Handling domain joined laptops that are rarely on the local LAN?

Solution 1:

Depending on the work they have to do inside the Domain, consider working with a Terminal Server (or just a host inside your company network).

They could even work with their private Hardware (if they want to) and you are in full control of the Terminal Server. Just give them access via VPN, or directly via RDP (if you have trust in Microsoft protocols :)

OpenVPN would also have a service feature where you could connect to a VPN at system startup. You could pair this with certificate authentication (unexportable from the certificate store) and a revocation list for NOT allowing users to connect anymore.

The openvpn config needs to be edited, something like this:

ca "YOUR_CA.pem"
cryptoapicert "SUBJ:OpenVPN-Client"

The certificate (with a matching subject name) needs to be imported into the certificate store of the user who starts up the openvpn service.
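A fuller pair of config excerpts for the setup the answer describes (service-started client using the Windows certificate store, revocation enforced on the server). This is an added example, not the answer's own config; the hostname, file names and the "OpenVPN-Client" subject string are placeholders.

```conf
# ---- client.ovpn (Windows laptop) ----
# Saved in OpenVPN's config directory so the OpenVPN Windows service brings
# the tunnel up at boot, before any user logs on.
client
dev tun
proto udp
remote vpn.example.com 1194      # placeholder server name
resolv-retry infinite
nobind
persist-key
persist-tun

# Trust anchor used to validate the server certificate
ca "YOUR_CA.pem"

# Client identity comes from the certificate store of the account running the
# service ("SUBJ:" matches on the certificate subject). The private key stays in
# the store and can be marked non-exportable, so it is never a file on disk.
cryptoapicert "SUBJ:OpenVPN-Client"

# Only accept a server certificate that was issued for server use, so a stolen
# client certificate cannot be used to impersonate the VPN server.
remote-cert-tls server
verb 3

# ---- server.conf excerpt (VPN gateway) ----
# Issue one certificate per laptop. To cut a laptop off, revoke its certificate
# with the CA and regenerate crl.pem; the handshake then fails even though the
# certificate itself has not expired. OpenVPN re-reads the CRL file on each
# connection, so no restart is needed.
ca "YOUR_CA.pem"
cert "server.pem"
key "server.key"
dh "dh.pem"
crl-verify "crl.pem"

# Mirror of the client-side check: only certificates issued for client use
# may authenticate as a client.
remote-cert-tls client
```

Which account's certificate store is consulted depends on the account the OpenVPN service runs under, so the certificate has to be imported while logged in as that account (or into its store via the MMC certificates snap-in).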

Solution 2:

One common way of handling this is to start the VPN connection before user logon. For instance, the Cisco AnyConnect VPN client has this feature:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml