[gptalk] Re: GPO applicability when not connected to a network/domain

  • From: "mike kline" <mkline@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 13 Feb 2008 12:16:14 -0500

Shane,

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/gp/341.mspx?mfr=true

That is where the option is that Darren was talking about.

Thanks
Mike

On Feb 13, 2008 11:58 AM, Shane Williford <shane.williford@xxxxxxxxxx>
wrote:

>  There is no checkbox anywhere that I can see under -> Users -> Windows ->
> IE Maintenance. I have 'Browser User Interface', 'Connection', 'URL',
> 'Security', & 'Program' settings…none of which has that option in it.
>
>
>  ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Darren Mar-Elia
> *Sent:* Wednesday, February 13, 2008 10:49 AM
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> Under that policy, within IE Maintenance Processing, there is a check box
> to say, process even if the GPOs have not changed.
>
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Wednesday, February 13, 2008 8:47 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> How do I set my IE Maintenance GP to force a refresh? I do have a setting
> in one of my group policies at the domain level (Computer Config -> Admin
> Templates -> System -> Group Policy) to refresh every 15 minutes; is that
> what you're referring to? (I assume not)…
>
>
>  ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Darren Mar-Elia
> *Sent:* Wednesday, February 13, 2008 10:34 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
>
>
>
>
> *From:* tools@xxxxxxxxxx [mailto:tools@xxxxxxxxxx]
> *Sent:* Wednesday, February 13, 2008 8:30 AM
> *To:* 'gptalk@xxxxxxxxxxxxx'
> *Subject:* RE: [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> You're correct—policies don't refresh unless there is a change, or unless
> you modify this default behavior by forcing a refresh on every processing
> cycle. I know some people that do this for IE Maintenance policy as a matter
> of course because it's so flaky. So, yes, if your users wanted, they could
> undo their proxy while at work with that reg file. Though presumably they
> would not be able to get internet access if they did that?
>
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Wednesday, February 13, 2008 8:20 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> Darren,
>
> In regards to the issue I have below, let me ask this – I have created a
> .reg file for my laptop users to run that will disable proxy settings while
> not on the network (e.g. for when they're at home). The danger in doing
> this of course is the fact they may run it while at work, thus disabling the
> GPO proxy settings I have. My question is this: if from what I've read on
> your site and seen in numerous dialogs is correct, GPs don't 'refresh'
> (i.e. reapply) every so often, UNLESS they change…is that correct? So, if my
> laptop users were to do something ignorant like run this reg file I created
> while at work, their IE Proxy settings would remain disabled until they
> rebooted? (or does a simple log-off refresh policies?)
>
>
> Thanks.
>
> Shane
>
>
>  ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Darren Mar-Elia
> *Sent:* Tuesday, February 12, 2008 6:22 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> Right. GP settings do stick. They are not unapplied when the machine is
> not on the domain, by design. So there is no way, using GP, to have them
> un-apply when the machine is not in contact with a DC.
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Tuesday, February 12, 2008 4:18 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
>
>
> Darren,
>
> Thank you for the quick reply. OK, so let me see if I got this straight -
> you're saying that GP does NOT apply if a computer (in this case, a laptop)
> is not connected to a domain (and thus authenticating to a DC)? For me,
> that's exactly what I want. But, what I gather is that the GP settings
> that applied while connected to the domain "stick"? (I think I read that
> somewhere in your FAQs...those are awesome, btw)
>
>
>
> Yeah, I didn't want to have to script something, if possible. Our last
> proxy setup was done that way and I wanted to 'clean up' our log-in script,
> so I removed the proxy settings. I may have to go back to that, which isn't
> a horrible thing, but certainly not how I prefer as I'm not a scripting guru
> by any means.
>
>
>
> Shane
>
>
>
>  -----Original Message-----
> *From:* gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
> *Sent:* Tue 2/12/2008 5:41 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Cc:*
> *Subject:* [gptalk] Re: GPO applicability when not connected to a
> network/domain
>
> Shane-
>
> Thanks for joining the list. Unfortunately, I don't have good news for
> you. Policy is not applied if a computer is not in contact with a DC. So,
> there is no way (other than Windows Firewall profiles) to have conditional
> policies in effect based on being on or off the network. Even mucking with
> the local GPO won't work for domain joined PCs because if those PCs are not
> in contact with a DC, they simply ignore any changes you try to make to the
> local GPO (to preserve domain precedence).
>
>
>
> Sorry about that. One thing you can probably do is write a script that
> enables and disables the proxy and put a shortcut to it on their desktop,
> with instructions to use it when they are at home. I've done that sort of
> thing in the past and, while not elegant, it works.
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Shane Williford
> *Sent:* Tuesday, February 12, 2008 1:45 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] GPO applicability when not connected to a
> network/domain
>
>
>
> "GPO Guy",
>
> Thank you for the great website!...VERY informative!
>
>
>
> I was wondering if you could lead me to the Microsoft documentation (and
> if you could answer) explaining if GPOs get applied to computers (laptops)
> not connected to a domain/network. I have set some IE settings for our
> organization, and have a group that use laptops and work remotely (from
> home) at times. I want them to be able to not have the proxy configurations
> while not connected to the network. Is there a way to configure GP to not
> apply when not connected to the network (other than creating a local policy
> setting for IE)?
>
>
> Thanks for all your help!
>
>
>
> Shane M. Williford
>
> Systems Administrator
>
> MCSE, MCSA Sec, Sec+, Net+, A+
>
> Mazuma Credit Union
>
> shane.williford@xxxxxxxxxx
>
> 816-361-4194 x6012
>
>
>
>
>
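
An added example, not part of the original thread: a PowerShell audit of the two things discussed above, namely whether the "process even if the GPOs have not changed" option is in effect for IE Maintenance, and whether the current user's proxy setting has drifted from what policy intended. The registry locations and the CSE GUID come from general Windows knowledge rather than from the thread, and the expected `ProxyEnable` value of 1 is an assumption about Shane's policy.

```powershell
# Added example (not from the thread). Read-only audit; changes nothing.
# Assumption: the IE Maintenance client-side extension is identified by this GUID,
# and its processing options are stored under the Group Policy policies key.
$IeMaintCse = '{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$IeMaintCse"
$InetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-ProxyPolicyState {
    param(
        # Assumption: the domain GPO turns the proxy on (ProxyEnable = 1).
        [int]$ExpectedProxyEnable = 1
    )
    # NoGPOListChanges = 0 means "process even if the GPOs have not changed".
    # A missing value means the default applies: skip unchanged GPOs.
    $noChanges   = Get-RegValue -Path $PolicyKey -Name 'NoGPOListChanges'
    $proxyEnable = Get-RegValue -Path $InetKey   -Name 'ProxyEnable'

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        User                   = $env:USERNAME
        ReprocessWhenUnchanged = ($noChanges -eq 0)
        ProxyEnable            = $proxyEnable
        ProxyServer            = Get-RegValue -Path $InetKey -Name 'ProxyServer'
        ProxyDrift             = ($proxyEnable -ne $ExpectedProxyEnable)
    }
}

$state = Test-ProxyPolicyState
$state | Format-List

if ($state.ProxyDrift -and -not $state.ReprocessWhenUnchanged) {
    # The situation described in the thread: a local change (for example the
    # .reg file) stays in place because unchanged GPOs are not reprocessed.
    Write-Warning 'Proxy differs from policy and IE Maintenance is not reprocessed on refresh.'
}
```

Run it in the affected user's session, since the proxy values live in that user's HKCU hive.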
