Only run Group Policy when computer is on the correct IP range

    Question

  • Hi,

    We are using 802.1x via Cisco AnyConnect NAM. The Windows machines are authenticating quickly enough for Group Policy to run properly.

    Is there a way to make Group Policy run only when the computer is on the correct IP range? We have the Group Policy set to only run once the network starts, but with the 802.1x the computers land in a guest network, so the network has started, just the wrong one.

    Best wishes

    Michael


    Friday, March 27, 2015 5:19 PM

Answers

All replies

  • GP, as a whole? (maybe you could exploit AD site/link/slow-link/per-subnet settings)

    Or, specific GPOs/settings ? (maybe you could use WMI filtering or GPP ILT)

    Which OS on the client machines ? (Windows8/8.1 uses deferred/delayed GP processing)


    Don


    Saturday, March 28, 2015 7:53 AM
  • A GPResult and modeling say they are running, but my profile batch file that maps my drives doesn't run and I also have a logon script that is meant to pin an application to the task bar. That also doesn't run. If I run it from the URL in the event log it works fine.

    None of my policies that should install software work either.

    I am seeing Event ID 1130 - https://technet.microsoft.com/en-us/library/cc727309(v=ws.10).aspx

    I also see Event ID 1112 and from memory (I'm at home) 108 and 109. Also 1129 - https://technet.microsoft.com/en-us/library/cc727335(v=ws.10).aspx

    None of these issues occurred until we moved to this new 802.1x network. A GPUpdate /force asks for a reboot and this will then take me off the network once more.

    We are using Windows 8.1. I know that there is a 5 minute delay for the logon script and despite reading these has thrown others thinking it wasn't working, this should be good for me :), but it still doesn't run.

    Best wishes

    Michael


    Saturday, March 28, 2015 9:05 AM
  • Hi Michael,

    >>Is there a way to make Group Policy run only when the computer is on the correct IP range.

    For this question, the suggestions provided by Don are reasonable.

    Regarding this point, the following thread and article can also be referred to for more information.

    GPO WMI Filter range of IP Addresses

    https://social.technet.microsoft.com/Forums/windows/en-US/94a1f90b-3cc0-4800-80ba-9f5fa892efeb/gpo-wmi-filter-range-of-ip-addresses

    Preference Item-Level Targeting

    https://msdn.microsoft.com/en-us/library/cc733022.aspx

    IP Address Range Targeting

    https://msdn.microsoft.com/en-us/library/cc732310.aspx

    >>A GPUpdate /force asks for a reboot and this will then take me off the network once more.

    Because of fast logon optimization, some Group Policy settings like folder redirection, software installation, and drive mapping need us to log on twice to get them applied successfully.

    Description of the Windows Fast Logon Optimization feature

    http://support.microsoft.com/en-us/kb/305293

    Best regards,
    Frank Shen



    Monday, March 30, 2015 7:08 AM
    Moderator
  • Thanks for the feedback. I am trying the WMI filter, but what is the correct namespace?

    I'm using root\CIMv2 and I get this error.



    Monday, April 13, 2015 2:27 PM
  • > I'm using root\CIMv2 and I get this error.
     
    This is a bug in 2012R2. Safely ignore it.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, April 13, 2015 2:29 PM
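
The WMI filter approach discussed in this thread can be checked on a client before the filter is linked to a GPO. The following is an added example, not code from any of the posters: it evaluates a candidate query in the root\CIMv2 namespace the same way a WMI filter does (true when at least one instance is returned). The subnet prefix 10.20.30. and the function name Test-WmiFilter are assumptions made for illustration; the query relies on the host route (mask 255.255.255.255) that Windows keeps for each bound IPv4 address.

```powershell
# Added example: evaluate a candidate GPO WMI filter locally.
# ASSUMPTION: 10.20.30. is a constructed placeholder for the subnet the
# client lands in after successful 802.1x authentication.
$Namespace = 'root\CIMv2'      # namespace mentioned in the thread
$Prefix    = '10.20.30.'       # LIKE can only match on octet boundaries

# Windows keeps a host route (mask 255.255.255.255) for every IPv4 address
# bound to the machine, so this query returns rows only while an adapter
# holds an address that starts with the prefix.
$Wql = "SELECT * FROM Win32_IP4RouteTable " +
       "WHERE Mask = '255.255.255.255' AND Destination LIKE '${Prefix}%'"

# Hypothetical helper: a WMI filter is true when the query returns >= 1 row.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Namespace,
        [Parameter(Mandatory)] [string] $Query
    )
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    }
    catch {
        # A syntax error or missing class makes the filter fail closed.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
    return ($rows.Count -gt 0)
}

# Current IPv4 addresses, shown next to the result for comparison.
$ipv4 = Get-CimInstance -Namespace $Namespace `
            -ClassName Win32_NetworkAdapterConfiguration `
            -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object   { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

[pscustomobject]@{
    Query         = $Wql
    BoundIPv4     = ($ipv4 -join ', ')
    FilterMatches = Test-WmiFilter -Namespace $Namespace -Query $Wql
}
```

Run it once while the machine is on the guest network and once after authentication: FilterMatches should be False in the first case and True in the second. The string in $Wql is what goes into the filter's query field.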