Problems with Group Policies over VPN?

[T Goddard]

Hi Everyone

I recently configured a number of XP Pro computers at our central office to
run as part of our domain. The domain controller is running 2000 Server
with Active Directory, DHCP and DNS.

Everything worked fine until I moved the computers to various branch offices
where network access is via VPN connections. Users can log on to the
network, access resources, etc, that part of things is fine.

My problem is with the group policies I set up. Whatever changes I make to
group policies on the server it seems to have no impact whatsoever when
users log on to the computers at the branch offices. This is really
annoying as, amongst other things, I need to slacken off the security so
that users can add a new printer. When I first configured the group
policies the machines were on the local network segment and worked fine.

Can anyone suggest what I'm doing wrong? As far as I can see the only
differences are...

- network access is over a slow VPN link rather than a 100Mbps LAN
- the computers receive IP addresses from the DHCP server on each remote
router rather than from the central DHCP server (which means they aren't
automatically registered with the DNS server for Active Directory?)

Apart from that I can't see any other differences. The server and client
computers are all unaware of the VPN links as these are handled entirely by
the routers and are transparent to any of the operating systems.

Any suggestions?? I'd really appreciate your help on this as it's slowly
driving me crazy and the thought of bringing the computers 'back to base'
each time I need to change group policies is a bad prospect

Tim.

 

[Steven L Umbach]

Hi Tim. I have not dealt with a situation like that but here is my two cents. If the
vpn clients are not logging into the domain via vpn [local account instead], then the
user policies will not be applied. The problem may be that they are not using the
Active Directory dns server when logged on via vpn. You can use ipconfig /all to view
their configuration for the vpn connection and possibly try running netdiag after
connected to the vpn server. Another thing to consider is the effect of "slow link
detection" which has a default setting even if not configured in Group Policy, that
can cause certain Group Policy configurations to not be applied over a slow link. You
might also want to use gpresult to help determine when the last time a policy was
applied. See KB links for more info. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;227260
http://support.microsoft.com/default.aspx?scid=kb;en-us;321709

 

[T Goddard]

Hi Steve

Thanks for the information on netstat and gpresult. I won't be able to try
out your suggestions until Monday but I'll let you know how I go on.

AFAIK the users are logging on to the domain properly (the domain is
selected in the "logon to" box and access to resources on the server is
being properly governed by permissions). One thing I haven't done is set
the default "slow link detection" (stupid of me) although it is set to see
all connections as fast in the specific group policy. :-/

Will report back on Monday, thanks again...

Tim.

--
My real e-mail address is ngroup1 before the at followed by
timgoddard.co.uk.

Hi Tim. I have not dealt with a situation like that but here is my two cents. If the
vpn clients are not logging into the domain via vpn [local account instead], then the
user policies will not be applied. The problem may be that they are not using the
Active Directory dns server when logged on via vpn. You can use ipconfig /all to view
their configuration for the vpn connection and possibly try running netdiag after
connected to the vpn server. Another thing to consider is the effect of "slow link
detection" which has a default setting even if not configured in Group Policy, that
can cause certain Group Policy configurations to not be applied over a slow link. You
might also want to use gpresult to help determine when the last time a policy was
applied. See KB links for more info. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;227260
http://support.microsoft.com/default.aspx?scid=kb;en-us;321709

Hi Everyone

I recently configured a number of XP Pro computers at our central office to
run as part of our domain. The domain controller is running 2000 Server
with Active Directory, DHCP and DNS.

Everything worked fine until I moved the computers to various branch offices
where network access is via VPN connections. Users can log on to the
network, access resources, etc, that part of things is fine.

My problem is with the group policies I set up. Whatever changes I make to
group policies on the server it seems to have no impact whatsoever when
users log on to the computers at the branch offices. This is really
annoying as, amongst other things, I need to slacken off the security so
that users can add a new printer. When I first configured the group
policies the machines were on the local network segment and worked fine.

Can anyone suggest what I'm doing wrong? As far as I can see the only
differences are...

- network access is over a slow VPN link rather than a 100Mbps LAN
- the computers receive IP addresses from the DHCP server on each remote
router rather than from the central DHCP server (which means they aren't
automatically registered with the DNS server for Active Directory?)

Apart from that I can't see any other differences. The server and client
computers are all unaware of the VPN links as these are handled entirely by
the routers and are transparent to any of the operating systems.

Any suggestions?? I'd really appreciate your help on this as it's slowly
driving me crazy and the thought of bringing the computers 'back to base'
each time I need to change group policies is a bad prospect

Tim.