Solved

Blocking GP Policy when authentication to a remote site

Posted on 2016-09-29
130 Views
Last Modified: 2016-10-10
We have 7 internal Windows 2008 R2 DCs and one remote DC hosted at a partner site. Users run an application which is web based, hosted by the partner site, and authenticated by the remote DC, which does have its own AD site. The problem we are having is that users are stating that logins are taking a long time, and we believe this is due to group policy, since mapped drives and other settings are trying to be applied but are failing.

How can I block the processing of GPs if users are authenticated by this remote DC? Also, the application / vendor does not support ADFS... :-(

Also, I work in a very large environment and have 100 GPs that could be causing a problem here..

Maybe create a WMI filter that would work like: "if authenticating DC is like ...... do not apply GP"
0
Question by:compdigit44
21 Comments
 
LVL 20

Author Comment

by:compdigit44
ID: 41821793
Here is what I am thinking... create a WMI query that will look at the client AD site and, if it does not match two possible names, would not apply the GP...

https://social.technet.microsoft.com/Forums/en-US/a46147f1-f2c5-4e86-b1d1-6c3ebb91dbec/detecting-the-sccm-dp-or-ad-site?forum=configmgrgeneral

Thoughts???
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41821891
Before you go blocking policy processing, have you looked at the netlogon.log to see what part of the logon process is delaying the experience? Do you know for sure these clients are authenticating to the DC in the site?

Aside from netlogon.log, Microsoft provides tools to troubleshoot long logons detailed here:
Troubleshooting tools (MS)

There's also a very good article from TechNet Blogs which goes over troubleshooting techniques for long logons:
Troubleshooting slow logons (Technet)

In my opinion, disabling all policies isn't a solution, and even if you are using it as a troubleshooting step, it's heavy handed and probably unnecessary. It may be that the problem is related to a policy, but there are better ways to determine that.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41821899
I totally understand... the situation we have here is unique and is all set up to support a remote application, not by choice...

Would my idea of creating a WMI query to look at the client AD site work??? If so, how can I test to make sure my WMI query syntax is correct and that all objects referenced are valid on the workstation?
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41821954
I've never done it, so I can't say if it would work or not. WMI should be able to identify if a client is in a specific site though. You may also try blocking policy inheritance at the site level, but again, that's really a "smashmouth" approach.

I still think there's a better way to troubleshoot this, and just because this was forced on you doesn't mean you can't engineer a good solution.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41822042
Can you block all GP's at the site level?
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41822112
My mistake, no. You can't block them at the site.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41824298
I have been using PowerShell "Get-WmiObject" to get a feel for what type of objects WMI is collecting and I am not seeing one relating to AD sites.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41826664
I would start by moving appropriate domain level GPOs to be site level GPOs
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41827321
Can you post a screenshot of your GPMC? This may help us give recommendations.
Please redact all personal information.

What ArneLovius is suggesting is the path I was going to suggest.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41832801
I am sorry for the delay in getting back to everyone; I was out sick a couple of days this week and am playing catch-up..

Here is the deal...
All users are members of the same domain. The remote site has a DC at another location that is used by our vendor for authentication to one of their special applications that they host. (And no, they do not support ADFS)..

When users log into the application, which is hosted via Citrix by the remote company, they log in using our / their default network credentials, which in turn tries to pull their user-based GPs, drive mappings, etc... I would like to block all GP from processing if the user's DC is the one which matches the IP of the remote site..

Our GPs are a bit of a mess right now, I will give you that, but nothing is applied at the site level, only at the Domain and OU levels..

Hope this helps and thanks again...
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41833705
So the remote physical site is not a site in AD? And does not have a local DC?

Create it as a site in AD Sites and Services and apply the appropriate subnet to it, then unlink the appropriate GPOs from the root of the domain and relink them to the appropriate sites.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41834309
The remote DC is in its own site. I cannot unlink the GP from the domain since our GP structure is not the best right now and it would break things. This is why I was asking if a WMI filter could be created to look at the client's authenticating DC name and/or IP and, if it matches or does not match a list, block the policy from being applied.
0
 
LVL 37

Assisted Solution

by:ArneLovius
ArneLovius earned 1000 total points
ID: 41834956
If you create an AD site for each physical site, you could link the GPO to each site that needs it, and not link it to the site that does not need it.

This is presuming that it is a specific GPO and not the default domain policy.

If you have modified the default domain policy, then a WMI filter is the only way to go.

However, WMI filters are designed to include based on a filter rather than exclude, so while it is simple to build a filter if, say, the default gateway is 192.168.1.1, if you invert the filter with a NOT, then it would be active on every gateway that is not 192.168.1.1, including 127.0.0.1 and any IPv6 gateway, so to use the gateway to effectively exclude you would need to OR every possible gateway, which doesn't scale...
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41835101
Yes, a previous admin did alter the default domain policy, which is why I was asking about the WMI filter...

So if a WMI filter would take effect when the criteria are met, how would I set up a filter to look at the client's AD site or authenticating DC's name or IP range?
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41835166
When the users log on to their computer, does it take a long time, or is it a terminal server that they are logging into?

Computer and User GPOs process pretty quickly. So if you have 100 GPOs each set up to do a specific setting vs. one or two GPOs that have all the settings in them, you will not really notice the difference if your environment is set up properly. There is something else that is causing this.

Is your Sites and Services set up properly?
Do you have verbose logging enabled for GP to see which GP may be the one causing the slowdown?
When enabled, it will log how long each GPO took to process.

https://technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx
http://www.thewindowsclub.com/enable-verbose-status-message-windows
0
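The per-GPO timing yo_bee refers to also lands in the Group Policy operational event log, which can be read without any extra logging switched on. The script below is an added example, not code from this thread or from the linked articles: it pulls the "completed extension processing" events (ID 5016) from a client, ranks the slowest client-side extension runs, and for the worst one lists the GPOs that were applied (5312) and filtered out (5313) in the same processing pass. The regular expression over the 5016 message text is an assumption and should be checked against the wording in your own log.

```powershell
# Added example: find which Group Policy client-side extension (CSE) is slow
# on a client, from Microsoft-Windows-GroupPolicy/Operational (enabled by default
# on Windows 7 / 2008 R2 and later). Run in an elevated PowerShell session.
param(
    [int]$Hours = 24,   # how far back to look
    [int]$Top   = 10    # how many slow runs to show
)

$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Event 5016 is written when a CSE finishes; its message ends with the elapsed
# time in milliseconds (message layout assumed, verify against your log).
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { "No CSE completion events in the last $Hours hour(s)."; return }

$rows = foreach ($e in $events) {
    if ($e.Message -match 'Completed (?<cse>.+?) Extension Processing in (?<ms>\d+) milliseconds') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            ActivityId = $e.ActivityId   # ties all events of one processing pass together
            Extension  = $Matches.cse
            Millis     = [int]$Matches.ms
        }
    }
}

"Slowest extension runs in the last $Hours hour(s):"
$rows | Sort-Object Millis -Descending | Select-Object -First $Top | Format-Table -AutoSize

"Total time per extension:"
$rows | Group-Object Extension |
    Select-Object Name, Count, @{ n = 'TotalMs'; e = { ($_.Group | Measure-Object Millis -Sum).Sum } } |
    Sort-Object TotalMs -Descending | Format-Table -AutoSize

# For the single worst run, show which GPOs were in play for that pass:
# 5312 = applicable GPOs, 5313 = GPOs that were filtered out (e.g. by WMI filters).
$worst = $rows | Sort-Object Millis -Descending | Select-Object -First 1
if ($worst) {
    "GPO lists for the slowest pass ($($worst.Extension), $($worst.Millis) ms):"
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5312, 5313; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.ActivityId -eq $worst.ActivityId } |
        ForEach-Object { "--- Event $($_.Id) ---"; $_.Message }
}
```

Save it as, for example, Get-SlowCse.ps1 and run it on one of the affected workstations right after a slow logon. If the Group Policy Drive Maps or Folder Redirection extension dominates and the 5312 list shows domain-linked GPOs, that confirms the thread's diagnosis far more precisely than switching policy off would.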
 
LVL 20

Author Comment

by:compdigit44
ID: 41835271
Thank you for all of the feedback everyone....... What I am really asking here is if it is even possible to create a WMI filter to look at the user's login DC or AD site in order to continue processing...

I was able to find a workaround to my issue, which is really the other company's application issue, but I'm wondering about this for my own knowledge now.

Thanks Again
0
 
LVL 24

Accepted Solution

by:yo_bee
yo_bee earned 1000 total points
ID: 41835278
Yes, you can have the subnet queried: http://ravingroo.com/1364/wmi-filter-apply-group-policy-specific-ip-subnet/. This should work, but it needs to be applied to all GPOs to block them from applying.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41835406
Thank you very much for all of your help
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41835408
You want to use a NOT clause to exclude the remote site.
0
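The three points that came up in the thread (testing a WMI filter's syntax on a workstation, a subnet-based filter, and why a plain NOT does not exclude the remote site) can all be checked on one client with the script below. It is an added example, not code from the thread or from the linked ravingroo article. It relies on how Group Policy evaluates a WMI filter: the filter passes when its WQL query returns at least one instance, so each candidate query is run against root\CIMv2 and the instance count is reported. The subnet 10.20.30.0/24, the site name RemoteVendorSite and the NetBIOS domain name CORP are constructed placeholders; Win32_IP4RouteTable, Win32_NTDomain and the Netlogon DynamicSiteName registry value are real, but verify that Win32_NTDomain's ClientSiteName matches what `nltest /dsgetsite` reports on your clients before building a production filter on it.

```powershell
# Added example: evaluate candidate WMI filter queries the way Group Policy does.
# A filter "applies" when the query returns one or more instances.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # namespace GPMC uses by default
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    } catch {
        # A wrong class or property name, or bad WQL, surfaces here: this is the
        # syntax/validity check the original poster asked about.
        return [pscustomobject]@{ Query = $Query; Valid = $false; Matches = 0; Applies = $false; Error = $_.Exception.Message }
    }
    [pscustomobject]@{ Query = $Query; Valid = $true; Matches = $hits.Count; Applies = ($hits.Count -gt 0); Error = $null }
}

# Constructed placeholders: adjust to the vendor DC's subnet, its AD site and your domain.
$remoteNet  = '10.20.30.0'
$remoteMask = '255.255.255.0'
$remoteSite = 'RemoteVendorSite'
$domain     = 'CORP'

$queries = @(
    # 1. Include-style subnet filter (the approach in the accepted answer):
    #    true only on a host that has a route to the remote subnet.
    "SELECT * FROM Win32_IP4RouteTable WHERE Destination = '$remoteNet' AND Mask = '$remoteMask'",

    # 2. Naive inversion. The route table always contains other rows (loopback,
    #    multicast, default route), so this returns rows on EVERY host, including
    #    those in the remote subnet, and therefore never excludes anything.
    #    This is the scaling problem ArneLovius described.
    "SELECT * FROM Win32_IP4RouteTable WHERE Destination <> '$remoteNet'",

    # 3. Site-based include: Win32_NTDomain reports the client's site and the DC
    #    it found. It enumerates trusted domains too, so it can be slow on hosts
    #    with many trusts.
    "SELECT * FROM Win32_NTDomain WHERE DomainName = '$domain' AND ClientSiteName = '$remoteSite'",

    # 4. A NOT that really excludes: restrict to a class that yields exactly ONE
    #    row per host (your own domain), then negate on that single row.
    "SELECT * FROM Win32_NTDomain WHERE DomainName = '$domain' AND ClientSiteName <> '$remoteSite'",

    # 5. Deliberate typo to show what an invalid query looks like.
    "SELECT * FROM Win32_IP4RouteTabel WHERE Destination = '$remoteNet'"
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List

# What the client itself reports, for comparison with the query results.
# DynamicSiteName is written by Netlogon once site discovery has succeeded.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
"Client site (Netlogon): $($netlogon.DynamicSiteName)"
"Logon server:           $env:LOGONSERVER"
```

Run it on a workstation in the head-office subnet and on one in the remote subnet: query 1 and 3 should apply only on the remote host, query 2 applies on both (which is the trap), query 4 applies only on the head-office host, and query 5 reports Valid = False with the provider's error text. Only once a query behaves correctly on both kinds of client is it worth pasting into a GPMC WMI filter and linking to the GPOs.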
 
LVL 24

Expert Comment

by:yo_bee
ID: 41835411
Please request admin assistance.  I feel points should be distributed to ArneLovius as well.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41836085
Will do... sorry everyone.
0