Solved

Blocking Group Policy when authenticating to a remote site

Posted on 2016-09-29
Last Modified: 2016-10-10
We have 7 internal Windows 2008 R2 DCs and one remote DC hosted at a partner site. Users run a web-based application hosted by the partner site and authenticated by the remote DC, which has its own AD site. The problem we are still having is that users are stating that logins are taking a long time, and we believe this is due to group policy, since mapped drives and other settings are trying to be applied but are failing.

How can I block the processing of GPs if users are authenticated by this remote DC? Also, the application / vendor does not support ADFS... :-(

Also, I work in a very large environment and have 100 GPs that could be causing a problem here..

Maybe create a WMI filter that would work like: "if the authenticating DC is like ...... do not apply GP"
Question by:compdigit44
23 Comments
 
LVL 19

Author Comment

by:compdigit44
ID: 41821793
Here is what I am thinking... create a WMI query that will look at the client AD site and, if it does not match two possible names, would not apply the GP...

https://social.technet.microsoft.com/Forums/en-US/a46147f1-f2c5-4e86-b1d1-6c3ebb91dbec/detecting-the-sccm-dp-or-ad-site?forum=configmgrgeneral

Thoughts???
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41821891
Before you go blocking policy processing, have you looked at the netlogon.log to see what part of the logon process is delaying the experience?  Do you know for sure these clients are authenticating to the DC in the site?

Aside from netlogon.log, Microsoft provides tools to troubleshoot long logons detailed here:
Troubleshooting tools (MS)

There's also a very good article from Technet Blogs which goes over troubleshooting techniques for long logons:
Troubleshooting slow logons (Technet)

In my opinion, disabling all policies isn't a solution, and even if you are using it as a troubleshooting step, it's heavy-handed and probably unnecessary.  It may be that the problem is related to a policy, but there are better ways to determine that.
 
LVL 19

Author Comment

by:compdigit44
ID: 41821899
I totally understand... the situation we have here is unique and is all set up to support a remote application, not by choice...

Would my idea of creating a WMI query to look at the client AD site work??? If so, how can I test to make sure my WMI query syntax is correct and that all objects referenced are valid on the workstation?

 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41821954
I've never done it, so I can't say if it would work or not.  WMI should be able to identify if a client is in a specific site, though.  You may also try blocking policy inheritance at the site level, but again, that's really a "smashmouth" approach.

I still think there's a better way to troubleshoot this, and just because this was forced on you doesn't mean you can't engineer a good solution.
 
LVL 19

Author Comment

by:compdigit44
ID: 41822042
Can you block all GPs at the site level?
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41822112
My mistake, no.  You can't block them at the site.
 
LVL 19

Author Comment

by:compdigit44
ID: 41824298
I have been using the PowerShell "Get-WmiObject" cmdlet to get a feel for what type of objects WMI is collecting, and I am not seeing one relating to AD sites.
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41826664
I would start by moving the appropriate domain-level GPOs to be site-level GPOs.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41827321
Can you post a screenshot of your GPMC?  This may help us give recommendations.
Please redact all personal information.

What ArneLovius is suggesting is the path I was going to suggest.
 
LVL 19

Author Comment

by:compdigit44
ID: 41832801
I am sorry for the delay in getting back to everyone; I was out sick a couple of days this week and am playing catch-up..

Here is the deal...
All users are members of the same domain. The remote site has a DC at another location that is used by our vendor for authentication to one of their special applications that they host. (And no, they do not support ADFS.)

When users log into the application, which is hosted via Citrix by the remote company, they log in using our / their default network credentials, which in turn tries to pull their user-based GPs, drive mappings, etc... I would like to block all GP from processing if the user's DC is the one that matches the IP of the remote site..

Our GPs are a bit of a mess right now, I will give you that, but nothing is applied at the site level, only at the domain and OU levels..

Hope this helps and thanks again...
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41833705
So the remote physical site is not a site in AD? And does not have a local DC?

Create it as a site in AD Sites and Services and apply the appropriate subnet to it, then unlink the appropriate GPOs from the root of the domain and relink them to the appropriate sites.
 
LVL 19

Author Comment

by:compdigit44
ID: 41834309
The remote DC is in its own site. I cannot unlink the GPs from the domain since our GP structure is not the best right now and it would break things. This is why I was asking if a WMI filter could be created to look at the client's authenticating DC name and/or IP and, if it matches or does not match a list, block the policy from being applied.
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 250 total points
ID: 41834956
If you create an AD site for each physical site, you could link the GPO to each site that needs it and not link it to the site that does not need it.

This is presuming that it is a specific GPO and not the default domain policy.

If you have modified the default domain policy, then a WMI filter is the only way to go.

However, WMI filters are designed to include based on a filter rather than exclude, so while it is simple to build a filter if, say, the default gateway is 192.168.1.1, if you invert the filter with a NOT, then it would be active on every gateway that is not 192.168.1.1, including 127.0.0.1 and any IPv6 gateway, so to use the gateway to effectively exclude you would need to OR every possible gateway, which doesn't scale...
 
LVL 19

Author Comment

by:compdigit44
ID: 41835101
Yes, the previous admin did alter the default domain policy, which is why I was asking about the WMI filter...

So if a WMI filter would take effect when the criteria are met, how would I set up a filter to look at the client's AD site or the authenticating DC's name or IP range?
 
LVL 22

Expert Comment

by:yo_bee
ID: 41835166
When the users log on to their computer, does it take a long time, or is it a terminal server that they are logging into?

Computer and user GPOs process pretty quickly. So if you have 100 GPOs each set up to do a specific setting vs. one or two GPOs that have all the settings in them, you will not really notice the difference if your environment is set up properly.  There is something else that is causing this.

Is your Sites and Services set up properly?
Do you have verbose logging enabled for GP to see which GP may be the one causing the slowdown?
When enabled, it will log how long each GPO took to process.

https://technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx
http://www.thewindowsclub.com/enable-verbose-status-message-windows
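Following up on the netlogon.log and verbose-logging suggestions in this thread, here is an added PowerShell example (not posted by anyone above) that pulls the timing data the Group Policy engine already writes to its Operational event log, so you can see which client-side extension (Drive Maps, Folder Redirection, Scripts, ...) is eating the logon time before filtering or unlinking anything. The 24-hour window and the regexes on the event message text are this script's own assumptions; the event IDs are the documented ones for that log.

```powershell
# Added example, not from the thread: measure what Group Policy actually costs at logon.
# Reads the Microsoft-Windows-GroupPolicy/Operational log (Vista/2008 and later) and reports
# each logon policy pass, the slowest client-side extensions (CSEs), and any GPOs the engine
# filtered out. Run elevated on the machine the user logs on to (for a Citrix-published app
# that is the session host, not the user's own PC).
# Assumptions: the -Hours window is arbitrary, and the regexes below match the English
# message text of these events:
#   8001 / 8004 = user / computer logon policy processing completed ("... in N seconds")
#   5016        = one CSE finished ("Completed <CSE> Extension Processing in N milliseconds")
#   5313        = GPOs that were not applied (security filtering, WMI filter, disabled link)
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddHours(-$Hours)
    Id        = 8001, 8004, 5016, 5313
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Total seconds per policy pass. ActivityId ties each 5016 to the 8001/8004 that closed it.
$passes = foreach ($e in ($events | Where-Object { $_.Id -eq 8001 -or $_.Id -eq 8004 })) {
    if ($e.Message -match 'in (\d+) seconds') {
        $kind = if ($e.Id -eq 8001) { 'user' } else { 'computer' }
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            Kind       = $kind
            Seconds    = [int]$Matches[1]
            ActivityId = $e.ActivityId
        }
    }
}

# Per-CSE durations in milliseconds, so one slow extension stands out instead of
# "group policy" as a whole being blamed.
$cse = foreach ($e in ($events | Where-Object { $_.Id -eq 5016 })) {
    if ($e.Message -match 'Completed (.+?) Extension Processing in (\d+) milliseconds') {
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            CSE        = $Matches[1]
            Ms         = [int]$Matches[2]
            ActivityId = $e.ActivityId
        }
    }
}

'== Policy passes =='
$passes | Sort-Object Time -Descending | Format-Table Time, Kind, Seconds, ActivityId -AutoSize

'== Slowest client-side extensions =='
$cse | Sort-Object Ms -Descending | Select-Object -First 10 | Format-Table Time, CSE, Ms, ActivityId -AutoSize

'== GPOs filtered out (a WMI filter denial shows up here and in gpresult /h as "Denied (WMI Filter)") =='
$events | Where-Object { $_.Id -eq 5313 } | Select-Object -First 3 | ForEach-Object { $_.Message }
```

If the 8001 pass is short but the logon is still slow, the time is going elsewhere (profile load, the Citrix session setup, or DC discovery); for the DC side, `nltest /dbflag:0x2080ffff` followed by a Netlogon service restart turns on %SystemRoot%\debug\netlogon.log (`nltest /dbflag:0x0` turns it off again), and `gpresult /h report.html` gives the per-GPO applied/denied list with the denial reason.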
 
LVL 19

Author Comment

by:compdigit44
ID: 41835271
Thank you for all of the feedback, everyone....... What I am really asking here is if it is even possible to create a WMI filter to look at the user's logon DC or AD site in order to continue processing...

I was able to find a workaround to my issue, which is really the other company's application issue, but I am wondering about this for my own knowledge now.

Thanks Again
 
LVL 22

Accepted Solution

by:yo_bee
yo_bee earned 250 total points
ID: 41835278
Yes, you can have the subnet queried: http://ravingroo.com/1364/wmi-filter-apply-group-policy-specific-ip-subnet/. This should work, but it needs to be applied to all GPOs to block them from applying.
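To tie the accepted subnet approach to ArneLovius's warning about inverting a filter with NOT, and to the earlier question of how to check a query's syntax on a workstation, here is an added PowerShell example (not from anyone in this thread) that dry-runs candidate WMI filter queries with the same namespace and query language GPMC uses, and prints what the client resolved as its logon DC and AD site. The 10.10.x.x addresses are hypothetical placeholders for the remote/partner site's network; the query names are this script's own.

```powershell
# Added example, not from the thread: dry-run candidate WMI filter queries on a client and
# show what that client actually resolved for logon DC and AD site. A GPO with a WMI filter
# applies only when the query returns at least one instance, and the filter is evaluated on
# the computer the user is logging on to (for the Citrix case, the session host).
# 10.10.x.x is a hypothetical placeholder for the remote/partner site's network; replace it
# with the real subnet (or the real default gateway addresses) before building the filter.

# 1. Logon DC and AD site as the client sees them. No standard WMI class exposes either, so a
#    WMI filter cannot key on "which DC authenticated me"; the subnet, read from the default
#    route, is the usable proxy for "which site am I in".
$logonDc = $env:LOGONSERVER
$site    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
"Logon DC: $logonDc   AD site: $site   (cross-check with: nltest /dsgetsite)"

# 2. Candidate queries. Restricting to the single default route row (Destination = '0.0.0.0')
#    is what makes NOT safe: a bare NOT is satisfied by the loopback, on-link and multicast
#    routes that every machine has, so the GPO would apply everywhere.
$queries = @{
    '1-include-remote-site' = "SELECT * FROM Win32_IP4RouteTable WHERE Destination = '0.0.0.0' AND NextHop LIKE '10.10.%'"
    '2-exclude-remote-site' = "SELECT * FROM Win32_IP4RouteTable WHERE Destination = '0.0.0.0' AND NOT NextHop LIKE '10.10.%'"
    '3-exclude-WRONG'       = "SELECT * FROM Win32_IP4RouteTable WHERE NOT NextHop LIKE '10.10.%'"
}

# 3. Dry run. root\CIMv2 is the namespace GPMC uses by default for WMI filters; an invalid
#    WQL statement surfaces here as an exception instead of silently never matching.
foreach ($name in ($queries.Keys | Sort-Object)) {
    try {
        $rows    = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $queries[$name] -ErrorAction Stop)
        $verdict = if ($rows.Count -gt 0) { 'APPLY' } else { 'SKIP ' }
        $routes  = ($rows | ForEach-Object { $_.Destination + '->' + $_.NextHop }) -join ' '
        '{0,-24} {1} rows={2} {3}' -f $name, $verdict, $rows.Count, $routes
    } catch {
        '{0,-24} INVALID: {1}' -f $name, $_.Exception.Message
    }
}
```

On a normal client the first two queries return exactly one row (APPLY on the remote subnet for the include form, APPLY everywhere else for the exclude form) while the third returns several rows on every machine, which is the trap ArneLovius describes. A machine with two default routes (a connected VPN client) returns two rows, so add a Mask or Metric1 condition if that matters in your environment, and remember that per yo_bee's point the exclude filter has to be attached to every GPO that must not run at the remote site, including a modified Default Domain Policy.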
 
LVL 19

Author Comment

by:compdigit44
ID: 41835406
Thank you very much for all of your help
 
LVL 22

Expert Comment

by:yo_bee
ID: 41835408
You want to use a NOT clause to exclude the remote site.
 
LVL 22

Expert Comment

by:yo_bee
ID: 41835411
Please request admin assistance.  I feel points should be distributed to ArneLovius as well.
 
LVL 19

Author Comment

by:compdigit44
ID: 41836085
will do... sorry everyone
