[gptalk] Re: GPO applicability when not connected to a network/domain

  • From: hans straat <hstraat@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 13 Feb 2008 16:49:11 +0000

that is how you refresh the policy :)


Subject: [gptalk] Re: GPO applicability when not connected to a network/domain
Date: Wed, 13 Feb 2008 10:47:16 -0600
From: shane.williford@xxxxxxxxxxxx: gptalk@xxxxxxxxxxxxx






How do I set my IE Maintenance GP to force a refresh? I do have a setting in 
one of my group policies at the domain level (Computer Config -> Admin 
Templates -> System -> Group Policy) to refresh every 15 minutes; is that what 
you’re referring to? (I assume not)…
 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 13, 2008 10:34 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: GPO applicability when not connected to a network/domain
 
 
 


From: tools@xxxxxxxxxx [mailto:tools@xxxxxxxxxx]
Sent: Wednesday, February 13, 2008 8:30 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: RE: [gptalk] Re: GPO applicability when not connected to a network/domain
 
You’re correct—policies don’t refresh unless there is a change, or unless you 
modify this default behavior by forcing a refresh on every processing cycle. I 
know some people that do this for IE Maintenance policy as a matter of course 
because it's so flaky. So, yes, if your users wanted, they could undo their 
proxy while at work with that reg file. Though presumably they would not be 
able to get internet access if they did that?
 
Darren
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Williford
Sent: Wednesday, February 13, 2008 8:20 AM
To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: GPO applicability when not connected to a network/domain
 
Darren,
In regards to the issue I have below, let me ask this – I have created a .reg 
file for my laptop users to run that will disable proxy settings while not on 
the network (e.g. for when they’re at home). The danger in doing this of course 
is the fact they may run it while at work, thus disabling the GPO proxy 
settings I have. My question is this: if from what I’ve read on your site and 
seen in numerous dialogs is correct, GPs don’t ‘refresh’ (i.e. reapply) every so 
often, UNLESS they change…is that correct? So, if my laptop users were to do 
something ignorant like run this reg file I created while at work, their IE 
Proxy settings would remain disabled until they rebooted? (or does a simple 
log-off refresh policies?)
Thanks.
Shane
 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 12, 2008 6:22 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: GPO applicability when not connected to a network/domain
 
Right. GP settings do stick. They are not unapplied when the machine is not on 
the domain, by design. So there is no way, using GP, to have them un-apply when 
the machine is not in contact with a DC.
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Williford
Sent: Tuesday, February 12, 2008 4:18 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: GPO applicability when not connected to a network/domain
 

Darren,

Thank you for the quick reply. OK, so let me see if I got this straight - 
you're saying that GP does NOT apply if a computer (in this case, a laptop) is 
not connected to a domain (and thus authenticating to a DC)? For me, that is 
exactly what I want. But, what I gather is that the GP settings that applied 
while connected to the domain "stick"? (I think I read that somewhere in your 
FAQs...those are awesome, btw)

 

Yeah, I didn't want to have to script something, if possible. Our last proxy 
setup was done that way and I wanted to 'clean up' our log-in script, so I 
removed the proxy settings. I may have to go back to that, which isn't a 
horrible thing, but certainly not how I prefer as I'm not a scripting guru by 
any means.

 

Shane

 


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Tue 2/12/2008 5:41 PM
To: gptalk@xxxxxxxxxxxxx
Cc:
Subject: [gptalk] Re: GPO applicability when not connected to a network/domain
Shane-
Thanks for joining the list. Unfortunately, I don’t have good news for you. 
Policy is not applied if a computer is not in contact with a DC. So, there is 
no way (other than Windows Firewall profiles) to have conditional policies in 
effect based on being on or off the network. Even mucking with the local GPO 
won’t work for domain joined PCs because if those PCs are not in contact with a 
DC, they simply ignore any changes you try to make to the local GPO (to 
preserve domain precedence).
 
Sorry about that. One thing you can probably do is write a script that enables 
and disables the proxy and put a shortcut to it on their desktop, with 
instructions to use it when they are at home. I’ve done that sort of thing in 
the past and, while not elegant, it works.
Darren
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Shane Williford
Sent: Tuesday, February 12, 2008 1:45 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] GPO applicability when not connected to a network/domain
 
“GPO Guy”,
Thank you for the great website!...VERY informative!
 
I was wondering if you could lead me to the Microsoft documentation (and if you 
could answer) explaining if GPOs get applied to computers (laptops) not 
connected to a domain/network. I have set some IE settings for our 
organization, and have a group that use laptops and work remotely (from home) 
at times. I want them to be able to not have the proxy configurations while not 
connected to the network. Is there a way to configure GP to not apply when not 
connected to the network (other than creating a local policy setting for IE)?
Thanks for all your help!
 
Shane M. Williford
Systems Administrator
MCSE, MCSA Sec, Sec+, Net+, A+
Mazuma Credit Union
shane.williford@xxxxxxxxxx
816-361-4194 x6012
 

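
Added example (not part of the original thread and not code from any of the posters): a PowerShell check for the situation discussed above, where a user's .reg file overrides the proxy and IE Maintenance policy is not reprocessed until the GPO changes. The proxy address is a constructed placeholder; NoGPOListChanges under the IE Maintenance extension's policy key is the value written by the "Process even if the Group Policy objects have not changed" option.

```powershell
# Added example: run in the logged-on user's session on a domain-joined laptop.
# $ExpectedProxy is a constructed placeholder, not a value from the thread.
$ExpectedProxy = 'proxy.example.internal:8080'

# Per-user proxy values; these are what a user-run .reg file can overwrite.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Policy key for the IE Maintenance client-side extension.
# NoGPOListChanges = 0 means the extension reprocesses on every refresh cycle,
# even when the GPO itself has not changed.
$cseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-ProxyDrift {
    param([string]$Expected)
    $enabled = Get-RegValue -Path $inetKey -Name 'ProxyEnable'
    $server  = Get-RegValue -Path $inetKey -Name 'ProxyServer'
    $noChg   = Get-RegValue -Path $cseKey  -Name 'NoGPOListChanges'

    [pscustomobject]@{
        ProxyEnable      = $enabled
        ProxyServer      = $server
        # Drift: proxy switched off, or pointing somewhere other than policy says.
        Drifted          = ($enabled -ne 1) -or ($server -ne $Expected)
        # True only when the setting is explicitly configured to reprocess each cycle.
        ReappliedOnCycle = ($noChg -eq 0)
    }
}

$result = Test-ProxyDrift -Expected $ExpectedProxy
$result | Format-List

if ($result.Drifted -and -not $result.ReappliedOnCycle) {
    Write-Warning 'Proxy differs from policy, and IE Maintenance only reprocesses when the GPO changes.'
}
```

A missing NoGPOListChanges value is reported as ReappliedOnCycle = False, which matches the default behavior described in the thread.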
