GPO Hurdle

[djtech2k]

Hey guys. I have somewhat of a hurdle that I am in need or a solution for, but I am not aware of any that will do exactly what I need.

I use GPO's as everyone else does. My issue is that I have many remote users that come in over a Cisco VPN client from anywhere or from a Cisco client thru a Cisco vpn concentrator. My issue is that some of them logon to windows first, via local account or cached credentials, and then the logon to the vpn which puts them in my intranet.

I have many policies that do not apply, of course all of those that run logon scripts or anything that happens during boot. Do any of you know of any way to enforce my GPO settings with those typw of VPN users. I have thought about running some vbscripts during netlogon but not every person has local admin rights so they may or may not be able to do things like regedits. Most have local admin, but some do not.

Any ideas?

 

[markdmac]

I don't believe it is possible. The VPN users are attaching to your domain but not logging into it like they would if they were in the office.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[djtech2k]

Ok, what if you drop the local logons out of the equation? What if they always logon to the domain, some before the vpn launches and some after it launches?

 

[markdmac]

The problem is that login scripts process from the DC at logon. If they log on with cached credentials they don't get run.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[djtech2k]

Thats what I thought too, but I am trying to find any other way to get around this problem.

 

[markdmac]

You could give your users an HTA or VBS file to run after they login via VPN.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[mikehiland]

There is a setting (or at least there used to be) that would allow the VPN Client to connect to the VPN before logging on to the computer. I have used it and it works.

However, when the user boots the computer and presses Ctrl+Alt+Del, they are prompted for VPN credentials. This can get annoying - especially when they are offline. You know the net result of this - more help desk calls.

So, while this will do what you ask there is a potential cost.

Other solutions are for remote users who have a home network, provide them with a low-cost VPN router (Linksys offered one) that can create an always on LAN-to-LAN VPN for them. Obviously this does not help for traveling users, but for home office people it will also accomplish what you want.

The solution that we started moving to was Citrix over SSL. This eliminated the VPN Client issue and gave us more control while giving users access to apps and data.

These are a couple of things that I have done. Perhaps they work for you in some capacity. Good luck - it is not a fun problem to resolve.