GPUPDATE Options

[kcnychief]

If there are remote users who may not be connected during the randomized 90 minute interval to update GPO, what is the best way to ensure it isn't "luck of the draw" that the Policies update during each session, or each time they connect?

Obviously I want something seamless, as forcing the clients to do a gpudate /force would be out of the question since the user would have to manually click a file once connected.

 

[fitz]

why not run a gpupdate in the login script?

 

[kcnychief]

Easy solution but won't apply.

The problem exists for remote users who 50% or more aren't actually connected to the network, and their login scripts can't run at boot because they aren't connected.

They use cached domain credentials to login to their machines first, as our vpn software doesn't run as a service.

 

[fitz]

hmm.. well, this would be a TOTAL kludge, but you could create a schedule task (or an "at" command) to run gpupdate ever hour or so..

Haven't really thought too much about it, but i'm tired and cranky with a headache and this just popped into my head.

edit: what VPN client are you using? Also: are these machines domain members?

 

[kcnychief]

Machines are domain members, VPN software varies between two different clients.

Scheduled task could be OK, but still no guarentee it will actually run when connected. I want to look at a way for it to run when the IP changes, as it does when VPN connection is established

 

[fitz]

bah.. not easy to do.

In theory you could write a little program and install it as a service (srvany! gotta love it!) that polls the IP and/or connection status every 2 minutes/5 minutes/whatever minutes) and runs a gpupdate when it finds a link/change.

edit: i thought computers that were domain member were supposed to run their login scripts when they connect via VPN.. hmm.. gotta try to do research to remember how that all worked.

edit2: I don't suppose there is anything in the VPN Clients to tell it to execute a post-connection script?

 

[Mastershakes]

This should help:

Technet

Check out the following parts of the article:

Application of Group Policy During a Remote Access Connection

When the logon is done with cached credentials, and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging in via cached credentials, folder redirection settings will not be processed, because folder redirection policy can only be processed at user logon, not in the background refresh.

Near the top of the article they explain how you can change the interval in which the update is triggered. Perhaps adjust it - set it to 20 minutes.

 

[kcnychief]

The policy interval won't really help in our situation, as sometimes people only stay connected to replicate mail up (Lotus Notes). I'm actually close on something with our Patch Management tool - LanDesk - to force this kind of thing on the client side each time the IP changes.

Thanks though