[gptalk] Re: GPO applicability when not connected to a network/domain

  • From: "Shane Williford" <shane.williford@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 13 Feb 2008 13:22:37 -0600

Well, I don't change my policies too often. We obviously use group
policy for many desktop control settings, etc...just what I call normal
stuff. I guess when I'm testing, I can just use the gpupdate /force
command & switch for instant application. Does the issue you're warning
against deal with congesting the network?

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 13, 2008 1:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

Yes, but be very sure you really want a 15 minute refresh for all
policy. This seems pretty frequent, depending upon how much you are
using GP and how often things are changing.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 9:09 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

And, will this refresh according to what I have set (15minutes) in:
Computer Config -> Admin Templates -> System -> Group Policy?

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 13, 2008 11:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

No, it's under Computer Config -> Admin Templates -> System -> Group
Policy -> IE Maintenance Processing

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 8:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

There is no checkbox anywhere that I can see under -> Users -> Windows
-> IE Maintenance. I have 'Browser User Interface', 'Connection', 'URL',
'Security', & 'Program' settings...none of which has that option in it.
:-(

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 13, 2008 10:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

Under that policy, within IE Maintenance Processing, there is a check
box to say, process even if the GPOs have not changed. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 8:47 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

How do I set my IE Maintenance GP to force a refresh? I do have a
setting in one of my group policies at the domain level (Computer Config
-> Admin Templates -> System -> Group Policy) to refresh every 15
minutes; is that what you're referring to? (I assume not)...

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 13, 2008 10:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

 

 

From: tools@xxxxxxxxxx [mailto:tools@xxxxxxxxxx] 
Sent: Wednesday, February 13, 2008 8:30 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

You're correct: policies don't refresh unless there is a change, or
unless you modify this default behavior by forcing a refresh on every
processing cycle. I know some people that do this for IE Maintenance
policy as a matter of course because it's so flaky. So, yes, if your
users wanted, they could undo their proxy while at work with that reg
file. Though presumably they would not be able to get internet access if
they did that?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 8:20 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

Darren,

In regards to the issue I have below, let me ask this - I have created a
.reg file for my laptop users to run that will disable proxy settings
while not on the network (e.g. for when they're at home). The danger in
doing this of course is the fact they may run it while at work, thus
disabling the GPO proxy settings I have. My question is this: if
what I've read on your site and seen in numerous dialogs is correct, GPs
don't 'refresh' (i.e. reapply) every so often, UNLESS they change...is
that correct? So, if my laptop users were to do something ignorant like
run this reg file I created while at work, their IE Proxy settings would
remain disabled until they rebooted? (or does a simple log-off refresh
policies?)


Thanks.

Shane

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 12, 2008 6:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

Right. GP settings do stick. They are not unapplied when the machine is
not on the domain, by design. So there is no way, using GP, to have them
un-apply when the machine is not in contact with a DC.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Shane Williford
Sent: Tuesday, February 12, 2008 4:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

 

Darren,

Thank you for the quick reply. OK, so let me see if I got this straight
- you're saying that GP does NOT apply if a computer (in this case, a
laptop) is not connected to a domain (and thus authenticating to a DC)?
For me, that is exactly what I want. But, what I gather is that the GP
settings that applied while connected to the domain "stick"? (I think I
read that somewhere in your FAQs...those are awesome, btw)

 

Yeah, I didn't want to have to script something, if possible. Our last
proxy setup was done that way and I wanted to 'clean up' our log-in
script, so I removed the proxy settings. I may have to go back to that,
which isn't a horrible thing, but certainly not how I prefer as I'm not
a scripting guru by any means.

 

Shane

 

        -----Original Message----- 
        From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia 
        Sent: Tue 2/12/2008 5:41 PM 
        To: gptalk@xxxxxxxxxxxxx 
        Cc: 
        Subject: [gptalk] Re: GPO applicability when not connected to a
network/domain

        Shane-

        Thanks for joining the list. Unfortunately, I don't have good
news for you. Policy is not applied if a computer is not in contact with
a DC. So, there is no way (other than Windows Firewall profiles) to have
conditional policies in effect based on being on or off the network.
Even mucking with the local GPO won't work for domain joined PCs because
if those PCs are not in contact with a DC, they simply ignore any
changes you try to make to the local GPO (to preserve domain
precedence).

         

        Sorry about that. One thing you can probably do is write a
script that enables and disables the proxy and put a shortcut to it on
their desktop, with instructions to use it when they are at home. I've
done that sort of thing in the past and, while not elegant, it works.

        
        Darren

         

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Williford
        Sent: Tuesday, February 12, 2008 1:45 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] GPO applicability when not connected to a
network/domain

         

        "GPO Guy",

        Thank you for the great website!...VERY informative!

         

        I was wondering if you could lead me to the Microsoft
documentation (and if you could answer) explaining if GPOs get applied
to computers (laptops) not connected to a domain/network. I have set
some IE settings for our organization, and have a group that use laptops
and work remotely (from home) at times. I want them to be able to not
have the proxy configurations while not connected to the network. Is
there a way to configure GP to not apply when not connected to the
network (other than creating a local policy setting for IE)?

        
        Thanks for all your help!

         

        Shane M. Williford

        Systems Administrator

        MCSE, MCSA Sec, Sec+, Net+, A+

        Mazuma Credit Union

        shane.williford@xxxxxxxxxx

        816-361-4194 x6012

         

        Notice: The information transmitted in this e-mail may contain
confidential and/or legally privileged information intended only for the
use of the individual(s) named above. Review, use, disclosure,
distribution, or forwarding of this information by persons or entities
other than the intended recipient(s) is prohibited by law and may
subject them to criminal or civil liabilities. Statements and opinion
expressed in this e-mail may not represent those of Mazuma Credit Union.
All e-mail communications through Mazuma's corporate email system are
subject to archiving and review by someone other than the recipient. If
you have received this communication in error, please notify the sender
immediately and delete/destroy any and all copies of the original
message from any computer or network system. 
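
The enable/disable script suggested in the thread, written so that it only switches the proxy off when no domain controller answers; run at work, it leaves the proxy on (or turns it back on). This is an added example, not code from the thread: the per-user `ProxyEnable` value under the HKCU Internet Settings key and the function names `Test-DomainControllerReachable` and `Sync-ProxyState` are assumptions of the example.

```powershell
# Added example (not from the thread). Assumes the proxy is controlled by the
# per-user ProxyEnable value that IE reads from HKCU; ProxyServer is left alone
# so re-enabling restores the address the GPO delivered.
Add-Type -AssemblyName System.DirectoryServices

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-DomainControllerReachable {
    # Both calls throw when the machine is not domain joined or no DC answers,
    # which is the "off the network" case discussed in the thread.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $null = $domain.FindDomainController()
        return $true
    }
    catch {
        return $false
    }
}

function Sync-ProxyState {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $onNetwork = Test-DomainControllerReachable
    $desired   = if ($onNetwork) { 1 } else { 0 }   # proxy on at work, off elsewhere
    $current   = (Get-ItemProperty -Path $InternetSettings -Name ProxyEnable `
                    -ErrorAction SilentlyContinue).ProxyEnable
    $changed   = $false

    if ($current -ne $desired -and
        $PSCmdlet.ShouldProcess($InternetSettings, "Set ProxyEnable=$desired")) {
        Set-ItemProperty -Path $InternetSettings -Name ProxyEnable -Value $desired -Type DWord
        $changed = $true
    }

    # Return the decision so a logon script can log it.
    [pscustomobject]@{
        DomainControllerReachable = $onNetwork
        PreviousProxyEnable       = $current
        DesiredProxyEnable        = $desired
        Changed                   = $changed
    }
}

Sync-ProxyState
```

`Sync-ProxyState -WhatIf` reports the decision without writing to the registry. A laptop connected over VPN will reach a DC and keep the proxy enabled.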