@PeterE wrote:
I've got enforce machine authentication enabled > should this stay like this? Default rule for machines is allow_all.
We've got it nearly working. Takeover can happen, but when IT takes over, we lose connection? If we check the PC > it's logged on with the user though...
This is going to be complicated :) If your team is taking control of the machine at the login screen, as soon as they log in it will do user authentication, but if they are logging in as the local admin or as a user not allowed a RADIUS login, then you will lose your connection...
In the end I would set up a more restrictive computer role as opposed to allow all (and only allow what you need: DNS, DHCP, AD, RDP, etc.) and then make a domain user or group and add it to the local admin group of those machines (you can do this via GPO), then make sure those users can actually authenticate and get a role using 802.1X user authentication.