[gptalk] Re: Remote Policy

  • From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 19 Sep 2007 15:32:08 -0500

Once again, Darren is right (don't doubt the expert...lol). Here is a
good explanation on GP processing with cached credentials:

http://technet2.microsoft.com/windowsserver/en/library/0bead5a1-afba-4c58-984b-11881be5348e1033.mspx?mfr=true

In this case Doug, I would just let background refresh do its thing.
Just keep in mind that certain CSEs only process at Startup/Logon, so
they would not be available in this scenario.

If you need policy to update right away, you might look at a post-VPN
logon script possibly executing the gpupdate command or setting a
scheduled task like Darren suggested.

Regards,
Jamie
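
The post-VPN refresh described above, as an added PowerShell example that is not from the thread: it waits until a domain controller is reachable through the tunnel, then runs a computer-scope gpupdate and logs the result. It assumes it runs elevated (e.g. as a scheduled task under SYSTEM); the log path and timeout values are arbitrary choices.

```powershell
# Added example: post-VPN computer-policy refresh for a cached-credential logon.
# Must run elevated (e.g. from a scheduled task as SYSTEM); computer-scope
# gpupdate needs it. Log path and timeouts are arbitrary, not from the thread.
param(
    [int]$TimeoutSeconds = 300,   # how long to wait for a DC after the tunnel is up
    [string]$LogPath = "$env:ProgramData\PostVpnGpRefresh.log"
)

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Background GP processing only succeeds when the machine can reach and
# authenticate to a DC, so poll the secure channel before calling gpupdate.
function Wait-ForDomainController([int]$Timeout) {
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        try {
            if (Test-ComputerSecureChannel -ErrorAction Stop) { return $true }
        } catch {
            # No DC reachable yet (tunnel still negotiating, DNS not ready, ...)
        }
        Start-Sleep -Seconds 10
    }
    return $false
}

Write-Log "Post-VPN refresh started."
if (-not (Wait-ForDomainController -Timeout $TimeoutSeconds)) {
    Write-Log "No domain controller reachable after $TimeoutSeconds s; leaving it to background refresh."
    exit 1
}

# /target:computer limits this to machine policy (firewall settings live there);
# /force reapplies even unchanged GPOs; /wait caps how long gpupdate blocks.
& gpupdate.exe /target:computer /force /wait:120 | Out-Null
$rc = $LASTEXITCODE
Write-Log "gpupdate /target:computer exited with code $rc."

# Caveat from the thread: only CSEs that run during background refresh apply
# here. Software Installation and Folder Redirection still need a foreground
# startup/logon, and slow-link detection may skip them over a VPN.
exit $rc
```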


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 19, 2007 7:15 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

Only if the VPN connection is up when the background refresh cycle kicks
off. All GP cares about is that it can connect and authenticate to a DC
and if so, then life is good and background processing will succeed. Of
course, you need to be able to pass ICMP over that VPN connection or
disable slow link detection, but otherwise, it should work.

Darren

-----Original message-----
From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
Date: Wed, 19 Sep 2007 16:09:55 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Remote Policy

> Darren,
> 
> Please correct me if I'm wrong, but if logging on with a cached
> credential, will new/changed computer policies still get applied
> correctly during background refresh? I didn't think that was the case,
> but I've been wrong before... :)
> 
> Regards,
> Jamie
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, September 19, 2007 7:02 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> The other point here, that I missed, is that computers will get
> firewall policy updates in the background during those refresh
> intervals. If you need that to be more reliable (i.e. refreshes to
> happen at a certain time) you could already distribute gpupdate
> scheduled tasks to all those systems or use a tool like my rgprefresh
> or SpecOps GPUpdate
> 
> Darren
> 
> 
> -----Original message-----
> From: "Delaney, Doug" doug.delaney@xxxxxxx
> Date: Wed, 19 Sep 2007 15:58:13 -0400
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Remote Policy
> 
> > Darren,
> > 
> > Understood, thank you. 
> > 
> > 
> > Doug Delaney
> > EDS - Integration Engineering-GM
> > GM Desktop Engineering
> > 1075 W. Entrance Dr., MS 2B, Cube 2130
> > Auburn Hills, MI 48326
> > Lab: 248-365-9187
> > Tel: 248-754-7917
> > Pg: 248-870-0306 pager
> > Mail: Doug.Delaney@xxxxxxx 
> > Note: The information in this email is intended solely for the
> > addressee. Access to this email by anyone else is unauthorized. If you
> > are not the intended recipient, any disclosure, copying, distribution
> > or any action taken or omitted to be taken in reliance on it is
> > prohibited.
> > 
> > 
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Darren Mar-Elia
> > Sent: Wednesday, September 19, 2007 7:51 PM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> > 
> > Doug, et al-
> > I will add that the other solution here is a commercial one. My
> > company, SDM Software, has something called the GPExpert Scripting
> > Toolkit for PowerShell (www.sdmsoftware.com/products2.php).
> > Essentially what it is is a scripting interface into GP Settings, and
> > it can affect both domain and local GPOs and can be run remotely or on
> > the local box.
> > 
> > That being said, you can distribute reg. files but keep in mind that,
> > for reasons I won't go into now, if you don't use GP admin. template
> > policy to actually distribute the changes, then GP doesn't know that
> > they are there, and they would essentially be tattooing the registry,
> > even though they are on policy keys. This has to do with the way GP
> > handles the removal of policies in the first place.
> > 
> > Darren
> > 
> > 
> > -----Original message-----
> > From: "Nelson, Jamie R Contr 72 CS/SCBAF" Jamie.Nelson.ctr@xxxxxxxxxxxxx
> > Date: Wed, 19 Sep 2007 15:40:35 -0400
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Remote Policy
> > 
> > > FYI. You can technically do this for any admin template configurable
> > > settings, as they are just registry entries. However, involving the
> > > end user in this process kind of defeats the entire purpose of Group
> > > Policy. Some other means of distributing (SMS, PsExec) would make
> > > much more sense.
> > > 
> > > Regards,
> > > Jamie Nelson
> > > 
> > > 
> > > -----Original Message-----
> > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
> > > Sent: Wednesday, September 19, 2007 2:31 PM
> > > To: gptalk@xxxxxxxxxxxxx
> > > Subject: [gptalk] Re: Remote Policy
> > > 
> > > In that case there is not much you can do via Group Policy itself.
> > > If the firewall settings are the only thing you "really" need, just
> > > export the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry
> > > key from a LAN workstation that is receiving the policy and
> > > distribute it via other means (e-mail, file share) to your remote
> > > users in the form of a .reg file. This would only work, though, if
> > > they have the local admin rights required to change that area of the
> > > registry.
> > > 
> > > It's not really the proper way to do things, but it should work.
> > > 
> > > Regards,
> > > Jamie
> > > 
> > > 
> > > -----Original Message-----
> > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Delaney, Doug
> > > Sent: Wednesday, September 19, 2007 2:19 PM
> > > To: gptalk@xxxxxxxxxxxxx
> > > Subject: [gptalk] Re: Remote Policy
> > > 
> > > Understood, but General Motors will not allow replacement of the
> > > msgina. Therefore, the VPN solution cannot change that approach.
> > >  
> > > 
> > > Doug Delaney
> > > EDS - Integration Engineering-GM
> > > GM Desktop Engineering
> > > 1075 W. Entrance Dr., MS 2B, Cube 2130 Auburn Hills, MI 48326
> > > Lab: 248-365-9187
> > > Tel: 248-754-7917
> > > Pg: 248-870-0306 pager
> > > Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>
> > > 
> > >  
> > > 
> > > 
> > > ________________________________
> > > 
> > >   From: gptalk-bounce@xxxxxxxxxxxxx
> > > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Odiorne, Derek
> > >   Sent: Wednesday, September 19, 2007 3:13 PM
> > >   To: gptalk@xxxxxxxxxxxxx
> > >   Subject: [gptalk] Re: Remote Policy
> > >   
> > >   
> > > 
> > >   Cisco, for example, has an option to start the VPN before logon.
> > > By doing it this way the users will run Group Policy Objects when
> > > logging on.
> > > 
> > >    
> > > 
> > >   ----------------------------
> > > 
> > >   Derek A. Odiorne
> > > 
> > >   574-245-1487
> > >   -----------------------------
> > >   Need help now?
> > >   http://intranet/techserv/technologyserv.htm
> > > 
> > >   
> > > ________________________________
> > > 
> > > 
> > >   From: gptalk-bounce@xxxxxxxxxxxxx
> > > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Delaney, Doug
> > >   Sent: Wednesday, September 19, 2007 3:07 PM
> > >   To: gptalk@xxxxxxxxxxxxx
> > >   Subject: [gptalk] Remote Policy
> > > 
> > >    
> > > 
> > >   Hi all,
> > > 
> > >   Is anyone aware of any free tools available for the remote 
> > > distribution of a GPO policy?
> > > 
> > >   Here is our situation.  We have a couple thousand users who
> > > connect via VPN only.  They connect after boot-up and cached
> > > credential logon to windows.  Therefore, policies never apply during
> > > startup or logon. We have a need to administer the XP firewall
> > > (among other things), and are having a very difficult time finding a
> > > solution.  Many of these users are 8 hours away from a building
> > > where they can connect via a local LAN to get policies.
> > > 
> > >   Any guidance is greatly appreciated. 
> > > 
> > >   Doug Delaney
> > >   EDS - Integration Engineering-GM
> > >   GM Desktop Engineering
> > >   1075 W. Entrance Dr., MS 2B, Cube 2130
> > >   Auburn Hills, MI 48326
> > >   Lab: 248-365-9187
> > >   Tel: 248-754-7917
> > >   Pg: 248-870-0306 pager
> > >   Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  
> > > 
> > >    
> > > 
> > > ***********************
> > > You can unsubscribe from gptalk by sending email to
> > > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> > > OR by logging into the freelists.org Web interface. Archives for the
> > > list are available at http://www.freelists.org/archives/gptalk/
> > > ************************