GPUPDATE Options

**kcnychief** · October 17th, 2006

If there are remote users who may not be connected during the randomized 90 minute interval to update GPO, what is the best way to ensure it isn't "luck of the draw" that the Policies update during each session, or each time they connect?

Obviously I want something seamless, as forcing the clients to do a gpudate /force would be out of the question since the user would have to manually click a file once connected.

**fitz** · October 17th, 2006

why not run a gpupdate in the login script?

**kcnychief** · October 17th, 2006

Easy solution but won't apply.

The problem exists for remote users who 50% or more aren't actually connected to the network, and their login scripts can't run at boot because they aren't connected.

They use cached domain credentials to login to their machines first, as our vpn software doesn't run as a service.

**fitz** · October 18th, 2006

hmm.. well, this would be a TOTAL kludge, but you could create a schedule task (or an "at" command) to run gpupdate ever hour or so..

Haven't really thought too much about it, but i'm tired and cranky with a headache and this just popped into my head.

edit: what VPN client are you using? Also: are these machines domain members?

**kcnychief** · October 18th, 2006

Machines are domain members, VPN software varies between two different clients.

Scheduled task could be OK, but still no guarentee it will actually run when connected. I want to look at a way for it to run when the IP changes, as it does when VPN connection is established

**fitz** · October 20th, 2006

bah.. not easy to do.

In theory you could write a little program and install it as a service (srvany! gotta love it!) that polls the IP and/or connection status every 2 minutes/5 minutes/whatever minutes) and runs a gpupdate when it finds a link/change.

edit: i thought computers that were domain member were supposed to run their login scripts when they connect via VPN.. hmm.. gotta try to do research to remember how that all worked.

edit2: I don't suppose there is anything in the VPN Clients to tell it to execute a post-connection script?

**Mastershakes** · November 13th, 2006

This should help:

Technet

Check out the following parts of the article:

Application of Group Policy During a Remote Access Connection

When the logon is done with cached credentials, and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging in via cached credentials, folder redirection settings will not be processed, because folder redirection policy can only be processed at user logon, not in the background refresh.

Near the top of the article they explain how you can change the interval in which the update is triggered. Perhaps adjust it - set it to 20 minutes.

**kcnychief** · November 13th, 2006

The policy interval won't really help in our situation, as sometimes people only stay connected to replicate mail up (Lotus Notes). I'm actually close on something with our Patch Management tool - LanDesk - to force this kind of thing on the client side each time the IP changes.

Thanks though

October 17th, 2006	Top \| #1
kcnychief █▄█ ▀█▄ █ Joined: April 2005 Location: Massachusetts Posts: 16,949 Reputation: 4941 Power: 305	GPUPDATE Options If there are remote users who may not be connected during the randomized 90 minute interval to update GPO, what is the best way to ensure it isn't "luck of the draw" that the Policies update during each session, or each time they connect? Obviously I want something seamless, as forcing the clients to do a gpudate /force would be out of the question since the user would have to manually click a file once connected. XBOX Live Gamertag: kcnychief

October 17th, 2006	Top \| #2
fitz *XPista7eopardix Joined: April 2004 Location: Chicagoland Posts: 4,028 Reputation: 2947 Power: 168**	Re: GPUPDATE Options why not run a gpupdate in the login script? Hee-hee! Evil makes my buttocks tingle.

October 17th, 2006	Top \| #3
kcnychief █▄█ ▀█▄ █ Joined: April 2005 Location: Massachusetts Posts: 16,949 Reputation: 4941 Power: 305	Re: GPUPDATE Options Easy solution but won't apply. The problem exists for remote users who 50% or more aren't actually connected to the network, and their login scripts can't run at boot because they aren't connected. They use cached domain credentials to login to their machines first, as our vpn software doesn't run as a service. XBOX Live Gamertag: kcnychief

October 18th, 2006	Top \| #4
fitz *XPista7eopardix Joined: April 2004 Location: Chicagoland Posts: 4,028 Reputation: 2947 Power: 168**	Re: GPUPDATE Options hmm.. well, this would be a TOTAL kludge, but you could create a schedule task (or an "at" command) to run gpupdate ever hour or so.. Haven't really thought too much about it, but i'm tired and cranky with a headache and this just popped into my head. edit: what VPN client are you using? Also: are these machines domain members? Hee-hee! Evil makes my buttocks tingle.

October 18th, 2006	Top \| #5
kcnychief █▄█ ▀█▄ █ Joined: April 2005 Location: Massachusetts Posts: 16,949 Reputation: 4941 Power: 305	Re: GPUPDATE Options Machines are domain members, VPN software varies between two different clients. Scheduled task could be OK, but still no guarentee it will actually run when connected. I want to look at a way for it to run when the IP changes, as it does when VPN connection is established XBOX Live Gamertag: kcnychief

Latest News Posts

Latest Forum Posts

Latest Member Blogs

October 20th, 2006	Top \| #6
fitz *XPista7eopardix Joined: April 2004 Location: Chicagoland Posts: 4,028 Reputation: 2947 Power: 168**	Re: GPUPDATE Options bah.. not easy to do. In theory you could write a little program and install it as a service (srvany! gotta love it!) that polls the IP and/or connection status every 2 minutes/5 minutes/whatever minutes) and runs a gpupdate when it finds a link/change. edit: i thought computers that were domain member were supposed to run their login scripts when they connect via VPN.. hmm.. gotta try to do research to remember how that all worked. edit2: I don't suppose there is anything in the VPN Clients to tell it to execute a post-connection script? Hee-hee! Evil makes my buttocks tingle.

November 13th, 2006	Top \| #7
Mastershakes OSNN Veteran Addict Joined: July 2004 Location: Montreal Posts: 1,721 Reputation: 1040 Power: 124	Re: GPUPDATE Options This should help: Technet Check out the following parts of the article: Application of Group Policy During a Remote Access Connection When the logon is done with cached credentials, and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging in via cached credentials, folder redirection settings will not be processed, because folder redirection policy can only be processed at user logon, not in the background refresh. Near the top of the article they explain how you can change the interval in which the update is triggered. Perhaps adjust it - set it to 20 minutes. So many idiots - so little time

November 13th, 2006	Top \| #8
kcnychief █▄█ ▀█▄ █ Joined: April 2005 Location: Massachusetts Posts: 16,949 Reputation: 4941 Power: 305	Re: GPUPDATE Options The policy interval won't really help in our situation, as sometimes people only stay connected to replicate mail up (Lotus Notes). I'm actually close on something with our Patch Management tool - LanDesk - to force this kind of thing on the client side each time the IP changes. Thanks though XBOX Live Gamertag: kcnychief

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
RSS Options	kcnychief	Green Room	54	August 9th, 2006 8:23am
Boot options	mikesmartt	Windows Desktop Systems	2	January 1st, 2003 11:51pm
Dial Up Options	spencera1	Windows Desktop Systems	4	October 13th, 2002 1:56pm
Folder options?	dreamliner77	Windows Desktop Systems	5	June 1st, 2002 5:02am
Folder Options	Curt	Windows Desktop Systems	1	April 21st, 2002 5:51am