Software Restrictions - Mobile PCs

  • Question

  • Hi all:

    I have Software Restrictions currently in Computer Configuration, not User Configuration for my domain. This works just fine for desktop PCs always on the LAN, but laptops that connect intermittently are an issue.

    I know that Computer Configuration applies at system startup and User Configuration applies at logon. But I have users with laptops offsite that rarely reboot their computers (constantly go into standby or hibernation) and connect back to the main network via VPN at a whim.

    I'd really like to get these policies out to them but I'm not sure if it is working.

    If the laptop refreshes Group Policy when it is connected, will Computer Configuration be applied on system startup when it is NOT connected? Same goes for User Configuration. Will it be applied on next logon, even if the laptop is disconnected from the domain at the time?

    Thanks for any help. Just trying to get the best way to send policies like this to laptops. Thanks!
    Wednesday, July 9, 2008 10:29 PM

Answers

  • Howdie!

    Hays33d said:

    I have Software Restrictions currently in Computer Configuration, not User Configuration for my domain. This works just fine for desktop PCs always on the LAN, but laptops that connect intermittently are an issue.

    I know that Computer Configuration applies at system startup and User Configuration applies at logon. But I have users with laptops offsite that rarely reboot their computers (constantly go into standby or hibernation) and connect back to the main network via VPN at a whim.

    I'd really like to get these policies out to them but I'm not sure if it is working.

    If the laptop refreshes Group Policy when it is connected, will Computer Configuration be applied on system startup when it is NOT connected? Same goes for User Configuration. Will it be applied on next logon, even if the laptop is disconnected from the domain at the time?


    Policies applied once will stick even if people are not connected to the corpnet any more. So once they apply the Software Restriction Policy, they take it with them on laptops. It would be a security breach if unplugging the network cable and rebooting would just make all Group Policy settings (including the security ones you can define) go away.

    Having said that, connecting over VPN will be sufficient. There's a Group Policy refresh every 90-120 minutes (random) on the machines. So when they're in the corpnet (even through VPN) they'll contact the DC to get the newest GPs. Depending on OS and Service Pack level, it might take a reboot or two to make particularly the SRPs work as expected. But they get applied when connected through VPN.

    cheers,

    Florian

    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Thursday, July 10, 2008 7:04 AM

All replies

  • Thanks for the reply, Florian.

    Just as a clarification, in this scenario: a new GPO is made under Computer Configuration. A laptop user that is offsite connects on VPN, picks up the policy, disconnects VPN. On their next reboot, that GPO will be applied, even if they are disconnected from the domain during that reboot. Correct?
    Thursday, July 10, 2008 2:18 PM
  • Howdie!
    Hays33d said:

    Thanks for the reply, Florian.

    Just as a clarification, in this scenario: a new GPO is made under Computer Configuration. A laptop user that is offsite connects on VPN, picks up the policy, disconnects VPN. On their next reboot, that GPO will be applied, even if they are disconnected from the domain during that reboot. Correct?


    Correct. Group Policy only needs to "download" the settings once. There's no network needed to actually apply the settings. It would be a security issue if one could unplug the network and reboot the machine and all the security settings an admin makes on the machine would be gone. So yes, Group Policy applies to users logging on without network connectivity once the policy is refreshed. Make sure they work with their domain profile when they log on without network (cached credentials) rather than a local user account.

    cheers,

    Florian
    Microsoft MVP - Group Policy -- blog: http://www.frickelsoft.net/blog
    Friday, July 11, 2008 5:23 AM
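
One way to confirm on a disconnected laptop that the Software Restriction Policy discussed in this thread is actually cached locally is to read it back from the registry. The PowerShell below is an added example, not part of the original thread; it assumes the policy is in Computer Configuration (as in the question) and reads the standard SRP policy key under HKLM. The function name `Get-CachedSrp` is hypothetical.

```powershell
# Added example: inspect the computer-scope SRP cached in the local registry.
# Run in an elevated PowerShell session; no domain connectivity is required.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-CachedSrp {
    param([string]$Path = $SrpRoot)

    # A missing key means no computer-scope SRP has been delivered to this machine.
    if (-not (Test-Path -Path $Path)) { return $null }

    $levelNames  = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    $enforcement = @{ 0 = 'Not enforced'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }
    $scope       = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
    # Map a DWORD to its label, without mistaking an absent value for 0.
    $name = { param($map, $v) if ($null -eq $v) { 'Not set' } else { $map[[int]$v] } }
    $cfg  = Get-ItemProperty -Path $Path

    # Path rules are stored as <level id>\Paths\{rule GUID}, with the path in ItemData.
    $pathRules = foreach ($level in Get-ChildItem -Path $Path |
                          Where-Object { $_.PSChildName -match '^\d+$' }) {
        $pathsKey = "$($level.PSPath)\Paths"
        if (Test-Path -Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                [pscustomobject]@{
                    Level = $levelNames[[int]$level.PSChildName]
                    Path  = (Get-ItemProperty -Path $rule.PSPath).ItemData
                }
            }
        }
    }

    [pscustomobject]@{
        DefaultLevel = & $name $levelNames  $cfg.DefaultLevel
        Enforcement  = & $name $enforcement $cfg.TransparentEnabled
        AppliesTo    = & $name $scope       $cfg.PolicyScope
        PathRules    = @($pathRules)
    }
}

$srp = Get-CachedSrp
if ($null -eq $srp) {
    Write-Output 'No computer-scope SRP found in the registry.'
} else {
    $srp | Format-List DefaultLevel, Enforcement, AppliesTo
    $srp.PathRules | Format-Table -AutoSize
}
```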