Jump to content


TomF

Group Policies not being applied

Recommended Posts

We have found out by our users we're having an issue with group policies being applied to our students (I work for a school division). What is happening is that our computers will go to standby mode after a time period and the students have learned that if they wake the machine and log in extremely quick, the User portion of their Group Policy is not getting applied by the time they login. Things we can see that are not being applied because of this is their wallpaper, folder redirection, proxy settings, etc. I have done some searching but haven't found much for help :(

 

We currently have the "Computer-Admin Temp-System-Logon-Always wait for teh network at computer startup and logon" set to Enabled, but it is still happening. Any ideas would be greatly appreciated, thanks!!

Share this post


Link to post
Share on other sites

In my experience this setting is better set as a solo GPO and selected as the highest priority gpo to run... Specified as enforced it should kick in quite quickly... If the gpo is taking a long time to apply, this may or may not be an option.

 

I also have a login script built in vbs that blanks the screen with nothing but our logo on it until all the drives are mapped.... There's a rudimentary copy of this script in the scripting forum here if you wanted to check it out.

 

One question, what do you mean by quick... 1-2 seconds or more....

If your concern is about them accessing the Internet without the proxy, have your network team add a firewall rule for your LAN segments to drop all traffic except from the proxy server... This should be done by default if using a proxy in schools..

 

I built an education infrastructure for a govt previously and their tricky little buggers to lockout...if you don't have a firewall to do this, and you have managed switches you can use an access list or group on the switch ... Messy but works

Share this post


Link to post
Share on other sites

In my experience this setting is better set as a solo GPO and selected as the highest priority gpo to run... Specified as enforced it should kick in quite quickly... If the gpo is taking a long time to apply, this may or may not be an option.

 

I also have a login script built in vbs that blanks the screen with nothing but our logo on it until all the drives are mapped.... There's a rudimentary copy of this script in the scripting forum here if you wanted to check it out.

 

One question, what do you mean by quick... 1-2 seconds or more....

If your concern is about them accessing the Internet without the proxy, have your network team add a firewall rule for your LAN segments to drop all traffic except from the proxy server... This should be done by default if using a proxy in schools..

 

I built an education infrastructure for a govt previously and their tricky little buggers to lockout...if you don't have a firewall to do this, and you have managed switches you can use an access list or group on the switch ... Messy but works

 

My understanding is Enforced just means that it cannot be overwritten by a policy being applied further down the chain. It is currently set at the domain level policy for all users, I also tried applying this at the OU level of where the user account is and had the same results.

 

By quick I mean them authenticating within 5 seconds of the Ctrl+Alt+Del window appearing after the machine wakes up from a sleep state.

 

We are working on limiting our internet access to only go out from our proxy, but unfortunately as a school division we have software that cannot be configured to do so. This is common with education/health care facilities, but we are going in that direction, but it doesn't fix the fact the rest of the policies are not being applied in time. They are getting access to Start Menu items, Control Panel items, etc that they shouldn't.

 

And working for an education division, we have a firewall that can do this :) Just current software limitations won't allow it, but again, isn't much of a fix if we're only resolving 1/4th of the issues that come of them bypassing it this way. We also use HP dc5800 PC's, so they are not slow/outdated with a GIG LAN between it and the domain controller.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...