GPUPDATE Options

Discussion in 'Windows Server Systems' started by kcnychief, Oct 17, 2006.

  1. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    If there are remote users who may not be connected during the randomized 90 minute interval to update GPO, what is the best way to ensure it isn't "luck of the draw" that the Policies update during each session, or each time they connect?

    Obviously I want something seamless, as forcing the clients to do a gpudate /force would be out of the question since the user would have to manually click a file once connected.
     
    Last edited: Oct 17, 2006
  2. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    why not run a gpupdate in the login script?
     
  3. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Easy solution but won't apply.

    The problem exists for remote users who 50% or more aren't actually connected to the network, and their login scripts can't run at boot because they aren't connected.

    They use cached domain credentials to login to their machines first, as our vpn software doesn't run as a service.
     
    Last edited: Oct 17, 2006
  4. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    hmm.. well, this would be a TOTAL kludge, but you could create a schedule task (or an "at" command) to run gpupdate ever hour or so..

    Haven't really thought too much about it, but i'm tired and cranky with a headache and this just popped into my head.

    edit: what VPN client are you using? Also: are these machines domain members?
     
  5. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Machines are domain members, VPN software varies between two different clients.

    Scheduled task could be OK, but still no guarentee it will actually run when connected. I want to look at a way for it to run when the IP changes, as it does when VPN connection is established
     
  6. fitz

    fitz Just Floating Along Staff Member Political User Folding Team

    Messages:
    4,076
    Location:
    Chicagoland
    bah.. not easy to do.

    In theory you could write a little program and install it as a service (srvany! gotta love it!) that polls the IP and/or connection status every 2 minutes/5 minutes/whatever minutes) and runs a gpupdate when it finds a link/change.

    edit: i thought computers that were domain member were supposed to run their login scripts when they connect via VPN.. hmm.. gotta try to do research to remember how that all worked.

    edit2: I don't suppose there is anything in the VPN Clients to tell it to execute a post-connection script?
     
  7. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    This should help:

    Technet

    Check out the following parts of the article:

    Application of Group Policy During a Remote Access Connection

    Near the top of the article they explain how you can change the interval in which the update is triggered. Perhaps adjust it - set it to 20 minutes.
     
  8. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    The policy interval won't really help in our situation, as sometimes people only stay connected to replicate mail up (Lotus Notes). I'm actually close on something with our Patch Management tool - LanDesk - to force this kind of thing on the client side each time the IP changes.

    Thanks though ;)