Applying Group Policy to computer using Cisco VPN Client

  • Question

  • I have a group of users. Each of their computers connects to the corporate network via Cisco's VPN Client software.  I am trying to create a new computer configuration for them, but I am having trouble getting the computer portion of the Group Policy to apply correctly. They are on high speed, and a slow network is not detected.

    The remote computer is a domain member. All the clients are Windows XP (SP3) and the domain controllers are Windows 2003 Server.

    The process for logging into this new setup is as follows:
    1.  When the user hits Ctrl-Alt-Del to log into the computer, the VPN Client comes up, and the user enters VPN credentials and connects to the network
    2.  The user logs into the computer with a domain account

    The user settings of the Group Policy are applied properly, which makes sense, because when the user actually logs into the machine, there is a network connection to the corporate domain controller.

    Also, it makes sense that the computer settings are not applied when the computer initially boots up, because it has no network connection to a domain controller until the user completes step 1 above.  I've tried running gpupdate to force the application of computer settings, but that doesn't work either.  This gpupdate could be run at the end of the VPN connection in step 1 above.

    Each time the computer boots up, I get a Userenv event ID 1054 in the Application log, presumably because of the lack of network connection.

    Can anyone provide a solution that will apply the computer settings to this VPN-only computer?  

    Thanks in advance for your help, and I would appreciate all the replies.
    Sunday, February 7, 2010 12:37 PM

Answers

  • Ok..I finally got some success with the following settings...I’m posting my solution to help others in the same situation. Please feel free to contribute to this thread.

    1) Eliminate the Slow Link Detection during log-in. This is to be done on the Client side

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GroupPolicyMinTransferRate"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GroupPolicyMinTransferRate"=dword:00000000

    2) Set Kerberos to authenticate over TCP instead of UDP

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
    "MaxPacketSize"=dword:00000001

     This is to be done on Active Directory at OU level

    1)    Enable Group policy refresh interval for computer

    2)    Enable Group policy slow link detection – set the value to Zero

    3)    Enable Always wait for the network at computer startup and logon

    4)    Enable Do Not detect slow network connections

    5)    Enable security policy processing

     

    Not really sure which settings are required, but by enabling all of the above my group policy over the Cisco VPN client finally worked.

     



    Tuesday, February 23, 2010 1:56 PM
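
A read-only check for the client-side part of the answer above, added here as an example and not taken from the thread: it compares the three registry values the answer lists against what is on the machine and counts Userenv 1054 events logged since the last boot. It assumes Windows PowerShell 2.0 or later is installed on the client and that it is run as the affected user, so that HKCU resolves to that user's hive.

```powershell
# Added example (not from the thread). Reads only; changes nothing.
# Expected values are the ones given in the answer above.
$expected = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'GroupPolicyMinTransferRate'; Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'GroupPolicyMinTransferRate'; Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name = 'MaxPacketSize'; Value = 1 }
)

$results = foreach ($item in $expected) {
    # A missing key or value leaves $actual as $null, reported as no match.
    $actual = $null
    $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
    if ($prop) { $actual = $prop.($item.Name) }

    New-Object PSObject -Property @{
        Name     = $item.Name
        Expected = $item.Value
        Actual   = $actual
        Match    = ($null -ne $actual -and $actual -eq $item.Value)
        Key      = $item.Path
    }
}
$results | Format-Table Name, Expected, Actual, Match, Key -AutoSize

# Userenv 1054 is the event the question reports at every boot.
# Count only entries written since the last boot, so a reboot after
# applying the settings gives a clean before/after comparison.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

$events = @(Get-EventLog -LogName Application -Newest 2000 |
    Where-Object { $_.Source -eq 'Userenv' -and
                   $_.EventID -eq 1054 -and
                   $_.TimeGenerated -ge $lastBoot })

"Last boot: $lastBoot"
"Userenv 1054 events since last boot: $($events.Count)"
$events | Select-Object TimeGenerated, EntryType, Message | Format-List
```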