Solved

Applying group policies over slow links

Posted on 2013-12-03
10
442 Views
Last Modified: 2013-12-04
Hi experts.

First, as with all my latest questions, a "disclaimer": Please only participate if you have met and solved this very problem yourself before.

We use several laptops (win7 x64, domain joined) that connect to our domain via VPN. The network connection can be really slow as it is hotel WLAN or UMTS, sometimes under bad conditions.
Problem: for our users, applying GPOs (computer and user level) takes too long, it takes some time to logon. We would like to apply the GPOs after logon.

My plan was to set the startup type of the Group policy client service to manual and start it after logon via a scheduled task. This works, but introduces a new problem: standard users may not logon any more. I searched, found a hack, http://ayuanx.wordpress.com/2011/08/05/disable-group-policy-win7/ - but that introduces new problems, which I will not spread out here.

Disclaimer, part II: I am also well aware that "slow link detection" exists, but it does not make it any better. Also, using local users, working without the network connection is not an option.

What could I do instead?
0
Comment
Question by:McKnife
10 Comments
 
LVL 18

Assisted Solution

by:Sarang Tinguria
Sarang Tinguria earned 250 total points
ID: 39693365
Hello McKnife,

Have you checked this.??

Apply Group Policy for computers asynchronously during startup
http://msdn.microsoft.com/en-us/library/ms812908.aspx

Apply Group Policy for users asynchronously during logon
http://msdn.microsoft.com/en-us/library/ms812997.aspx
0
 
LVL 53

Author Comment

by:McKnife
ID: 39693497
Hi Sarang.
Where do I find the user policy you mention on a modern DC (2008 and up)? It seems to have changed since Windows 2000, it is nowhere to be found.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 39693540
It is also known as fast logon optimization (async processing).  It is on by default now  http://technet.microsoft.com/en-us/magazine/gg486839.aspx

Have you downloaded the Windows ADK and tried to analyze the boot time.  Matt Reynolds has a great presentation on it  http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/WCA-B317#fbid=LVRiUypTE1s

Thanks

Mike
0
 
LVL 53

Author Comment

by:McKnife
ID: 39693593
Hi Mike.

I know. Fast logon optimization should be at default, that is: on. Nevertheless when logging on, we see policies applying for about a minute at 5mbit per sec umts.

It's not the boot time. That's very fast.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39694645
What policies you have applied can you lets know if is causing delay in time.Check the event log on client computer for any failure og GPO.Have a look at this too.

Group Policy and Logon Impact
http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 53

Author Comment

by:McKnife
ID: 39694803
Let me "set this on hold". Some misconfiguration was found.
Will be back soon, I think it is soon solved.
0
 
LVL 53

Author Comment

by:McKnife
ID: 39694834
Ok, solved.
Misconfig: For diagnostics, the local policy "always wait for the network" was set, which equals shutting down the fast logon optimization. The option was simply forgotten to be taken back. Duh!

I will split the points as you both helped.

I will ask a related question soon, two even, if you are interested. I'll share the links here soon.
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39694835
Thanks!
0
 
LVL 53

Author Comment

by:McKnife
ID: 39694911
See http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28309822.html
[the second related question mentioned won't follow, also solved]
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 39695147
Glat to hear that specific issue has been resolved
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now