| Author | Messages | |
partlake
Posts:43
 | | 02/03/2011 12:43 PM |
| Is this the correct way to post a question please?
Users (and computers) connecting to the corporate network via VPN connections are not receiving a lot of GPO settings. Is there a way to fix this please? They don't want to use a permanent VPN tunnel, because users are very mobile and connect from many different locations. There is no plan to use DirectAccess.
Thanks!
| | | |
| dmarelia
Posts:441
 | | 02/03/2011 3:17 PM |
| Nick - your posting is correct and welcome to GPTalk!
As to your question, what policy areas are not being received? It could be that the clients are detecting the VPN connection as a slow link which means some GP areas won't process by default.
Darren
| | | |
| DarraghOShaughnessy
Posts:177
 | | 02/03/2011 3:22 PM |
| I hate to mention this but... I'd check the network connection for IP fragmentation, which can play havoc with Kerberos on VPN and stop all sorts of Windows stuff working, as UDP will start failing
L
| | | |
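One way to test the fragmentation theory raised in the post above, as an added example that is not part of the thread: binary-search the largest ICMP payload that crosses the VPN with the Don't Fragment bit set. The host name `dc01.corp.example.com` and the 1400-byte simulated tunnel are placeholders.

```powershell
# Added example, not from the thread. dc01.corp.example.com is a placeholder
# for a domain controller reachable only through the VPN.

function Find-MaxUnfragmentedPayload {
    param(
        [Parameter(Mandatory)][scriptblock]$Probe,  # returns $true if N payload bytes pass with DF set
        [int]$Low  = 500,
        [int]$High = 1472                           # 1472 + 28 bytes of IP/ICMP header = 1500
    )
    # If even a small packet fails, the problem is reachability, not MTU.
    if (-not (& $Probe $Low)) { return -1 }

    # Invariant: $Low always passes; shrink the window until it is one value.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (& $Probe $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

function New-DfPingProbe {
    param([Parameter(Mandatory)][string]$Target, [int]$TimeoutMs = 2000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DontFragment
    return {
        param($size)
        $reply = $ping.Send($Target, $TimeoutMs, (New-Object byte[] $size), $opts)
        $reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success
    }.GetNewClosure()
}

# Offline demonstration with a constructed path whose MTU is 1400 bytes.
$simulatedTunnel = { param($size) ($size + 28) -le 1400 }
$payload = Find-MaxUnfragmentedPayload -Probe $simulatedTunnel
"Simulated path: largest DF payload $payload bytes, path MTU $($payload + 28)"

# Real measurement, run on the client while the VPN is connected:
# $payload = Find-MaxUnfragmentedPayload -Probe (New-DfPingProbe -Target 'dc01.corp.example.com')
# if ($payload -lt 0) { 'Target unreachable even with small packets' }
# else                { "Path MTU through the tunnel: $($payload + 28) bytes" }
```

A result below 1472 means full-size packets do not fit through the tunnel unfragmented, which is the condition the post describes for UDP traffic.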
| partlake
Posts:43
 | | 02/03/2011 4:03 PM |
| Hi and thanks!
The question has shifted slightly I'm afraid - the real issue is to do with password change notification. Remote users can continue to login to their machines using cached credentials, but when they attempt to connect to the domain over a VPN after the password has expired, they find themselves locked out of any resources (like email).
Because they're "off the network" most of the time, they don't get notifications, and when they do try to change the passwords, they can't because they're locked out!
Thanks for your assistance! Nick
| | | |
| klas9574
Posts:24
 | | 02/03/2011 4:26 PM |
| What you need to do is either see if the VPN you're using supports connection before logon, or what many folks do is to create a notification method that will send out password change notifications through email. You could go commercial: http://www.netwrix.com/password_expiration_notifier_freeware.html or just roll your own through scripting: http://www.carltoncolter.com/development/2-scripts/13-password-expiration-notification-by-email . Just google around and you'll find many more examples of scripts for this.
Scott Klassen
| | | |
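The "roll your own" notification approach suggested in the post above, as an added example that is not taken from the thread or from either linked script. It assumes the ActiveDirectory PowerShell module; `smtp.example.com`, `helpdesk@example.com`, the sample users and the 14-day window are placeholders.

```powershell
# Added example, not from the thread. Placeholders/assumptions: smtp.example.com,
# helpdesk@example.com, the example.com sample users and the 14-day window.
[CmdletBinding()]
param(
    [int]$WarnDays = 14,
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From = 'helpdesk@example.com',
    [switch]$Sample,   # run against the constructed records below, no AD needed
    [switch]$Send      # send mail; without it the script only reports
)

function Get-ExpiryNotice {
    param($User, [datetime]$Now = (Get-Date), [int]$WarnDays = 14)

    # FILETIME computed by the DC, so fine-grained password policies are honoured.
    # 0 = must change at next logon, Int64.MaxValue = never expires: skip both.
    $raw = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }

    $expires  = [datetime]::FromFileTimeUtc($raw)
    $daysLeft = [int][math]::Floor(($expires - $Now.ToUniversalTime()).TotalDays)
    if ($daysLeft -gt $WarnDays) { return }

    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        EmailAddress   = $User.EmailAddress
        ExpiresUtc     = $expires
        DaysLeft       = $daysLeft
        Status         = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }
    }
}

$now = Get-Date
if ($Sample) {
    # Constructed records shaped like Get-ADUser output.
    $attr  = 'msDS-UserPasswordExpiryTimeComputed'
    $users = @(
        [pscustomobject]@{ SamAccountName = 'alice'; EmailAddress = 'alice@example.com'; $attr = $now.AddDays(5).ToFileTimeUtc() }
        [pscustomobject]@{ SamAccountName = 'bob';   EmailAddress = 'bob@example.com';   $attr = $now.AddDays(-2).ToFileTimeUtc() }
        [pscustomobject]@{ SamAccountName = 'carol'; EmailAddress = 'carol@example.com'; $attr = $now.AddDays(60).ToFileTimeUtc() }
        [pscustomobject]@{ SamAccountName = 'svc';   EmailAddress = $null;               $attr = [int64]::MaxValue }
    )
} else {
    Import-Module ActiveDirectory -ErrorAction Stop
    $users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'
}

$notices = @(foreach ($u in $users) { Get-ExpiryNotice -User $u -Now $now -WarnDays $WarnDays })

foreach ($n in $notices) {
    # Only mail users who can still act on it. Already-expired accounts are the
    # locked-out case from the thread and need a helpdesk call, not an e-mail.
    if ($Send -and $n.Status -eq 'Expiring' -and $n.EmailAddress) {
        $body = "Your domain password expires in $($n.DaysLeft) day(s), on " +
                "$($n.ExpiresUtc.ToString('u')). Connect to the VPN, press " +
                "Ctrl+Alt+Del and choose 'Change a password' before then."
        Send-MailMessage -To $n.EmailAddress -From $From -SmtpServer $SmtpServer `
            -Subject "Password expires in $($n.DaysLeft) day(s)" -Body $body
    }
}

# Report for the helpdesk: with -Sample this lists bob (Expired) and alice (Expiring).
$notices | Sort-Object DaysLeft
```

Run it daily from a scheduled task on a domain-joined server; start with `-Sample` and without `-Send` to check the output before any mail goes out.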
| partlake
Posts:43
 | | 02/03/2011 4:32 PM |
| Thanks Scott, That pretty much confirms what I thought. I hadn't seen the CarltonColter script before - thanks for that - v. useful!
Nick
| | | |
| derekodiorne
Posts:15
 | | 02/03/2011 4:43 PM |
| I also use a script for this very same reason. It was developed in house and it works fine. However, how is the application of GPOs affected if the VPN is not (and cannot be) connected before logon?
----------------------------
Thanks,
Derek Odiorne
| | | |
| dmarelia
Posts:441
 | | 02/03/2011 5:07 PM |
| What it generally means is that per-computer foreground processing will never occur - GP events that require a computer reboot, for example.
Darren
| | | |
| derekodiorne
Posts:15
 | | 02/03/2011 5:22 PM |
| Are there any ways around this obstacle?
----------------------------
Thanks,
Derek Odiorne
| | | |
| klas9574
Posts:24
 | | 02/03/2011 5:57 PM |
| There are some machine GPOs that are ONLY applied at bootup (for example Group Policy Preference drive mapping). These will never get applied as the computer cannot contact your DC at that time. For all other GPOs, after logging in and starting up the VPN, normal Group Policy refresh will apply. So, after your users connect to the VPN, they will get most settings within 2 hours (default 90 minutes +- 30 minutes as I recall). If you run into a GPO that only applies at bootup, you can work out a workaround for that setting by applying it "manually" as a Group Policy Preference registry item.
Scott Klassen
| | | |
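A way to see on a given laptop which kinds of Group Policy processing have actually succeeded (boot, logon, manual, background refresh), as an added example that is not part of the thread. It reads the `Microsoft-Windows-GroupPolicy/Operational` log on Windows Vista or later; the mapping of event IDs 8000 to 8007 to processing types is stated here as an assumption to confirm against the event text on your own build, and the sample events are constructed.

```powershell
# Added example, not from the thread. Assumption to verify on your build:
# these IDs are the "completed ... policy processing" success events.
[CmdletBinding()]
param(
    [int]$Days = 30,
    [switch]$Sample    # use the constructed events below instead of the live log
)

$Meaning = @{
    8000 = 'Computer foreground (boot)'
    8001 = 'User foreground (logon)'
    8004 = 'Computer manual (gpupdate)'
    8005 = 'User manual (gpupdate)'
    8006 = 'Computer background refresh'
    8007 = 'User background refresh'
}

function Get-GPProcessingSummary {
    param([object[]]$Events = @())
    foreach ($id in ($Meaning.Keys | Sort-Object)) {
        $hits = @($Events | Where-Object { $_.Id -eq $id } | Sort-Object TimeCreated)
        [pscustomobject]@{
            EventId     = $id
            Kind        = $Meaning[$id]
            Count       = $hits.Count
            LastSuccess = if ($hits.Count) { $hits[-1].TimeCreated } else { $null }
        }
    }
}

if ($Sample) {
    # Constructed: a laptop that only ever reaches a DC after the user starts the VPN.
    $t = Get-Date
    $events = @(
        [pscustomobject]@{ Id = 8006; TimeCreated = $t.AddHours(-30) }
        [pscustomobject]@{ Id = 8007; TimeCreated = $t.AddHours(-30) }
        [pscustomobject]@{ Id = 8006; TimeCreated = $t.AddHours(-3) }
        [pscustomobject]@{ Id = 8007; TimeCreated = $t.AddHours(-3) }
        [pscustomobject]@{ Id = 8004; TimeCreated = $t.AddHours(-1) }
    )
} else {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = [int[]]@($Meaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

$summary = @(Get-GPProcessingSummary -Events $events)
$summary

# Flag the situation discussed in the thread: refreshes succeed over the VPN,
# but the machine never completes computer policy processing at boot.
$boot = $summary | Where-Object { $_.EventId -eq 8000 }
if ($boot.Count -eq 0) {
    Write-Warning "No successful computer foreground processing in the last $Days days; boot-only settings have not applied."
}
```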
| derekodiorne
Posts:15
 | | 02/03/2011 6:04 PM |
| What effect does running a gpupdate /force have on computer policy if they are only connecting VPN after logon? Do the policies actually get applied after reboot then?
----------------------------
Thanks,
Derek Odiorne
| | | |
| klas9574
Posts:24
 | | 02/03/2011 6:08 PM |
| What I posted are just examples. There's a lot out there, so search for something that will work best for you. I use a modified version of one written by Michael B. Smith.
Scott Klassen
| | | |
|
|