In this post, we’ll look at two scenarios that involve establishing a VPN connection before logging in to Windows. In the first case, we need to authenticate to a domain to log in. In the second case, the connection needs to be established automatically without a user.
NOTE: This article pertains to the built-in VPN client in Windows. There is however some discussion of Cisco clients in the comments below. In fact, there is a lot of good discussion in the comments below. Thanks to everyone for posting. Please feel free to participate.
Scenario 1: Authenticating to A Domain At Login
Windows XP
At the Log On to Windows dialogue box, fill in the User name and Password fields. Select your domain from the Log on to drop down. Then check the Log on using dial-up connection checkbox. (Click Options >> to reveal the Log on to drop down and dial-up checkbox if they are hidden.) Click OK.
The Network Connections dialog box will appear. Select your VPN connection from the drop down. Click Connect. The standard VPN Connect box will appear. Connect as normal. Once the VPN connection is established, the original Log On to Windows user name and password will be applied and you’ll be logged in.
Note: In the process above, you may receive a dialogue box asking for area code and other dialing options. Just humor Windows and fill it out. It won’t matter.
IMPORTANT: The “Anyone who uses this computer” radio button must have been checked when the VPN connection was created. Otherwise the VPN will not be present in the Network Connections drop down. If this is the case, just log on as a local administrator and recreate the connection.
Windows 7
At the login screen, click the Switch User button. A Network logon button will appear in the lower right corner next to the power button. Click this button and you will be presented with buttons for available network connections. Click on the button for your VPN. Enter your Username and Password, and click the arrow button (or press Enter).
IMPORTANT: The “Allow other people to use this connection” checkbox must have been checked when the VPN connection was created. Otherwise the VPN will not be present among the available network connections. If this is the case, just log on as a local administrator and recreate the connection.
Scenario 2: VPN Connection Without User Interaction
Credit where credit is due: The process in this scenario 2 section is drawn from this blog entry, which I stumbled upon early in my research of this topic.
Windows XP
What we’re going to do is install a system service that is started at boot and calls a batch file. The batch file will invoke a command that will start the VPN.
You will need three files available from Windows Server 2003 Resource Kit Tools. At the time of this writing, the download is available from Microsoft here. Run the executable to unpack and install the tools. Note the directory where the installer puts the tools.
1. Put the command rasdial connection-name username password into a batch file and name it autoexnt.bat.
- Connection-name is the name you gave the VPN connection when you created it.
- The “Anyone who uses this computer” radio button must have been checked when the VPN connection was created.
- Documentation on the rasdial command can be found here.
2. In the directory created by the Resource Kit Tools installer, locate autoexnt.exe, instexnt.exe, and servmess.dll. Move those files and autoexnt.bat to %SystemRoot%\System32\.
3. From a command prompt, run instexnt.exe install to install the service.
- Documentation on the AutoExNT service can be found here.
You’re done. Next time the machine boots, it will automatically establish the given VPN connection.
Windows 7 (64-bit)
Follow the process outlined above, but in step 2, transfer the files to %SystemRoot%\SysWOW64\.
- The files must be transferred to this directory because they are 32-bit. 32-bit executables go in the SysWOW64 directory, and 64-bit executables go in the System32 directory. A discussion of why it works like that can be found here.
Windows 7 (32-bit) and Vista (32 & 64-bit)
I have not tested this on Windows 7 32-bit or on any version of Vista, though I imagine it would work just the same.
Edit: A reader below has reported success on Vista.
Also: Check out this related article for an alternate method that might suit your needs.
Hello my name is Anthon, I really liked your article! Nice work
Cheers buddy
Always used 3rd party tools to establish a connection before logon. Never realised these options existed – I thought the logon via dialup is from years ago when dialup was around.
Regards
Hi,
thanks for the article, I’ve got two additional questions to scenario 2:
1. I am using my university’s VPN. How can I find out the connection-name? I am using their special LogIn program (Juniper), so I only used username and password so far.
2. How can I uninstall what I installed in step 3?
Thanks!
Hi Joe,
1. The connection name is what is displayed when you look at the network adapters. E.g., Local Area Connection, CompanyVPN, etc. Since you are using third party VPN software, it’s quite possible that the VPN connection will not show up with the other network adapters. That was the case when I last used a Juniper VPN (many years ago). Speaking of Juniper specifically, I do not know how one would go about causing the VPN connection to initiate without user intervention. There may be a way, I just don’t know it.
2. Simply run “instexnt.exe remove” to uninstall the service.
Good luck to you.
I have used this option since XP and Windows 2000 were around. Now I have a problem with Windows 7 Ultimate. The “everyone who uses this computer” option is greyed out and I don’t know how to enable it. It is really getting on my nerves. Would you please help me?
That option requires administrator privileges. Does the account you’re using have admin privileges on the computer?
Yes, this feature annoyed me too, but then the decision was found. First step: delete the existing VPN connection. Second step: set up a new one, and while making this VPN connection indicate that every user can connect via this VPN connection. Then the option “everyone who uses this computer” will be enabled. Though on Win 7 32 bit this didn’t help; VPN connection before logging in doesn’t work all the same.
Thanks for sharing the VPN info. Really helpful ^^
Thanks for the feedback.
Hi Zero,
thank you so much for this helpful workaround. I have to set this up at one of our employees who is using Windows 7 (not sure home or pro). I have successfully tested this on XP, but right now I am having trouble getting this running on my Windows 7 pro machine. When I try to start instexnt install I receive the error: failure: OpenService (0x00).
Do you have any idea how to solve this?
greetz,
dominik
Hmm
I don’t think I saw that error when I was testing. If you’re running Win7 64-bit, make sure the files go into %SystemRoot%\SysWOW64\ instead of %SystemRoot%\System32. Otherwise, I’m not sure. When you figure it out, let us know.
Thanks
Hi Zero,
I finally got this up and running. The problem had something to do with the administrator rights. My user is an administrator, but the User Access Control was set up too strong. I temporarily changed it to the weakest level and restarted the system (not sure if this is really necessary). After that I was able to install the service.
greetz
dominik
Interesting. I probably had UAC at a low setting or disabled when I was testing. Thanks for reporting back!
This article is really helpful Thanks !! In this issue with the failure to open service, I got that on the command line but then ran command as administrator. That elevated it properly even though I was testing as a domain admin.
Also, you would need to surround a two word vpn name like “vpn connection” with quotes.
Cary
Hi, I’m using win7 PRO and when I try to switch users there’s no Network logon button nor power button. Any idea?
Interesting. They should be there in the lower right corner. Even if the Network logon button isn’t there, the power button should be. Not sure what’s going on here. Do let us know if you find out.
If you don’t have dial-up or VPN connection in your Network & Sharing center you will not see this blue button :)
So Create test one.
Thanks. Really helpful. Works fine on Vista pro.
Good deal. Thanks for the confirmation.
Great Article… Was scratching my head trying to work out how to do this for a client of ours while we build their national network and it works great… Doesn’t work with 3rd Party VPN Software, seems to only work with Windows based/built VPN Connections
Cheers,
Ray.
Yes, this is just for Windows VPN connections. Some third party VPN packages provide this functionality automatically (e.g. Cisco VPN client). If this functionality is not provided, you could try using the method in Scenario 2, but instead of calling rasdial, you could try calling the third party VPN.
You mention the Cisco VPN Client… I don’t recall seeing that option in the list when I attempted to connect… I have the Cisco VPN Client installed along with another VPN Connection created through Windows due to that site not migrated yet over to the Cisco VPN Network but it doesn’t bring it up as an option to use… Am I missing something?
Cheers,
Ray.
When I last worked with the Cisco client (a few years ago), it was on Windows XP and the client was available at the login screen. I believe this was a setting in the client. I don’t know how/if it works in current versions. I would hit up Google and see what you find. (Also, this might be applicable: https://supportforums.cisco.com/thread/2032113)
Yes, there is an option when using Cisco VPN to have it come up before login. However with Windows 7 the option goes away…which is why I’m here trying to figure out how to get it back.
I am trying to get this to work with Cisco VPN. First question is does this work with Cisco VPN clients?
What I discussed in the article pertains only to the built in Windows VPN client. I don’t know if this is possible with a current Cisco client. A lot of people are interested in that. If you find out, would you mind posting back here to let us know?
Hi… for Windows XP, the Cisco client has in its “Options” a button that says “Leave VPN connection while logging off”. Use this button when you are logged in as an existing user, log off and log back in as the new user. That worked for me. The same page also has an option to start VPN at start-up and seems like it may work as well.
I think I found a way to cheat the system and get this to work with the Cisco VPN Client on Windows 7.
You must have already joined the computer to the domain while remote with an active VPN connection; that is how I got into this mess to start with. :P
1) log in as a local user
2) establish vpn connection
3) instead of logging out, select switch users
4) now try domain login; it should work!
Thanks, Alex!
Nice one! I needed this tip to avoid flying half way round the world.
Alex,
that works just right! thanks a lot!
-worldlock
This article is really useful, thanks a lot to the author.
However, I would like to add something. I tried this way of launching VPN connection on several machines with Windows XP, 7 32 bit, 7 64 bit. And I was surprised because on one machine this approach worked well but on another it didn’t show signs of working though the service AutoExNT has been created in all cases.
Then I spent two days to find decision skimming through the Internet. Someone offered to launch autoexnt.bat via Task Scheduler, other person suggested to make different changes in registry. I tried some of them but those approaches didn’t help. That was like a mystery.
Then I changed my mind that service AutoExNT was launched too early before WiFi Connection starting. VPN tried to establish connection when Internet connection (WiFi) hasn’t yet started. That’s why it’s necessary to make the strict sequence of services starting. First, Internet connection (WiFi) starts and only then after several seconds service AutoExNT goes. This is possible to carry out with utility “sleep” which is included in Resource Kit for Windows which was mentioned by the author of this article.
1) We need to create autoexnt.bat with the following content:
sleep 15
rasdial.exe VPN-Connection-name Login Password
the line ”sleep 15” means that before performing rasdial.exe 15 seconds will hold. You can set any number of seconds you need, maybe the Internet connection starts earlier and it’ll be enough to set 5 seconds or 10. 15 seconds is only my case.
2) We need to put autoexnt.exe, instexnt.exe, servmess.dll, autoexnt.bat and sleep.exe in C:/Windows/system32
3) We type in command line: instexnt.exe install
After these corrections VPN connections on computers with XP, 7 32 bit, 7 64 bit begin working before logging in to Windows
and that’s all. Once again thanks a lot to the author of this article!
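An added example (not the commenter's or the author's file): the same autoexnt.bat with the fixed delay replaced by a bounded wait that probes the VPN server before calling rasdial and records the exit code. The connection name, account, password, host name and log path are placeholders, and it assumes the VPN server answers ping.

```bat
@echo off
rem autoexnt.bat - added example with a bounded wait instead of a fixed sleep.
rem All values below are constructed placeholders; replace them with your own.
setlocal
set "VPN_NAME=CompanyVPN"
set "VPN_USER=vpn-user"
set "VPN_PASS=REPLACE_ME"
set "VPN_HOST=vpn.example.com"
set "LOG=%SystemRoot%\Temp\autoexnt-vpn.log"
set /a TRIES=0

:wait_net
set /a TRIES+=1
rem One echo request with a 2 second timeout. Errorlevel 0 means a reply
rem arrived, so name resolution and routing are both working.
ping -n 1 -w 2000 %VPN_HOST% >nul 2>&1
if not errorlevel 1 goto dial
rem Give up after 30 probes (roughly two minutes) so the service does not
rem loop forever on a machine that has no network at all.
if %TRIES% GEQ 30 (
    >>"%LOG%" echo %DATE% %TIME% network not up after %TRIES% probes, giving up
    exit /b 1
)
rem Pause about two seconds without needing sleep.exe.
ping -n 3 127.0.0.1 >nul
goto wait_net

:dial
rem Quotes allow a connection name that contains spaces.
rasdial "%VPN_NAME%" "%VPN_USER%" "%VPN_PASS%" >nul
set RC=%ERRORLEVEL%
rem Log only the exit code (0 = connected), never the credentials.
>>"%LOG%" echo %DATE% %TIME% rasdial exit code %RC% after %TRIES% probes
endlocal & exit /b %RC%
```

A non-zero exit code in the log is the RAS error number, which separates a timing problem from rejected credentials.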
That is an excellent point! A wired connection generally initializes quickly, but a wireless connection will often take a little longer to get up and going. Thank you very much for bringing up this point and for sharing your solution!
Hello, nice article, but i have some questions.
a) i tried this method at windows xp client, but it didn’t work. In my event viewer of the xp client, says that the domain can’t be found.
I tried to include in the .bat file, some sleep, also to ping first google.com, as is saying someone in the “http://blog.kamens.us/2007/03/25/starting-a-vpn-automatically-on-boot-with-windows-xp/” but it didn’t work too. In the log file, I see only that the client connected to the vpn, at the time I logged in at Windows using dial-up connection in the login screen. Can you give me some advice on what I’m doing wrong?
Also I see when I am connected at vpn, that it gives let’s say an ip: 123.234.143.86
and the mask is : 255.255.255.0 and gateway :123.234.143.86 (the same as ip). is that correct? Because when i am in a client in my domain i have different mask and gateway. Can i change this settings from somewhere?
b)When we have through Active Directory some Computer policy, for Software installation and script, at start up of the clients computer that are joined in the domain , with this method can the client, that is connected through vpn, take this Software at computer start up?
Thanks
George
Hi George,
a.1) That’s frustrating. I don’t know what’s going wrong.
a.2) It’s common to have the same IP address for your client and the gateway when you’re connected to a VPN. It’s not a problem.
b) I am not an Active Directory expert. I don’t know for sure. I can tell you that whenever I have used a VPN to connect to a domain, those kinds of scripts have not run.
Good luck to you,
Z
Thanks for your reply Zero,
The article is amazing even if i didn’t find solution at my problem
Thank you for your kind words. You might want to try increasing the sleep time to give your system a bit more time to get networking up and going. I don’t know. If you resolve the problem, please consider coming back here and sharing what you learn.
Hey, I am using Window7 Enterprise edition 32 bit. I can’t find the blue button near the red ‘shutdown’ button. How do I then connect to the domain controller for logging in??? Please help! Urgently solution required.
Okay, I got it. First you need to login on an administrator account onto your Windows 7 as you normally do. After that you create a VPN connection with the settings “anyone can dial up”. Next you establish a VPN connection. Now you join your machine to the domain controller. Once done, it will restart your machine. Please restart. When it boots up, click on the “Switch User” button. Then you’ll be able to see the Blue button & dial-up the VPN using your credentials. It will work. If anybody gets some problem please get back. :)
Good stuff. Thanks, Vinay.
Hi, I can get all the vpn connections this way but if I choose to go with certificate as authentication then it wouldn’t show, could you please help
Interesting. I never tested with client certificates. Please let us know how you get it working.
Hello, I successfully set up a VPN on my router and everything is working good :)!! But I have a small problem. I am trying to make it where you can log in to the VPN BEFORE Windows loads up, using the switch user and then you click the VPN button in the lower right hand corner of the screen, but when I put my user name and password in, it says “bad usernames and password”. But I can manually put it in inside Windows and it works fine and everything works, but I can’t put it in before the Windows log in screen, and I need to be able to get other accounts that are located on my domain. Now again, my VPN is set up on my router, NOT my server, which I don’t think would make a difference, but I don’t know!! Now I already made sure and checked the box that says “Allow other users on this computer to use this VPN connection”. I checked that box, and I was also reading on other forums where people were saying if the date and time was not in sync with the server or whatever then that would mess it up, so I made sure all the computers were synced together (date and time) and that didn’t help. See, when I put my user name and password in the Windows log in screen trying to get into the VPN, it will all the passed the register computer with network and then it will show “welcome” and then it brings up the message log in failed, wrong username or bad password, when I just literally used it to manually log into the VPN through inside Windows. I don’t know…. I need help please. Thank you, have a great day.
That is frustrating. Are your user name and password the same for the VPN and your Windows domain login? I’m not able to test right now but I’m wondering if you are connecting to the VPN successfully and then the actual Windows login is failing.
Good post. I learn something totally new and challenging
on blogs I stumbleupon everyday. It’s always useful to
read through content from other writers and practice a little something from
their websites.
OK, here it is many years later and this is still relevant. I have a 2012R2x64 test server setup on a VM and installed this with an administrative command prompt without any issues (UAC or otherwise). VPN connected (I was monitoring with a separate connection), server still at login screen. I logged in, joined the remote domain and rebooted without any issues. Logged into the local server using a domain account, my login script was processed properly – damn can this really work? Next I will promote to a DC and setup DFS to sync folders and see how that goes. Thanks for leaving this little gem sitting here for so long.
Fantastic! I’m glad (and a bit surprised) this post is still helping folks. Right on.
Thanks for posting this awesome article. I will come back
for sure to check your future posts!
Is there any way to make this happen without passing the plain password?
You mean with autoexnt.bat? You might be able to have the BAT file execute a command that returns the password and then read the password into a variable. But whatever that command/process is, if it can get your password you’re probably not much safer than hard-coding the plain text password directly.
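On the plain-text password question above, an added example (not from the original post): autoexnt.bat holds the VPN password, and files under %SystemRoot% are readable by ordinary users by default, so this one-time script restricts the file to SYSTEM and Administrators. It assumes icacls.exe is present (Windows Vista/7 and later) and that the AutoExNT service runs as Local System.

```bat
@echo off
rem Added example: run once from an elevated command prompt after copying
rem autoexnt.bat into place. Assumes icacls.exe is available.
setlocal
rem Use %SystemRoot%\SysWOW64 instead on 64-bit Windows, as in the article.
set "BAT=%SystemRoot%\System32\autoexnt.bat"
if not exist "%BAT%" (
    echo %BAT% not found
    exit /b 1
)
rem Remove inherited entries, which include read access for BUILTIN\Users,
rem then grant access only to two well-known SIDs (locale-independent):
rem   S-1-5-18     = Local System (assumed service account)
rem   S-1-5-32-544 = BUILTIN\Administrators
icacls "%BAT%" /inheritance:r /grant:r *S-1-5-18:(RX) *S-1-5-32-544:(F)
if errorlevel 1 (
    echo Failed to set ACL on %BAT%
    exit /b 1
)
rem Print the resulting ACL; only the two entries above should be listed.
icacls "%BAT%"
endlocal
```

Local administrators can still read the password, so a dedicated VPN account with no other rights limits what a recovered password is worth.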