[gptalk] Re: Authentication

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 22 Sep 2006 10:23:59 -0700

I think that in order for the group to really help you out- as I have
already read a few suggestions- we need to 1st understand what is causing
the extended logon delay. It could be GPO but it also could be a different

When the user hits the remote site and logs in- how long does it take- and
if you drop to the command prompt afterwards- type Set <enter> and see what
the value is for the logon server. Also do an IPconfig /all and get the IP
address given from the local DHCP server and check to see that this subnet
exists in AD sites and services and that it is associated with the correct

If everything looks good I would be interested in knowing if the slow logon
is for the user hitting the new site and only the 1st logon is slow and
after that all logons are much faster....

Also, someone mentioned DFS- DFS is a great solution for data that is read
only or data that will only be accessed by a single person. (in other words
the my docs folder redirection would be a great candidate.)

Windows Server 2003 R1 has some really cool features for DFS- I forgot the
exact terms but the features I really like are as follows: You can configure
a DFS share to only be accessed from the local site. This means that while
you can create a DFS share and replicate between sites- the user will always
and only connect to the DFS replica in their local site. This removes the
problem of a user crossing the WAN to get to their MY docs. Once you have
that configured you can configure the folder redirection path to use the
domain name path. I.e --> folder redirection to
\\domain.com\dfssharename\Mydocs\%username%. I would recommend that you
create a separate folder redirection policy and filter it based on a group
called mobileUsers- and only place the users who use multiple offices in
that group- which points to a separate myDocs DFS share- so this way you
don't have to replicate every user's myDocs if they never leave the home
office. Does that make sense?

You can also- but I really don't recommend it- move the GPO for folder
redirection and logon script to the original AD site the users are from-
this way only when they are in the local site the policy will be applied- but
putting a GPO at the site means that you create good filters or every user
and computer in that site will need to process the GPO in one form or


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Attardo, Joe
Sent: Friday, September 22, 2006 2:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Authentication

Good Morning, 

We have many people who travel to other offices as part of their jobs and
the logon experience when they get there is painfully slow. Is there a way
to set a policy so if a user authenticates to a domain controller away from
their "home office" that they will not receive any policies such as a logon
script or folder redirection.  Any suggestions would be appreciated. 
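
The check suggested in the reply above (compare the client's DHCP-assigned address and its logon server against the subnets defined in AD Sites and Services), as an added example that is not part of the original thread. A client is placed in the site of the most specific subnet containing its address; the subnets, site names and DC names below are constructed sample data.

```python
import ipaddress

# Constructed sample data: subnet objects as they might be defined in
# AD Sites and Services, each associated with a (hypothetical) site.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "BranchEast",
    "10.20.30.0/24": "BranchEast-Lab",
    "192.168.50.0/24": "BranchWest",
}

# Constructed sample data: the site each domain controller belongs to.
DC_TO_SITE = {"HQ-DC01": "HQ", "EAST-DC01": "BranchEast", "WEST-DC01": "BranchWest"}


def site_for_ip(ip, subnets=SUBNET_TO_SITE):
    """Return (site, subnet) for the most specific subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            # Longest prefix wins when subnets overlap.
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (site, net)
    return (best[0], str(best[1])) if best else (None, None)


def diagnose(client_ip, logonserver):
    """Classify a logon from the output of `ipconfig /all` and `set`."""
    site, _ = site_for_ip(client_ip)
    if site is None:
        return "NO_SUBNET"      # address not covered by any defined subnet
    # LOGONSERVER is reported as \\NAME; normalise before the lookup.
    dc_site = DC_TO_SITE.get(logonserver.lstrip("\\").upper())
    if dc_site is None:
        return "UNKNOWN_DC"
    # A DC from another site means the logon crossed the WAN.
    return "OK" if dc_site == site else "REMOTE_DC"


if __name__ == "__main__":
    for ip, dc in [("10.20.99.1", r"\\HQ-DC01"), ("192.168.50.12", r"\\west-dc01"),
                   ("172.16.1.1", r"\\HQ-DC01")]:
        print(ip, dc, site_for_ip(ip), diagnose(ip, dc))
```
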



