Solved

Blocking GP Policy when authentication to a remote site

Posted on 2016-09-29
89 Views
Last Modified: 2016-10-10
We have 7 internal Windows 2008 R2 DCs and one remote DC hosted at a partner site. Users run an application which is web based, hosted by the partner site and authenticated by the remote DC, which does have its own AD site. The problem we are still having is that users are stating that logins are taking a long time, and we believe this is due to group policy, since mapped drives and other settings are trying to be applied but are failing.

How can I block the processing of GPs if users are authenticated by this remote DC? Also, the application / vendor does not support ADFS... :-(

Also, I work in a very large environment and have 100 GPs that could be causing a problem here..

Maybe create a WMI filter that would work like: "if authenticating DC is like ...... do not apply GP"

Question by:compdigit44
23 Comments
 
Author Comment
by:compdigit44
Here is what I am thinking... create a WMI query that will look at the client AD site and, if it does not match two possible names, would not apply the GP...

https://social.technet.microsoft.com/Forums/en-US/a46147f1-f2c5-4e86-b1d1-6c3ebb91dbec/detecting-the-sccm-dp-or-ad-site?forum=configmgrgeneral

Thoughts???
 
Expert Comment
by:sAMAccountName
Before you go blocking policy processing, have you looked at the netlogon.log to see what part of the logon process is delaying the experience? Do you know for sure these clients are authenticating to the DC in the site?

Aside from netlogon.log, Microsoft provides tools to troubleshoot long logons, detailed here:
Troubleshooting tools (MS)

There's also a very good article from Technet Blogs which goes over troubleshooting techniques for long logons:
Troubleshooting slow logons (Technet)

In my opinion, disabling all policies isn't a solution, and even if you are using it as a troubleshooting step, it's heavy handed and probably unnecessary. It may be the problem is related to a policy, but there are better ways to determine that.
 
Author Comment
by:compdigit44
I totally understand... the situation we have here is unique and is all set up to support a remote application, not by choice...

Would my idea of creating a WMI query to look at the client AD site work??? If so, how can I test to make sure my WMI query syntax is correct and that all objects referenced are valid on the workstation?
 
Expert Comment
by:sAMAccountName
I've never done it, so I can't say if it would work or not. WMI should be able to identify if a client is in a specific site though. You may also try blocking policy inheritance at the site level, but again, that's really a "smashmouth" approach.

I still think there's a better way to troubleshoot this, and just because this was forced on you doesn't mean you can't engineer a good solution.
 
Author Comment
by:compdigit44
Can you block all GPs at the site level?
 
Expert Comment
by:sAMAccountName
My mistake, no. You can't block them at the site.
 
Author Comment
by:compdigit44
I have been using PowerShell "Get-WmiObject" to get a feel for what type of objects WMI is collecting, and I am not seeing one relating to AD sites.
 
Expert Comment
by:ArneLovius
I would start by moving appropriate domain level GPOs to be site level GPOs.
 
Expert Comment
by:yo_bee
Can you post a screenshot of your GPMC? This may help us give recommendations.
Please redact all personal information.

What ArneLovius is suggesting is the path I was going to suggest.
 
Author Comment
by:compdigit44
I am sorry for the delay in getting back to everyone; I was out sick a couple of days this week and am playing catch-up..

Here is the deal...
All users are members of the same domain. The remote site has a DC at another location that is used by our vendor for authentication to one of their special applications that they host. (And no, they do not support ADFS)..

When users log into the application, which is hosted via Citrix by the remote company, users log in using our / their default network credentials, which in turn tries to pull their user based GPs, drive mappings etc... I would like to block all GPs from processing if the user's DC is one that matches the IP of the remote site..

Our GPs are a bit of a mess right now, I will give you that, but nothing is applied at the site level, only at the domain and OU levels..

Hope this helps and thanks again...
 
Expert Comment
by:ArneLovius
So the remote physical site is not a site in AD? And does not have a local DC?

Create it as a site in AD Sites and Services and apply the appropriate subnet to it, then unlink the appropriate GPOs from the root of the domain and relink them to the appropriate sites.
 
Author Comment
by:compdigit44
The remote DC is in its own site. I cannot unlink the GPs from the domain, since our GP structure is not the best right now and it would break things. This is why I was asking if a WMI filter could be created to look at the client's authenticating DC name and/or IP and, if it matches or does not match a list, would block the policy from being applied.
 
Assisted Solution
by:ArneLovius (earned 250 total points)
If you create an AD site for each physical site, you could link the GPO to each site that needs it, and not link it to the site that does not need it.

This is presuming that it is a specific GPO and not the Default Domain Policy.

If you have modified the Default Domain Policy, then a WMI filter is the only way to go.

However, WMI filters are designed to include based on a filter rather than exclude, so while it is simple to build a filter for, say, the default gateway being 192.168.1.1, if you invert the filter with a NOT, then it would be active on every gateway that is not 192.168.1.1, including 127.0.0.1 and any IPv6 gateway, so to use the gateway to effectively exclude you would need to OR every possible gateway, which doesn't scale...
 
Author Comment
by:compdigit44
Yes, the previous admin did alter the Default Domain Policy, which is why I was asking about the WMI filter...

So if a WMI filter would take effect if the criteria are met, how would I set up a filter to look at the client's AD site or authenticating DC's name or IP range?
 
Expert Comment
by:yo_bee
When the users log on to their computer, does it take a long time, or is it a terminal server that they are logging into?

Computer and user GPOs process pretty quickly. So if you have 100 GPOs each set up to do a specific setting vs. one or two GPOs that have all the settings in them, you will not really notice the difference if your environment is set up properly. There is something else that is causing this.

Is your Sites and Services set up properly?
Do you have verbose logging enabled for GP to see which GP may be the one causing the slowdown?
When enabled, it will log how long each GPO took to process.

https://technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx
http://www.thewindowsclub.com/enable-verbose-status-message-windows
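Editor's added example, not part of yo_bee's comment or of the original thread: the per-GPO timing yo_bee refers to is also recorded, without any extra configuration, in the Group Policy operational event log that Windows Vista / Server 2008 and later clients keep. The script below reads the most recent user logon pass from that log and breaks it down by client-side extension, which answers "which of the 100 GPOs is slow" far more directly than blocking policy. Event IDs (8001 for the completed user logon pass, 5016/6016/7016 for each extension's elapsed time, 5312/5317 for the applied and filtered GPO lists) and the XML field names are those documented for Microsoft-Windows-GroupPolicy/Operational; the function name Get-GPLogonTiming and the default of 3000 events are this example's own choices. It needs an elevated PowerShell on the machine the users actually log on to (in this thread, the Citrix server at the partner), or a -ComputerName it can reach over event log RPC.

```powershell
# Added example (not from the thread): name the slow part of user logon policy processing
# from the Group Policy operational log instead of blocking all GPOs.
function Get-GPLogonTiming {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 3000     # assumption: enough history to cover the last logon pass
    )
    $logName = 'Microsoft-Windows-GroupPolicy/Operational'
    # Get-WinEvent returns newest first, so the first 8001 is the latest completed user logon pass.
    $events = Get-WinEvent -ComputerName $ComputerName -LogName $logName -MaxEvents $MaxEvents -ErrorAction Stop
    $endEvt = $events | Where-Object { $_.Id -eq 8001 } | Select-Object -First 1
    if (-not $endEvt) { throw "No event 8001 (completed user logon policy processing) in $logName on $ComputerName" }

    # Every event of one processing pass carries the same ActivityId; filtering on it keeps this
    # logon's extension timings apart from later background refreshes in the same log.
    $pass = $events | Where-Object { $_.ActivityId -eq $endEvt.ActivityId }

    # Pull the named <Data> fields out of an event's XML (locale-independent, unlike .Message).
    function Get-EventData($evt) {
        $h = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    $endData = Get-EventData $endEvt
    $totalSeconds = $endData['PolicyElaspedTimeInSeconds']      # Windows' own spelling of the field
    if (-not $totalSeconds -and $endEvt.Message -match 'in (\d+) second') { $totalSeconds = $Matches[1] }

    # 5016 = extension finished ok, 6016 = finished with a warning, 7016 = failed; all three carry
    # the elapsed milliseconds, so a failing drive-map extension still shows how long it hung.
    $cse = foreach ($e in ($pass | Where-Object { 5016, 6016, 7016 -contains $_.Id })) {
        $d = Get-EventData $e
        New-Object PSObject -Property @{
            Extension    = $d['CSEExtensionName']
            Milliseconds = [int]$d['CSEElaspedTimeInMilliSeconds']
            Result       = $(switch ($e.Id) { 5016 { 'ok' } 6016 { 'warning' } 7016 { 'error' } })
            ErrorCode    = $d['ErrorCode']
        }
    }

    # 5312 lists the GPOs that applied, 5317 the ones dropped by security or WMI filtering.
    $applied  = $pass | Where-Object { $_.Id -eq 5312 } | Select-Object -First 1
    $filtered = $pass | Where-Object { $_.Id -eq 5317 } | Select-Object -First 1

    New-Object PSObject -Property @{
        Computer     = $ComputerName
        User         = $endData['PrincipalSamName']
        LoggedAt     = $endEvt.TimeCreated
        TotalSeconds = $totalSeconds
        Extensions   = @($cse | Sort-Object Milliseconds -Descending)
        AppliedGPOs  = $(if ($applied)  { $applied.Message }  else { $null })
        FilteredGPOs = $(if ($filtered) { $filtered.Message } else { $null })
    }
}

# Usage: run on the slow client or Citrix server. The extension table shows whether Drive Maps,
# Folder Redirection, Scripts or another CSE consumed the logon; the 5317 text shows which GPOs
# filtering already removed, i.e. where a new WMI filter would actually change anything.
$r = Get-GPLogonTiming
"{0} on {1} at {2}: user policy processing took {3} s" -f $r.User, $r.Computer, $r.LoggedAt, $r.TotalSeconds
$r.Extensions | Format-Table Extension, Milliseconds, Result, ErrorCode -AutoSize
$r.FilteredGPOs
```

If a single extension carries most of the total, the fix is in that extension's settings (an unreachable file server behind a drive map, for example), not in the number of GPOs, which matches yo_bee's point that 100 small GPOs are not in themselves slow.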
 
Author Comment
by:compdigit44
Thank you for all of the feedback everyone....... What I am really asking here is if it is even possible to create a WMI filter to look at the user's logon DC or AD site in order to continue processing...

I was able to find a workaround to my issue, which is really the other company's application issue, but I am wondering about this for my own knowledge now.

Thanks again
 
Accepted Solution
by:yo_bee (earned 250 total points)
Yes, you can have the subnet queried: http://ravingroo.com/1364/wmi-filter-apply-group-policy-specific-ip-subnet/. This should work, but it needs to be applied to all GPOs to block them from applying.
 
Author Comment
by:compdigit44
Thank you very much for all of your help
 
Expert Comment
by:yo_bee
You want to use a NOT clause to exclude the remote site.
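Editor's added example, not part of the accepted answer or of the thread: it ties together three open points above, the question of how to test a WMI filter's WQL before attaching it (compdigit44), the class that exposes the client's AD site and bound DC, which plain Get-WmiObject enumeration did not turn up (Win32_NTDomain, with ClientSiteName and DomainControllerName), and ArneLovius' warning that inverting a filter with NOT matches far more than intended. The script runs each candidate query exactly as the Group Policy engine would and reports whether a GPO carrying that filter would apply on this machine. It generalises ArneLovius' default-gateway example to the route table used by the subnet method in the accepted answer. The site name 'PartnerSite', the NetBIOS domain 'CORP' and the subnet 10.99.0.0/16 are placeholders, not values from the original post. Because a WMI filter is evaluated on the computer that processes the policy, for user as well as computer settings, the machine to run this on in the thread's scenario is the partner-hosted Citrix server, not the user's PC.

```powershell
# Added example (not from the thread): dry-run WMI filter queries on a client. A WMI filter
# lets its GPO apply only when the WQL returns at least one instance, so GpoApplies below is
# exactly the decision the Group Policy engine would make on this machine.
$NetbiosDomain  = 'CORP'         # assumption: NetBIOS name of the users' domain
$RemoteSiteName = 'PartnerSite'  # assumption: AD site name of the partner-hosted DC
$RemoteSubnet   = '10.99.%'      # assumption: WQL LIKE pattern for the partner's 10.99.0.0/16

function Test-WmiFilterQuery {
    param([Parameter(Mandatory = $true)][string]$Query, [string]$Namespace = 'root\cimv2')
    # Get-WmiObject -Query sends the same WQL the Group Policy engine will run, so a wrong class
    # or property name fails here instead of silently skipping the GPO on every client.
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        New-Object PSObject -Property @{ Query = $Query; Valid = $true;  Matches = $hits.Count; GpoApplies = ($hits.Count -gt 0); Error = $null }
    } catch {
        New-Object PSObject -Property @{ Query = $Query; Valid = $false; Matches = 0;           GpoApplies = $false;             Error = $_.Exception.Message }
    }
}

# 1. The class the thread could not find: Win32_NTDomain carries the AD site the computer's own
#    subnet maps to (ClientSiteName) and the DC it is bound to (DomainControllerName). It returns
#    one row per known domain/trust, so pin the query to one row before inverting anything.
Get-WmiObject Win32_NTDomain | Where-Object { $_.ClientSiteName } |
    Format-List DomainName, ClientSiteName, DomainControllerName, DomainControllerAddress

# Apply the GPO everywhere except the partner site. With DomainName fixed, the query has exactly
# one candidate row, so "<>" is true precisely on machines whose site is not the partner's.
$siteFilter = "SELECT * FROM Win32_NTDomain WHERE DomainName = '$NetbiosDomain' AND ClientSiteName <> '$RemoteSiteName'"

# 2. The subnet method from the accepted answer: a computer's own IP addresses show up in
#    Win32_IP4RouteTable as /32 host routes, one row per address. This is an include filter.
$inSubnet = "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' AND Destination LIKE '$RemoteSubnet'"

# 3. The trap ArneLovius describes: a bare NOT is true on every machine, because the route table
#    always holds rows such as 127.0.0.1, 255.255.255.255 and the 224.0.0.0 multicast route,
#    none of which are in the partner subnet.
$naiveNot = "SELECT * FROM Win32_IP4RouteTable WHERE NOT Destination LIKE '$RemoteSubnet'"

# Excluding the constant rows makes the inversion behave on a single-NIC machine, but any extra
# /32 (a VPN adapter, a Hyper-V or VMware virtual NIC, a second subnet's broadcast address) makes
# it true again. That is why exclusion by address does not scale and the site filter is safer.
$scopedNot = "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' AND Destination <> '127.0.0.1' AND Destination <> '255.255.255.255' AND NOT Destination LIKE '$RemoteSubnet'"

$siteFilter, $inSubnet, $naiveNot, $scopedNot |
    ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table GpoApplies, Matches, Valid, Error, Query -AutoSize -Wrap
```

Run it once on a machine inside the partner site and once on one outside; a query is only usable as an exclusion filter if GpoApplies is False on the first and True on the second. Two caveats a practitioner would want: the filter has to be attached to every GPO that should be skipped (as the accepted answer says), and each attached filter is evaluated on every processing pass, so a class that is slow to enumerate (Win32_NTDomain can take several seconds in forests with many trusts) adds to the very logon time the filter is meant to cut. Measure before and after with the Group Policy operational log.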
 
Expert Comment
by:yo_bee
Please request admin assistance. I feel points should be distributed to ArneLovius as well.
 
Author Comment
by:compdigit44
Will do... sorry everyone
