Jeff- It's hard to say what is going on here. Group Policy uses whatever site information is cached on the workstation to determine which site-linked GPOs to process. In other words, the issue is that when this machine connects to the corp. network, it is not following the normal site affinity process to locate a DC to authenticate with. Given the random nature of what you're seeing, I suspect this means that the workstation's subnet is not being correctly associated with a site, and so its querying any available DC. I would check the registry under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName to see what site is being cached there after you VPN into the network. This could be a timing issue where the site information is not correctly populated on the workstation by the time GPO processing cycle kicks off. -----Original Message----- From: [EMAIL PROTECTED] on behalf of Jeff Salisbury Sent: Fri 5/28/2004 2:51 PM To: '[EMAIL PROTECTED]' Cc: Subject: [ActiveDir] Group Policy at the Site Level With Remote VPN Users - Wrong Site Applied
We have our logon scripts in GPOs tied to AD Sites in our Win2K domain, with
each site having its own GPO that calls a script tailored to the locally available
file shares. This has worked exceedingly well, until...
Based on some great input from another list reader we started testing a
feature in the Cisco VPN Client that forces a user to log off his/her system as soon
as the VPN is established. When the user logs back on to the machine then she/he is
authenticating with the domain. We want this functionality so that the cached copy of
the user's password is updated if he/she changed it recently, and so that the user's
logon script runs to map drives, check A-V signatures, etc.
When I tried this from my home network (192.168.2.0/24) I connected to our
corporate network in L.A. (Compton) and my notebook was assigned an IP address from
the L.A. facility's internal network (172.16.0.0/21), which is the IP subnet
associated with the Compton-Site in AD. After the logoff, I would have expected the
Compton-Site logon script to run and map my drives. Instead, Group Policy was applied
from a domain controller in Shanghai China (172.16.56.0/22) and my drives were mapped
by their logon script to their servers. My colleague had a similar experience, except
that he received policy from and was mapped to drives in the Singapore AD Site
(172.16.48.0/22).
I ran GPResult to see if I could figure out what was happening:
RSOP results for BELKIN\<my user name> on <my machine name> : Logging Mode
------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: BELKIN
Domain Type: Windows 2000
Site Name: compton-site <-- This is what I expected
Roaming Profile:
Local Profile: C:\Documents and Settings\<my user name>
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=<my machine name>,OU=Notebooks,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:18:37 PM
Group Policy was applied from: shanghai.belkin.com <-- This DC is in
the Shanghai China Site!
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Shanghai Site Logon Scripts <- There are not logon scripts tied to
the computer
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
<SNIP>
USER SETTINGS
--------------
CN=<my user name>,OU=Information
Services,OU=Compton,OU=US,OU=NA,DC=belkin,DC=com
Last time Group Policy was applied: 5/27/2004 at 9:20:20 PM
Group Policy was applied from: shanghai.belkin.com <-- This DC is in
the Shanghai China Site!
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Shanghai Site Logon Scripts <- Here is what mapped the drives to
Shanghai servers
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
<SNIP>
I looked through Jeremy Moskowitz's great book (Group Policy, Profiles, and
Intellimirror) and on his web site (www.gpanswers.com), but I can't find any reference
to this mystery. My understanding is that the notebook's IP address would determine
what Site's GP is applied. If the internal address assigned by VPN is used, then it
should apply the Compton-Site policy. It looks like it DID determine that I was in the
Compton site, but went off and pulled/applied GP from a different site. I have
verified that the sites in AD have the correct subnets assigned to them, with no
overlap.
Has anyone else seen this happen or see what I am missing? Thanks!
Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com
Confidential
This e-mail and any files transmitted with it are the property
of Belkin Corporation and/or its affiliates, are confidential,
and are intended solely for the use of the individual or
entity to whom this e-mail is addressed. If you are not one
of the named recipients or otherwise have reason to believe
that you have received this e-mail in error, please notify the
sender and delete this message immediately from your computer.
Any other use, retention, dissemination, forwarding, printing
or copying of this e-mail is strictly prohibited.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
<<winmail.dat>>
