Re: VPN, cached credentials and GPs not applying

From: Darren G (G_at_discussions.microsoft.com)
Date: 11/22/04


Date: Mon, 22 Nov 2004 03:29:03 -0800

Steven, thanks for the thoughts, but unfortunately I'd already been through a
similar thought process. The problem occurs both with and without a slow
connection. (for general info, are IE maintenance settings affected by slow
links? My understanding is that they aren't.)

And as well as giving policies time to apply through refresh, they have also
been forced via gpupdate (with & without the force option). All to no avail.

My gut feel is that it is something to do with either using cached credentials
(seeing as it works when on LAN), but again my understanding is that GPs
should still apply even with cached credentials?

Anybody else any ideas?

Thanks
D

"Steven L Umbach" wrote:

> A couple things to be aware of and some things to try.
>
> How and if Group Policies are applied can be affected by "slow link
> detection" that will come into effect on a VPN connection. The link below
> explains this more and how to change the settings for it.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;227260
> http://support.microsoft.com/default.aspx?scid=kb;en-us;227369
>
> The other problem is that user/computer policy may take up to two hours to
> refresh and depending on the length of time a user is connected, they may
> not have the policy refreshed while logged on. You can change the default
> refresh and random period offset for both computer and user configuration
> under computer or user configuration administrative templates/system/group
> policy. You may want to shorten that significantly [at least temporarily] for
> VPN users. Also you will notice other settings under Group Policy [same
> place - system/group policy] that you may want to try to implement such as
> "registry policy processing" and "IE maintenance policy processing" where
> you may want to enable both for "process even if Group Policy objects have
> not changed". You may want to run the gpresult and netdiag support tools on
> one of the computers after logging on via VPN [over actual wan connection]
> to see what it reports. Also when using the built in VPN client there is the
> option to logon to the domain under properties/options - include Windows
> logon domain which may be worth trying to see if that makes a difference if
> that is not being used. Hopefully some of these changes will help. ---
> Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;321709 -- gpresult.
>
>
> "Darren G" <ng@gillman.org.uk> wrote in message
> news:MPG.1c0884e5a56c8d479897d9@news.individual.de...
> > Hi folks, wonder if this rings any bells ...
> >
> > We have a large mobile workforce who log onto their laptops locally
> > using cached credentials and then connect into the network over a Cisco-
> > based VPN (i.e. no explicit network logon). These users virtually never
> > come into the office, so we need to make any config changes remotely.
> >
> > We are trying to push out updated IE homepages through new group
> > policies. As it is not possible to use policies aligned to groups to do
> > this (unless someone knows how to update the group membership of cached
> > credentials?) we were planning to do it via moving the users into new
> > OUs with the new policies (we need to move from one default homepage to
> > a number of different ones).
> >
> > To my understanding this should work over the VPN, with the policies
> > applying either via periodic refresh or forced gpupdates. However, not
> > so!
> >
> > A GPresult shows the correct policies having been applied (and not
> > applied as appropriate) but the actual verbose gpresult detail shows
> > that the contents of the new policies have not actually been
> > incorporated into the user's active settings. It will even show active
> > settings for policies that have been disabled since the laptops were
> > last on the LAN. Although I'm pretty sure these are asynch changes,
> > we've tried logging in/out but to no avail.
> >
> > When these laptops are logged directly into the LAN the policies then do
> > apply successfully.
> >
> > This is driving me crazy and causing the business a lot of pain. Can
> > anyone help out?
> >
> > many thanks
> > Darren
> >
> >
> > --
> > Darren
>
>
>
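
An added example, not part of any poster's message: a PowerShell check, run on an affected laptop while connected over the VPN, that reads the registry values behind the settings named in the thread (slow link detection, refresh interval and offset, and the per-extension "policy processing" options). It assumes the standard policy registry locations and client-side extension GUIDs for registry and IE maintenance processing, and reports only the computer-side values.

```powershell
# Added example: read the policy-backed registry values behind the settings
# named in the thread. An absent value means the setting is "Not configured".
$system  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$cseRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

# Client-side extension GUIDs for the two "policy processing" settings.
$extensions = [ordered]@{
    'Registry policy processing'       = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    'IE maintenance policy processing' = '{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Row {
    param([string]$Setting, [string]$Value, $Data)
    [pscustomobject]@{
        Setting = $Setting
        Value   = $Value
        Data    = if ($null -eq $Data) { 'Not configured' } else { $Data }
    }
}

$rows = @()
# Slow link threshold (Kbps; 0 disables slow link detection) and the
# computer policy refresh interval and random offset (minutes).
foreach ($name in 'GroupPolicyMinTransferRate', 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset') {
    $rows += New-Row 'Computer Group Policy' $name (Get-PolicyValue $system $name)
}

# Per-extension flags: 0 lifts the restriction, e.g. NoGPOListChanges = 0 is
# "process even if Group Policy objects have not changed".
foreach ($ext in $extensions.GetEnumerator()) {
    $key = Join-Path $cseRoot $ext.Value
    foreach ($name in 'NoGPOListChanges', 'NoSlowLink', 'NoBackgroundPolicy') {
        $rows += New-Row $ext.Key $name (Get-PolicyValue $key $name)
    }
}

$rows | Format-Table -AutoSize
```

Comparing this output on the VPN against the same laptop on the LAN shows whether the processing settings themselves ever reached the client.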


