Blocking GP Policy when authenticating to a remote site

Posted on 2016-09-29
Last Modified: 2016-10-10
We have 7 internal Windows 2008 R2 DCs and one remote DC hosted at a partner site. Users run an application which is web based, hosted by the partner site and authenticated by the remote DC, which has its own AD site. The problem we still have is that users are stating that logins are taking a long time, and we believe this is due to group policy, since mapped drives and other settings are trying to be applied but are failing.

How can I block the processing of GPs if users are authenticated by this remote DC? Also, the application / vendor does not support ADFS... :-(

Also, I work in a very large environment and have 100 GPs that could be causing a problem here..

Maybe create a WMI filter that would work like: "if authenticating DC is like ...... do not apply GP"
Question by:compdigit44
23 Comments
Author Comment

by:compdigit44
ID: 41821793
Here is what I am thinking... create a WMI query that will look at the client AD site and, if it does not match two possible names, would not apply the GP...

https://social.technet.microsoft.com/Forums/en-US/a46147f1-f2c5-4e86-b1d1-6c3ebb91dbec/detecting-the-sccm-dp-or-ad-site?forum=configmgrgeneral

Thoughts???
Expert Comment

by:sAMAccountName
ID: 41821891
Before you go blocking policy processing, have you looked at the netlogon.log to see what part of the logon process is delaying the experience? Do you know for sure these clients are authenticating to the DC in the site?

Aside from netlogon.log, Microsoft provides tools to troubleshoot long logons detailed here:
Troubleshooting tools (MS)

There's also a very good article from Technet Blogs which goes over troubleshooting techniques for long logons:
Troubleshooting slow logons (Technet)

In my opinion, disabling all policies isn't a solution, and even if you are using it as a troubleshooting step, it's heavy handed and probably unnecessary. It may be that the problem is related to a policy, but there are better ways to determine that.
Author Comment

by:compdigit44
ID: 41821899
I totally understand... the situation we have here is unique and is all set up to support a remote application, not by choice...

Would my idea of creating a WMI query to look at the client AD site work??? If so, how can I test to make sure my WMI query syntax is correct and that all objects referenced are valid on the workstation?
Expert Comment

by:sAMAccountName
ID: 41821954
I've never done it, so I can't say if it would work or not. WMI should be able to identify if a client is in a specific site, though. You may also try blocking policy inheritance at the site level, but again, that's really a "smashmouth" approach.

I still think there's a better way to troubleshoot this, and just because this was forced on you doesn't mean you can't engineer a good solution.
Author Comment

by:compdigit44
ID: 41822042
Can you block all GPs at the site level?
Expert Comment

by:sAMAccountName
ID: 41822112
My mistake, no. You can't block them at the site.
Author Comment

by:compdigit44
ID: 41824298
I have been using PowerShell "Get-WmiObject" to get a feel for what type of objects WMI is collecting, and I am not seeing one relating to AD sites.
Expert Comment

by:ArneLovius
ID: 41826664
I would start by moving appropriate domain level GPOs to be site level GPOs
Expert Comment

by:yo_bee
ID: 41827321
Can you post a screenshot of your GPMC? This may help us give recommendations.
Please redact all personal information.

What ArneLovius is suggesting is the path I was going to suggest.
Author Comment

by:compdigit44
ID: 41832801
I am sorry for the delay in getting back to everyone; I was out sick a couple of days this week and am playing catch-up..

Here is the deal...
All users are members of the same domain. The remote site has a DC at another location that is used by our vendor for authentication to one of their special applications that they host. (And no, they do not support ADFS)..

When users log into the application, which is hosted via Citrix by the remote company, they log in using our / their default network credentials, which in turn tries to pull their user-based GPs, drive mappings etc... I would like to block all GPs from processing if the user's DC is one that matches the IP of the remote site..

Our GPs are a bit of a mess right now, I will give you that, but nothing is applied at the site level, only at the domain and OU levels..

Hope this helps and thanks again...
Expert Comment

by:ArneLovius
ID: 41833705
So the remote physical site is not a site in AD? And does not have a local DC?

Create it as a site in AD Sites and Services and apply the appropriate subnet to it, then unlink the appropriate GPOs from the root of the domain and relink them to the appropriate sites.
Author Comment

by:compdigit44
ID: 41834309
The remote DC is in its own site. I cannot unlink the GPs from the domain since our GP structure is not the best right now and it would break things. This is why I was asking if a WMI filter could be created to look at the client's authenticating DC name and/or IP and, if it matches or does not match a list, would block the policy from being applied.
Assisted Solution

by:ArneLovius
ArneLovius earned 1000 total points
ID: 41834956
If you create an AD site for each physical site, you could link the GPO to each site that needs it and not link it to the site that does not need it.

This is presuming that it is a specific GPO and not the default domain policy.

If you have modified the default domain policy, then a WMI filter is the only way to go.

However, WMI filters are designed to include based on a filter rather than exclude, so while it is simple to build a filter if, say, the default gateway is 192.168.1.1, if you invert the filter with a NOT, then it would be active on every gateway that is not 192.168.1.1, including 127.0.0.1 and any IPv6 gateway, so to use the gateway to effectively exclude you would need to OR every possible gateway, which doesn't scale...
Author Comment

by:compdigit44
ID: 41835101
Yes, a previous admin did alter the default domain policy, which is why I was asking about the WMI filter...

So if a WMI filter would take effect when the criteria are met, how would I set up a filter to look at the client's AD site or authenticating DC's name or IP range?
Expert Comment

by:yo_bee
ID: 41835166
When the users log on to their computer, does it take a long time, or is it a terminal server that they are logging into?

Computer and user GPOs process pretty quickly. So if you have 100 GPOs each set up to do a specific setting vs. one or two GPOs that have all the settings in them, you will not really notice the difference if your environment is set up properly. There is something else that is causing this.

Is your Sites and Services set up properly?
Do you have verbose logging enabled for GP to see which GP may be the one causing the slowdown?
When enabled, it will log how long each GPO took to process.

https://technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx
http://www.thewindowsclub.com/enable-verbose-status-message-windows
Author Comment

by:compdigit44
ID: 41835271
Thank you for all of the feedback, everyone....... What I am really asking here is if it is even possible to create a WMI filter to look at the user's logon DC or AD site in order to continue processing...

I was able to find a workaround to my issue, which is really the other company's application issue, but I am wondering about this for my own knowledge now.

Thanks Again
Accepted Solution

by:yo_bee
yo_bee earned 1000 total points
ID: 41835278
Yes, you can have the subnet queried: http://ravingroo.com/1364/wmi-filter-apply-group-policy-specific-ip-subnet/. This should work, but it needs to be applied to all GPOs to block them from applying.
Author Comment

by:compdigit44
ID: 41835406
Thank you very much for all of your help
Expert Comment

by:yo_bee
ID: 41835408
You want to use a NOT clause to exclude the remote site.
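Editor's added example, not code from the thread or from any of the participants. It covers three things raised above: the author's question of how to test a WMI filter's syntax before trusting it, ArneLovius's warning that a NOT-inverted filter also matches loopback and other addresses, and yo_bee's accepted subnet-based query with a NOT clause. A GPO WMI filter is evaluated by the Group Policy engine on the computer processing the policy, and the GPO applies only when the WQL query returns at least one instance, so the test is simply "does this query return rows on this machine?". The site name, subnet prefix and NetBIOS domain name are placeholders, and the use of Win32_NTDomain (ClientSiteName) and Win32_IP4RouteTable (/32 host routes) as the filter sources is this example's choice, not something the thread prescribes.

```powershell
# Added example (not from the thread): evaluate candidate GP WMI-filter queries on a
# domain-joined Windows client the same way the Group Policy engine does. A WMI filter
# is TRUE (the GPO applies) when the WQL query returns at least one instance and FALSE
# when it returns none. Run this on a client in each AD site and compare the results
# before linking any filter in GPMC.

# Assumptions (placeholders; change them for your forest):
$RemoteSiteName   = 'Partner-Site'   # AD site name of the partner-hosted DC
$RemoteSubnetLike = '10.200.%'       # IPv4 prefix of the partner site, WQL wildcard form
$DomainNetBios    = 'CONTOSO'        # NetBIOS name of the domain this client is joined to

function Test-GpWmiFilter {
    # Reports whether a WQL query, used as a GPO WMI filter, would let the GPO apply here.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query
    )
    try {
        $rows = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Filter = $Name; GpoApplies = ($rows.Count -gt 0); Matches = $rows.Count; Error = $null }
    } catch {
        # A query WMI rejects is useless as a filter; fix the syntax before linking it.
        [pscustomobject]@{ Filter = $Name; GpoApplies = $false; Matches = 0; Error = $_.Exception.Message }
    }
}

# Candidate 1: key on the AD site the client resolved through the DC locator.
# Win32_NTDomain returns one row per domain (joined + trusted), so pin it to the joined domain.
$bySite = @"
SELECT * FROM Win32_NTDomain
WHERE DomainName = '$DomainNetBios' AND ClientSiteName <> '$RemoteSiteName'
"@

# Candidate 2 (naive): "not in the remote subnet" using the /32 host routes in the route table.
# This is the trap ArneLovius describes: 127.0.0.1, the limited broadcast 255.255.255.255 and
# each subnet's broadcast route also carry a /32 mask, so the NOT branch matches on every host.
$naiveSubnet = @"
SELECT * FROM Win32_IP4RouteTable
WHERE Mask = '255.255.255.255' AND NOT Destination LIKE '$RemoteSubnetLike'
"@

# Candidate 2 (guarded): strip loopback, link-local and broadcast rows first so that only real
# interface addresses are left for the NOT clause to judge. The '%.255' guard assumes no
# interface address legitimately ends in .255 (true for /24 and smaller subnets).
$guardedSubnet = @"
SELECT * FROM Win32_IP4RouteTable
WHERE Mask = '255.255.255.255'
  AND NOT Destination LIKE '127.%'
  AND NOT Destination LIKE '169.254.%'
  AND NOT Destination LIKE '%.255'
  AND NOT Destination LIKE '$RemoteSubnetLike'
"@

$results = @(
    Test-GpWmiFilter -Name 'ClientSiteName <> remote site' -Query $bySite
    Test-GpWmiFilter -Name 'NOT remote subnet (naive)'     -Query $naiveSubnet
    Test-GpWmiFilter -Name 'NOT remote subnet (guarded)'   -Query $guardedSubnet
)
$results | Format-Table -AutoSize

# Show why the naive query is wrong: the /32 destinations it matched on this host.
Write-Host "`nHost routes matched by the naive filter:"
Get-CimInstance -Namespace 'root\cimv2' -Query $naiveSubnet |
    Select-Object Destination, InterfaceIndex | Format-Table -AutoSize

# What this client actually resolved, to compare against the filter inputs above.
Get-CimInstance -ClassName Win32_NTDomain -Filter "DomainName = '$DomainNetBios'" |
    Select-Object DomainName, ClientSiteName, DcSiteName, DomainControllerName, DomainControllerAddress
```

Two caveats matter for the scenario in this thread. First, the filter runs on whichever computer is processing the policy: for the Citrix-hosted application that is the partner's session host, not the user's own workstation, and a user-side GPO with a WMI filter is still evaluated on that host. Second, Win32_NTDomain reflects the computer's own DC locator result (the same thing nltest /dsgetsite reports), not which DC authenticated a particular user, so a filter can distinguish "which site is this machine in" but not "which DC did this user log on through". After linking a filter, gpresult /r on the client lists the GPOs it blocked under "Filtering: Denied (WMI Filter)", which is the quickest way to confirm the filter did what the local test predicted.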
Expert Comment

by:yo_bee
ID: 41835411
Please request admin assistance.  I feel points should be distributed to ArneLovius as well.
Author Comment

by:compdigit44
ID: 41836085
will do... sorry everyone