connected to your organization - there is no need for remote users to start and stop connections, as is required with VPN connections. In addition, your IT administrators can manage DirectAccess client computers whenever they are running and Internet connected.

    1 person found this answer helpful.

  2. Limitless Technology 39,436 Reputation points

    Hello @Salves

    I would recommend the next article:

    Application of Group Policy During a Remote Access Connection

    Group Policy is applied during a remote access connection as follows:

    - When using the Logon using dial-up connection check box on the logon prompt, both User and Computer Group Policy is applied, provided the computer is a member of the domain that the remote access server belongs to or trusts. However, computer-based software installation settings are not processed. This is because normally computer policy would have been processed before the logon screen, but since no network connection is available until logon, the application of computer policy is done as background refresh at the time of logon.
    - When the logon is done with cached credentials, and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging in via cached credentials, folder redirection settings will not be processed, because folder redirection policy can only be processed at user logon, not in the background refresh.
    - Group Policy is not applied to computers that are members of a foreign domain or a workgroup. Although the connection may still be made, access to domain resources may be affected (because of mismatched IPSec security).

    Hope this helps with your query,


    --If the reply is helpful, please Upvote and Accept as answer--
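
An added example, not part of either answer or of the quoted article: a PowerShell check an administrator can run on a remote client to see whether Group Policy was last processed at startup/logon or only in background refresh, and whether the most recent cached-credential logon (Security event 4624, logon type 11) came after the last successful user logon processing. It assumes the default Group Policy operational log and logon auditing are enabled; the 7-day window is an arbitrary choice.

```powershell
# Added example. Run elevated on the remote client (reading the Security log needs admin rights).
$gpLog = 'Microsoft-Windows-GroupPolicy/Operational'

# Successful end-of-processing events for each kind of Group Policy run.
$kinds = @{
    8000 = 'Computer startup (foreground)'
    8001 = 'User logon (foreground)'
    8006 = 'Computer periodic refresh (background)'
    8007 = 'User periodic refresh (background)'
}

# Latest successful run of each kind, or empty if none is in the log.
$report = foreach ($id in ($kinds.Keys | Sort-Object)) {
    $e = Get-WinEvent -FilterHashtable @{ LogName = $gpLog; Id = $id } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EventId     = $id
        Processing  = $kinds[$id]
        LastSuccess = if ($e) { $e.TimeCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

# Failed processing runs (event IDs 7000-7007) during the last 7 days.
$failed = @(Get-WinEvent -FilterHashtable @{
        LogName   = $gpLog
        Id        = 7000..7007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)
"Failed Group Policy runs in the last 7 days: $($failed.Count)"

# Most recent logon with cached credentials (4624, LogonType 11 = CachedInteractive).
$xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
$cached = Get-WinEvent -LogName Security -FilterXPath $xpath `
            -MaxEvents 1 -ErrorAction SilentlyContinue

# Heuristic: a cached logon newer than the last successful user logon processing
# means logon-only settings were probably not processed for that session.
$userFg = ($report | Where-Object EventId -eq 8001).LastSuccess
if ($cached -and (-not $userFg -or $cached.TimeCreated -gt $userFg)) {
    "Cached-credential logon at $($cached.TimeCreated) is newer than the last " +
    "successful user logon processing ($userFg); logon-only settings such as " +
    "folder redirection were likely not applied in that session."
} else {
    "No cached-credential logon found after the last successful user logon processing."
}
```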
