GPO / cached login? Possible?
- From: Aidan <Aidan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 May 2007 06:57:02 -0700
Is someone able to tell me whether this in theory should work?
- User account created in OU not affected by Group Policies
- Machine is signed in connected to the network and User logs in
- Machine is disconnected from network after logging out
- User account is moved into OU where Group Policies apply
- User logs into machine using cached credentials
- User connects to the network (via VPN or LAN)
In this event, should User policies take effect at the next refresh
interval? I understand that policies such as Folder redirection cannot take
place once logged in. Will these take effect at the next login even if it is
a cached login?
I think I am going to have to open a support call but I want to ensure that
I am not attempting something that is not possible.
Any help would be much appreciated.
Thanks
Aidan
"Aidan" wrote:
Hi Mark,
The group policies which are missing/not applying are user policies. Most
notable is the omission of the Folder redirection / proxy settings and our
'locked down' user settings. They are all part of our 'standard user policy'.
I have tried the ICMP test and the client passed without any issues. A
steady reply from a DC.
Often our machines are built with the user not moved to the OU at which the
policy applies until the machine is fully deployed. I would have hoped that
the policies would apply upon their next login after the policy refresh.
I have tried the disable slow link just in case although I did try this before.
Is there anything else you could suggest that I try?
Thanks
Aidan
"Mark Heitbrink [MVP]" wrote:
Hi,
Aidan wrote:
I am trying to discover whether a user who logs into their computer offline
(no network cable attached) should be able to later connect to the network
(without a logoff) and have group policies updated.
I am looking at this from the perspective of Remote Access as the VPN client
that we are using (Checkpoint) does not give us an option to sign into the
VPN prior to login. The clients get a message stating that the user policies
cannot be found.
Some CSE can't be processed in background (scripts, software) and some
are not processed because of a detected slowlink (scripts, software,
folder redirection per default).
Some can be manipulated NOT to run in background and some to run
even on detected slow link. Registry + Security CSE are always processed,
even if slowlink is detected.
Take a look in
Compconf\Adm Templ\System\Group Policy
"Name of Client Side Extension"
Another problem: Fragmented ICMP packets are blocked by some Firewalls.
Behavior:
After logging in, ping to the DC always works, but no GPO, because the
ICMP package to detect a slow link and to connect to a DC is 2KB.
If the package is fragmented and blocked by the firewall, the client
always diagnoses it as "offline", because the DC does not answer ...
Simple Test, if your firewall blocks it:
ping yourserver -l 2048
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - German
Blog: gpupdate.spaces.live.com - English
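
The firewall check described in the quoted reply, as an added example that is not part of the original posts: it sends ICMP echoes of several payload sizes to a domain controller and reports whether small pings pass while the 2048-byte ones are dropped. The server name `yourserver` is the placeholder from the post; the function name, the extra sizes, the timeout and the attempt count are assumptions.

```powershell
# Added example, not from the thread: compare small and 2 KB ICMP echoes to a DC.
param(
    [string]$Server    = 'yourserver',  # placeholder from the post; use a DC name
    [int]   $TimeoutMs = 2000,          # assumed per-echo timeout
    [int]   $Count     = 4              # assumed number of echoes per size
)

function Test-IcmpSize {
    param([string]$Target, [int]$Size, [int]$Timeout, [int]$Attempts)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $payload = New-Object byte[] $Size
    $ok = 0
    for ($i = 0; $i -lt $Attempts; $i++) {
        try {
            $reply = $ping.Send($Target, $Timeout, $payload)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) { $ok++ }
        } catch {
            # Name resolution failure or no route: counted as no reply.
        }
    }
    $ping.Dispose()
    [pscustomobject]@{ Size = $Size; Sent = $Attempts; Replies = $ok }
}

# 32 = default ping size; 1472 = largest payload that fits one 1500-byte
# Ethernet frame (a VPN tunnel may fragment sooner); 2048 = size named in the post.
$results = foreach ($size in 32, 1472, 2048) {
    Test-IcmpSize -Target $Server -Size $size -Timeout $TimeoutMs -Attempts $Count
}
$results | Format-Table -AutoSize

$small = $results | Where-Object { $_.Size -eq 32 }
$large = $results | Where-Object { $_.Size -eq 2048 }

if ($small.Replies -eq 0) {
    'No reply even to small pings: the DC is unreachable or ICMP is blocked entirely.'
} elseif ($large.Replies -eq 0) {
    '2048-byte pings get no reply while small ones do: fragmented ICMP is likely dropped on the path.'
} elseif ($large.Replies -lt $large.Sent) {
    '2048-byte pings are partly lost: check the firewall and VPN path for fragment handling.'
} else {
    '2048-byte pings are answered: fragmented ICMP is not being blocked on this path.'
}
```

Run it once on the LAN and once over the VPN; a difference between the two results points at the VPN or firewall path rather than the DC.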