Group Policy Update over VPN?
Chris White
2008-02-18 18:42:00 UTC
Hi All,

Still trying to solve a problem.

50% of my workstations are remote Engineers who connect to the network via
VPN most of the time. Some never come into the office and connect locally
since they live and work far from our HQ.

How can I ensure they get to update the Group Policies? At the moment all I
can ask is that they run gpupdate manually but that's a bit pathetic from a
company that's growing as fast as we are right now.

I have two new great big books to help me with GP, but need help on this
question.

How can I effectively update my remote access workstations? All the engineers
have an ADSL connection and update work files and images regularly over the
internet as well as download their mail via Outlook cached mode.

Reference: I have SBS2003 Release 1 as the PDC in my network.
--
Chris White
United Kingdom
Adam
2008-02-18 23:21:07 UTC
Post by Chris White
Hi All,
Still trying to solve a problem.
50% of my workstations are remote Engineers who connect to the network via
VPN most of the time. Some never come into the office and connect locally
since they live and work far from our HQ.
How can I ensure they get to update the Group Policies? At the moment all I
can ask is that they run gpupdate manually but that's a bit pathetic from a
company that's growing as fast as we are right now.
Schedule a task via a GPO? :-)

I believe you need to select "Logon with Dial-Up Networking" to get GPOs
applied to VPN users.
Florian Frommherz [MVP]
2008-02-19 05:17:23 UTC
Howdie!
Post by Chris White
How can I ensure they get to update the Group Policies? At the moment all I
can ask is that they run gpupdate manually but that's a bit pathetic from a
company that's growing as fast as we are right now.
When they're connected via VPN and they can use DNS and AD works healthily for
them, they should pick up Group Policy on a regular basis. Depending on how
they're logging in to your network, they get only background refreshes
or both fore- and background refreshes (Network-Dial-In option set).

What exactly are you experiencing? From your post it seems like your
outside-workers wouldn't get any Group Policy applied. Is there a
current issue with your people out there or is it just that you wanted
to get advice on how to do this the best way?

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Chris White
2008-02-19 12:25:03 UTC
Thanks for the replies both!

I am already experiencing problems with this, and this is what made me
curious about how to achieve this properly.

I typically find out when a user comes back into the office, that I open up
the laptop and realise that some functions I blocked are still active on this
laptop. I then do a manual GP update when they are in the office to ensure
that they get the latest GPs.

The way the users connect typically is that they are already logged into
their laptops.

They open them up at home, dial the VPN connection from Network Connections
then drop their files onto their network shares for sorting and send/receive
any e-mails using Outlook 2003 (Cached Mode).

Not sure how they should connect for best effect, but VPN clients can use
our servers without any problems and do such things as browse the DFS shares
we have, ping a computer in the office, or print into the office etc. So to
me that says everything is forwarding to the SBS2003 server over VPN without
any problems.
--
Chris White
United Kingdom
Darren Mar-Elia
2008-02-19 16:39:12 UTC
Chris-
Right, as Florian implied, your users should be getting background refreshes
of policy settings whenever they connect to the VPN (unless your VPN blocks
ICMP--true in some cases I've seen. In that case, then GP processing will
fail unless you disable slow link detection). However, they will never get
foreground policy. This is the policy that gets applied when a machine is
rebooted or a user logs on. Some policy areas, like Folder Redirection,
scripts and Software Installation, only run during a foreground event. So,
what's not clear to me is the type of settings your users are not getting.
If it's Admin. Template settings, then they should get those in the
background when they dial into the VPN, assuming they are on long enough.
Keep in mind that, unless you are running Vista, normal background refresh
occurs every 90 min. plus up to a 30 minute random value. That means that
unless your users are on the VPN for on average, 120 min., they may miss the
background refresh interval. One thing you could do is reduce this interval
for these machines (using the Policy under Computer Configuration\Admin.
Templates\System\Group Policy) to see if that helps.

Darren
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

Manage Group Policy Backup and Recovery with the GPExpert Backup Manager for
GP!
Find out more at http://www.sdmsoftware.com/products.php

Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
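
The interval arithmetic in the reply above (90 minutes plus up to 30 random minutes) can be turned into numbers. This is an added example, not part of any post in the thread; it assumes the client's refresh timer keeps running whether or not the VPN is up, that a refresh only succeeds while the VPN is up, and that users connect at an arbitrary moment. The function names are hypothetical.

```python
import random

def catch_probability(session_min, interval=90.0, offset=30.0):
    """P(a background refresh fires during a VPN session of session_min minutes).

    Assumed model: gaps between refreshes are interval + U(0, offset) minutes
    and the user connects at an arbitrary point in that cycle, so the answer
    is integral_0^s P(gap > t) dt divided by the mean gap.
    """
    if session_min <= 0:
        return 0.0
    mean_gap = interval + offset / 2.0
    covered = min(session_min, interval)        # P(gap > t) = 1 while t < interval
    r = min(max(session_min - interval, 0.0), offset)
    if offset > 0:
        covered += r - r * r / (2.0 * offset)   # linear tail over the random offset
    return min(covered / mean_gap, 1.0)

def simulate(session_min, interval=90.0, offset=30.0, trials=20000, seed=1):
    """Monte Carlo cross-check of catch_probability under the same assumptions."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        connect = rng.uniform(2000.0, 12000.0)  # minutes since boot (constructed)
        t = 0.0
        while t < connect:                      # first refresh at or after connect
            t += interval + rng.uniform(0.0, offset)
        if t - connect <= session_min:
            hits += 1
    return hits / trials

def largest_interval(session_min, target=0.95, offset=30.0):
    """Largest whole-minute interval (<= the 90-minute default) at which a
    session of session_min minutes catches a refresh with probability >= target.
    Returns None if even a 1-minute interval is not enough."""
    for interval in range(90, 0, -1):
        if catch_probability(session_min, float(interval), offset) >= target:
            return interval
    return None

if __name__ == "__main__":
    for s in (15, 30, 60, 90, 120):             # constructed session lengths
        print(f"{s:>3} min on VPN: closed form {catch_probability(s):.3f}, "
              f"simulated {simulate(s):.3f}, "
              f"interval for 95%: {largest_interval(s)} min")
```

Under these assumptions a 30-minute session at the default settings catches a refresh less than a third of the time, and the random offset, not only the base interval, limits how much shortening the interval helps.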
Anthony [MVP]
2008-02-19 22:13:37 UTC
Chris,
If you really want to control them, then a VPN router at their place will
connect them as if on the LAN (except for slow link processing).
For user policies, a VPN client that connects before logon will do that.
Otherwise terminal services will provide them with your applications and
data and you can avoid having to configure the PC.
Anthony
http://www.airdesk.co.uk
Chris White
2008-02-21 10:41:00 UTC
Hi All,

Thanks for the great replies. It gives me the answers I need.

The problem I can see is that the users are not on long enough for the
refresh interval to occur.

What I will do is, as suggested, slim down the interval time for these users
so they can pick up the necessary policies.

The policies are as you thought, just general Administrative templates,
things like controlling what's visible in Control Panel, locking out of
Add/Remove Programs and customizing Internet Explorer etc.

Cheers for the help, you've all made it very clear!
--
Chris White
United Kingdom