Windows - admin auth on first run

I think our issue is similar to the post linked below, but just wanted some further clarification.

We have 23 sites scattered around the country. These are all linked with standard IPSec site-to-site VPNs back to our head office. Some of our devices are laptops, which we’re using ZeroTier on for when they’re out of the office. Unfortunately, when they’re in the office, the performance is horrific with ZT turned on (perfect if I turn ZT off, or if ZT is on and they’re on our guest network). It just seems to be when it has 2 valid routes to our datacentre (one via the IPSec network and one via ZT).

This means that they need to manually disable ZeroTier whenever they come into the office and manually re-enable it when they’re at home or on the road.

We have the issue where this isn’t possible, due to the UI needing admin access on first run for each account.

We’re deploying via RMM, so can add steps to the install sequence. Having read the topic below, it seems we need to copy “C:\ProgramData\ZeroTier\One\authtoken.secret” to “C:\Users\<username>\AppData\Local\ZeroTier\One\authtoken.secret”.

Is that ALL we need to copy to enable the UI without admin rights? Or are there other files we need to copy to make this issue go away?

Bypass/Over ride Admin Authorisation on first run - MacOS - Community Support - ZeroTier Discussions

Thanks in advance!

That should do it, unless I’m forgetting something.

Maybe we can figure something out so users don’t need to leave the network.

Sometimes making the ZeroTier managed route a little larger helps in these scenarios.
For example, if your office subnet is /24, make the ZeroTier route /23.

Or there should be a way in Windows and macOS to run a leave/join script based on location.

Yeah, it would be good to figure out why it does it to be fair. It’s odd - it doesn’t always do it, and when it does, it’s not always all laptops. I can’t just get my head around it. Today though, it seems to be affecting all machines…

I’m curious, any idea why making the ZeroTier route a /23 works? Interestingly, the routes table on Windows only shows a single route to our DC - when it’s running through IPSec it just uses the default gateway (the router). Personally, I would’ve thought that Windows would take the one and only route to push all traffic through ZT, but 🤷

Yeah, my other question was so I can run a script to disconnect & reconnect.

Thanks for the help!
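The copy step discussed in this thread, written as an RMM post-install script. This is an added example, not part of the original posts or ZeroTier's own tooling. It assumes the script runs elevated and that every non-system profile on the machine should get the token. Because the token lets its holder control the local ZeroTier service, each copy is locked down to the owning user, SYSTEM and Administrators.

```powershell
#Requires -RunAsAdministrator
# Added example: copy the ZeroTier service token into each existing user profile
# so the UI does not prompt for admin rights on first run.
$ErrorActionPreference = 'Stop'

# Source path as given in the thread.
$source = Join-Path $env:ProgramData 'ZeroTier\One\authtoken.secret'
if (-not (Test-Path -LiteralPath $source)) {
    throw "Service token not found at $source. Is the ZeroTier service installed and started?"
}

# Real user profiles only; Special is true for SYSTEM, LocalService, NetworkService.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and (Test-Path -LiteralPath $_.LocalPath) }

foreach ($p in $profiles) {
    # Destination path as given in the thread, relative to the profile root.
    $destDir = Join-Path $p.LocalPath 'AppData\Local\ZeroTier\One'
    $dest    = Join-Path $destDir 'authtoken.secret'

    New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $dest -Force

    # Drop inherited ACEs, then grant read to the profile owner only,
    # plus full control to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544).
    # SIDs are used instead of names so this works on any OS language.
    & icacls.exe $dest /inheritance:r /grant:r `
        "*$($p.SID):(R)" '*S-1-5-18:(F)' '*S-1-5-32-544:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed for $dest (exit code $LASTEXITCODE)"
    }

    Write-Output "Token copied and locked down for $($p.LocalPath)"
}
```

Profiles created after this runs will not have the file, so re-run the step on a schedule or at logon for new accounts.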
