SpammyChicken
Domain login scripts won't run on laptops using a wireless connection.

I have a Server 2008 R2 domain controller and I’ve noticed that if you log in with a computer using a wireless connection, it uses cached credentials because the wireless doesn’t connect until after Windows is booted. This means my login scripts don’t run and you can’t sign in with a user that hasn’t logged into that computer yet because it’s not cached. My laptops are running XP Pro, Vista Pro and 7 Pro. How can I ensure that Windows properly authenticates and all scripts run without having to plug into a cable every time?
SOLUTION
Adam Brown
Please set this policy (do it locally for a test) and reboot: http://support.microsoft.com/kb/304970/en-us

Computer Configuration > Administrative Templates > System > Logon

Double-click "Always wait for the network at computer startup and logon", click Enable, and then click OK.
SpammyChicken (ASKER)
@acbrown2010 Thanks for the info. We are very spread out (12 different offices) and are geographically dispersed. All the APs are named differently, with different passwords. This makes the GPO with the profile info inefficient. Most of my laptops are running XP.

@McKnife  I tried that setting and it just kept my laptop (running 7 Pro) from ever reaching the login screen.  

I found this post saying they fixed the problem for their XP laptops.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/83f36e1d-c1cb-48f2-82da-7ff5e2cd923e
 
When I finally got this running, some of the correct infrastructure was already in place. That would include a trusted domain certificate authority as well as a group policy that specified that the computer automatically makes a certificate request (Computer > Windows Settings > Security > PKI/Automatic Certificate Request Settings). Additionally, the client's wireless connection properties need to specify the following - on the Wireless networks tab, our network is set up to use WPA for authentication and TKIP for Encryption. The EAP type is PEAP. I think the most important thing here is to make sure that <Authenticate as computer when computer info available> is checked. Most of that was in place, although I did go back and make sure that this last setting was pushed out via group policy.
 
On the domain controller, within <Server Manager> <Roles>, open <Network Policy and Access>, <NPS>. Under <Policies> <Network Policies> make sure that you have a NAP 802.1X (Wireless) policy that specifies <Allow access if request matches> Authentication Type = EAP(PEAP)-Microsoft: Smart Card or other Certificate, NAS Port Type = Wireless - IEEE 802.11 OR Wireless - Other. Also make sure that under <Policies> <Connection Request Policies> you have a NAP 802.1X (Wireless) policy that specifies a NAS port type of Wireless - Other or Wireless - IEEE 802.11, and under settings EAP types of EAP(PEAP) and Microsoft: Smart Card or other Certificate. The <Override network policy authentication settings> should be checked on this. This will enable the computer certificate request type and the NAP settings will indicate how to handle those requests.
 
The Network Policies seem to process in order such that the first one that works is fine and if it doesn't work the second one is tried. For this reason, #1 - I felt comfortable adding this NAP policy to the top of the list (as long as I did not remove the ones that had been working, nothing that was currently working would break), #2 - I made sure to add this to the top of the list so that wireless devices would connect using this method (i.e. as a machine).
 
This all seems confusing now and I am sure that I am not giving clear instructions. The truth is I am not an expert at this - this was my first foray into NAP. However, I knew that there was probably just one thing missing and that was basically telling the domain to accept computer authentication. Until then, the machines may have tried it, but the domain didn't allow it and so it did not occur until after the user authenticated (which was of course well beyond the time when a startup and/or logon script should have initiated).
 
I hope this helps you. If something is not clear, I am happy to try to answer questions. This was a MAJOR problem in the administration of our network and we are just so very happy to have it working now. Please let me know how you make out!
 
Andi
If it does not reach the login screen then the wireless network connection is obviously unable to connect pre-logon. You should update the driver of the wireless NIC and retry. If no better, please contact the manufacturer of the wlan card for support, he should be aware of the problem and this oughta work.
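An added local diagnostic for the two points raised above (the "Always wait for the network" policy and whether the wireless link actually reaches a DC before logon); this is not code from any poster in this thread. It assumes an elevated PowerShell on a domain-joined Windows 7 laptop (XP has no PowerShell), reads the SyncForegroundPolicy value that KB304970 documents for that policy, and uses a placeholder profile name `YOUR-SSID` for the 802.1X check.

```powershell
# Added diagnostic; not from the thread. Run elevated on a domain-joined Windows 7 laptop.
# KB304970 stores "Always wait for the network at computer startup and logon" as
# SyncForegroundPolicy = 1 under the Winlogon key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $winlogon -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
if ($sync -eq 1) {
    Write-Output "SyncForegroundPolicy=1: Winlogon waits for the network before running logon scripts"
} else {
    Write-Output "SyncForegroundPolicy not set: fast logon may use cached credentials and skip logon scripts"
}

# Which adapters are connected right now? NetConnectionStatus 2 = connected.
Get-WmiObject Win32_NetworkAdapter -Filter "NetEnabled=True" |
    Select-Object NetConnectionID, Name, NetConnectionStatus |
    Format-Table -AutoSize

# Is a domain controller reachable over the current link? A healthy secure channel
# while only the wireless adapter is connected means the link itself is not the
# problem; a failure means the DC is unreachable and a cached-credential logon results.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Output "Secure channel to $domain is healthy on the current connection"
} else {
    Write-Output "Secure channel to $domain is NOT available on the current connection"
}

# For an 802.1X profile (the PEAP setup quoted above), the exported profile XML records
# whether the machine may authenticate before a user logs on: <authMode>machineOrUser</authMode>
# corresponds to "Authenticate as computer when computer info available".
# A PSK network (different passwords per AP, as in the question) has no OneX section at all.
$profile = 'YOUR-SSID'   # placeholder: replace with the real profile name
$tmp = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$profile" folder="$tmp" | Out-Null
$xml = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if ($xml) {
    $mode = Select-String -Path $xml.FullName -Pattern '<authMode>([^<]+)</authMode>' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    if ($mode) { Write-Output "802.1X authMode for '$profile': $mode" }
    else { Write-Output "No 802.1X section in '$profile' (PSK or open network): machine authentication is not possible" }
} else {
    Write-Output "Profile '$profile' not found on this machine"
}
```

The exported XML never contains the network key unless `key=clear` is requested, so the temporary folder holds nothing sensitive.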
ASKER CERTIFIED SOLUTION
Is there a way to change over to the windows wireless client with a GPO?
I don't think so.
Thanks guys, I'm sure I'll get it figured out when I find the time.