We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with each site 
having its own GPO that calls a script tailored to the locally available file shares. 
This has worked exceedingly well, until...

Based on some great input from another list reader we started testing a feature in the 
Cisco VPN Client that forces a user to log off his/her system as soon as the VPN is 
established. When the user logs back on to the machine then she/he is authenticating 
with the domain. We want this functionality so that the cached copy of the user's 
password is updated if he/she changed it recently, and so that the user's logon script 
runs to map drives, check A-V signatures, etc.

When I tried this from my home network (192.168.2.0/24) I connected to our corporate 
network in L.A. (Compton) and my notebook was assigned an IP address from the L.A. 
facility's internal network (172.16.0.0/21), which is the IP subnet associated with 
the Compton-Site in AD. After the logoff, I would have expected the Compton-Site logon 
script to run and map my drives. Instead, Group Policy was applied from a domain 
controller in Shanghai China (172.16.56.0/22) and my drives were mapped by their logon 
script to their servers. My colleague had a similar experience, except that he 
received policy from and was mapped to drives in the Singapore AD Site 
(172.16.48.0/22).

I ran GPResult to see if I could figure out what was happening:

RSOP results for BELKIN\<my user name> on <my machine name> : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 BELKIN
Domain Type:                 Windows 2000
Site Name:                   compton-site  <-- This is what I expected
Roaming Profile:
Local Profile:               C:\Documents and Settings\<my user name>
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=<my machine name>,OU=Notebooks,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
    Last time Group Policy was applied: 5/27/2004 at 9:18:37 PM
    Group Policy was applied from:      shanghai.belkin.com  <-- This DC is in the Shanghai, China Site!
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Shanghai Site Logon Scripts    <- There are no logon scripts tied to the computer
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
    <SNIP>

USER SETTINGS
--------------
    CN=<my user name>,OU=Information Services,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
    Last time Group Policy was applied: 5/27/2004 at 9:20:20 PM
    Group Policy was applied from:      shanghai.belkin.com  <-- This DC is in the Shanghai, China Site!
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Shanghai Site Logon Scripts   <- Here is what mapped the drives to Shanghai servers

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
      <SNIP>

I looked through Jeremy Moskowitz's great book (Group Policy, Profiles, and 
Intellimirror) and on his web site (www.gpanswers.com), but I can't find any reference 
to this mystery. My understanding is that the notebook's IP address would determine 
which Site's GP is applied. If the internal address assigned by VPN is used, then it 
should apply the Compton-Site policy. It looks like it DID determine that I was in the 
Compton site, but went off and pulled/applied GP from a different site. I have 
verified that the sites in AD have the correct subnets assigned to them, with no 
overlap.

Has anyone else seen this happen or see what I am missing? Thanks!

Jeff Salisbury
Network Infrastructure and Security Manager

Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com
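The check below is an added example, not part of the post above: it encodes the three site subnets the post names into a table, verifies the author's claim that none of them overlap, maps a client address to its site by longest-prefix match (the same rule AD uses for site determination), and flags the case where the DC that served policy sits in a different site from the client. The site names and the sample client and DC addresses are constructed for illustration and are not taken from the BELKIN directory.

```python
import ipaddress

# Constructed from the subnets quoted in the post. The site keys and the
# addresses used in the examples below are assumptions for illustration only.
SITE_SUBNETS = {
    "compton-site": ["172.16.0.0/21"],
    "shanghai-site": ["172.16.56.0/22"],
    "singapore-site": ["172.16.48.0/22"],
}


def overlapping_subnets(site_subnets):
    """Return every pair of configured subnets that overlap (should be empty)."""
    nets = [ipaddress.ip_network(n) for subs in site_subnets.values() for n in subs]
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def site_for_ip(ip, site_subnets):
    """Longest-prefix match of an address against the site table; None if no
    site covers it (e.g. a home LAN address before the VPN is up)."""
    addr = ipaddress.ip_address(ip)
    best_site, best_net = None, None
    for site, subs in site_subnets.items():
        for n in subs:
            net = ipaddress.ip_network(n)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_site, best_net = site, net
    return best_site


def check_policy_source(client_ip, dc_ip, site_subnets):
    """Compare the site the client's address maps to with the site of the DC
    that applied Group Policy. Returns (client_site, dc_site, same_site)."""
    client_site = site_for_ip(client_ip, site_subnets)
    dc_site = site_for_ip(dc_ip, site_subnets)
    return client_site, dc_site, client_site is not None and client_site == dc_site


if __name__ == "__main__":
    # Constructed addresses: a VPN client in the Compton range and a DC in the
    # Shanghai range, mirroring the symptom described in the post.
    print("overlaps:", overlapping_subnets(SITE_SUBNETS))
    print(check_policy_source("172.16.1.10", "172.16.57.5", SITE_SUBNETS))
```

Feed it the VPN-assigned address from ipconfig and the address of the server named on the "Group Policy was applied from" line of GPResult; a False in the last position confirms the cross-site case.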
