Group Policy For Wireless Clients Not Working As Desired

    Question

  • Hello All,

    (Windows Server 2012 R2 Domain, Windows2008 Radius, Windows7 Wireless Clients)

    (Goal)

    - We want to have the ability to create a domain password policy so that our wireless client computers will get prompted to change their passwords at login (right now our default domain policy is not set up yet to force password changes), but we ran into some issues when testing password changes.

    - Our wireless clients connect through a Microsoft RADIUS NPS server. We also have a NAC device that acts as a proxy so that users can register their laptops; the NAC then hands the connection back to the RADIUS server after the registration is complete. If a password is changed then there appears to be an issue authenticating unless we go hardwired, change the password and then connect back to wireless after the password gets cached. To get around the issue of wireless clients having authentication problems when the password is changed, we created an OU and used the settings from this link as a guideline: https://msdn.microsoft.com/en-us/library/dd759176.aspx

    - So we created the OU and enabled and linked the OU and here is a summary of what is going on:

    (Testing Password Change/Rebooting Laptop)

    - If we set the account in AD to prompt the user to "change the password at next login", after a reboot we do not see the "wireless OU" splashed at the login screen. When logging in, the previous password is cached and the user is not prompted to change the password.

    (Logging Off and Logging On)

    - However, if we log off (after logging on at reboot) we then do see the Wireless OU, and we do get prompted to enter the old password and enter a new password. So it appears that when the computer is shut down or rebooted, during the reboot and the login process the wireless GPO policy is not processed, but when you log off and log on the wireless GPO policy is processed.

    Sorry for the long post. Hope this makes sense to someone.

    Thanks for the time,

    Bob

    Friday, April 22, 2016 5:21 PM

All replies

  • Did you try to use GPO preferences with item-level targeting like an IP address range? Usually LAN and wireless are divided into different pools.

    https://technet.microsoft.com/en-us/library/dn581922.aspx

    If you configure your GPO to apply only when the client's address is in a specific address pool, that could make sense.

    Friday, April 22, 2016 9:59 PM
  • Hi Bob,

    > We want to have the ability to create a domain password policy so that our wireless client computers will get prompted to change their passwords when prompted (right now our default domain policy is not set up yet to force password changes) at login

    >>>To achieve your goal, you could configure the policy "Interactive logon: Prompt user to change password before expiration" under the path below.

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    For more information, you could refer to the article below.

    Interactive logon: Prompt user to change password before expiration

    https://technet.microsoft.com/en-us/library/jj852243.aspx

    Group Policy also refreshes GPOs on a regular basis, ensuring that Group Policy applies new and changed GPOs without waiting for the computer to restart or the user to log off. The period of time between these refreshes is called the Group Policy refresh interval, and the default is 90 minutes with a bit of randomness built in to prevent all computers from refreshing at the same time. If you change a GPO in the middle of the day, Group Policy will apply your changes within about 90 minutes. You don’t have to wait until the end of the day, when users have logged off of or restarted their computers. In advanced scenarios, you can change the default refresh interval.

    If you want the policy to be processed immediately, you could run the command Gpupdate /force on the target of the GPO.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, April 27, 2016 3:12 AM
    Moderator
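The two replies above suggest (a) scoping the policy by the client's IP range and (b) the "Prompt user to change password before expiration" setting plus a Gpupdate /force. Before changing either, it helps to see what the client actually did at the last logon. The script below is an added diagnostic, not code from this thread or from Microsoft's documentation. It assumes an elevated PowerShell session on a domain-joined Windows 7 or later client with the RSAT ActiveDirectory module installed, and a hypothetical wireless address pool of 10.20.0.0/16 (replace with the pool your NPS/NAC actually hands out). It reports whether the last logon was a cached (type 11) or DC-validated (type 2) interactive logon from Security event 4624, the Winlogon values that back the two settings discussed (CachedLogonsCount and PasswordExpiryWarning), whether the user's pwdLastSet in AD is 0 (the "must change password at next logon" flag), whether the current IPv4 address falls in the wireless pool, and which GPOs gpresult says were applied.

```powershell
# Added diagnostic (not from the original thread). Assumes an elevated session,
# RSAT ActiveDirectory module, and a hypothetical wireless pool of 10.20.0.0/16.
param(
    [string]$User         = $env:USERNAME,
    [string]$WirelessCidr = '10.20.0.0/16'   # assumption: your NPS/NAC wireless pool
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Returns $true if an IPv4 address lies inside a CIDR range (pure arithmetic,
# kept PowerShell 2.0 compatible for Windows 7 clients).
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # little-endian for ToUInt32
    $ipInt  = [uint64][BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [uint64][BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# 1. How did the last interactive logon for this user authenticate?
#    Event 4624: Properties[5] = TargetUserName, Properties[8] = LogonType.
#    LogonType 2 = Interactive (validated by a DC), 11 = CachedInteractive.
$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $boot } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $User -and @(2, 11) -contains [int]$_.Properties[8].Value } |
        Sort-Object TimeCreated | Select-Object -Last 1
if ($last) {
    $type = [int]$last.Properties[8].Value
    $how  = if ($type -eq 11) { 'CACHED (no DC reachable at logon)' } else { 'validated by a DC' }
    "Last interactive logon for {0} at {1}: type {2}, {3}" -f $User, $last.TimeCreated, $type, $how
} else {
    "No interactive logon for $User found since boot ($boot)"
}

# 2. Winlogon values behind the two settings discussed in the thread.
$wl = Get-ItemProperty $winlogon
"CachedLogonsCount     : {0}  (domain logons Windows will allow from cache)" -f $wl.CachedLogonsCount
"PasswordExpiryWarning : {0}  (days before expiry to prompt; empty = policy not set)" -f $wl.PasswordExpiryWarning

# 3. Does AD currently require this user to change the password at next logon?
Import-Module ActiveDirectory -ErrorAction Stop
$ad = Get-ADUser $User -Properties pwdLastSet, PasswordExpired
"pwdLastSet = {0} -> must change at next logon: {1}; PasswordExpired: {2}" -f `
    $ad.pwdLastSet, ($ad.pwdLastSet -eq 0), $ad.PasswordExpired

# 4. Is the client on the wireless pool right now (what IP-range targeting would see)?
$ips = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
       ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
foreach ($ip in $ips) {
    "{0} in wireless pool {1}: {2}" -f $ip, $WirelessCidr, (Test-IpInCidr $ip $WirelessCidr)
}

# 5. Which GPOs were actually applied to the computer and the user.
'--- gpresult /r /scope:computer ---'
gpresult /r /scope:computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
'--- gpresult /r /scope:user ---'
gpresult /r /scope:user | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```

Run it once after a reboot-and-logon and once after a logoff-and-logon, and compare the two outputs. A logon type of 11 in the first run but 2 in the second, with the wireless OU's GPO missing from the first gpresult listing, shows the logon happened from the cache before the wireless link (and therefore the DC) was reachable, which is consistent with what the original post describes. The PasswordExpiryWarning value is the registry side of the security option in the reply above; if it is empty after a Gpupdate /force, that GPO is not reaching the computer at all.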
  • Hi Jay,

    Yes, I'm aware of when GPO refreshes, and even after I do the gpupdate /force command I still have the same issue. What I'm testing is changing a test user account to prompt the user to change the password at next login. When I boot up any test computer (again, this is testing logging in to our RADIUS/secure wireless), the previous password credentials are cached, allowing the login process to occur (and at login there is nothing showing me I'm logging in from the Wireless Policy). As soon as I log off I see at the logon screen that the wireless policy will apply when I log in, and I get prompted to change the password. As soon as I reboot the computer I'm back to the same issue.

    Bob

    Wednesday, April 27, 2016 12:36 PM
  • Hi Bob,

    You could try to use the tool below to clear cached credentials on Windows.

    For more information, you could refer to the article below.

    Clear Cached Credentials/Passwords Stored in Windows Credential Manager

    https://gallery.technet.microsoft.com/scriptcenter/Clear-Cached-CredentailsPas-981564bf

    Best Regards,

    Jay


    Wednesday, May 04, 2016 2:42 AM
    Moderator