compdigit44 asked:

Blocking GP policy when authenticating to a remote site

We have 7 internal Windows 2008 R2 DCs and one remote DC hosted at a partner site. Users run an application which is web based, hosted by the partner site and authenticated by the remote DC, which does have its own AD site. The problem we still have is that users are stating that logins are taking a long time, and we believe this is due to group policy, since mapped drives and other settings are trying to be applied but are failing.

How can I block the processing of GPs if users are authenticated by this remote DC? Also, the application / vendor does not support ADFS... :-(

Also, I work in a very large environment and have 100 GPs that could be causing a problem here..

Maybe create a WMI filter that would work like: "if authenticating DC is like ...... do not apply GP"

compdigit44 (ASKER):

Here is what I am thinking... create a WMI query that will look at the client AD site and, if it does not match two possible names, would not apply the GP...

https://social.technet.microsoft.com/Forums/en-US/a46147f1-f2c5-4e86-b1d1-6c3ebb91dbec/detecting-the-sccm-dp-or-ad-site?forum=configmgrgeneral

Thoughts???
Ed OConnor:

Before you go blocking policy processing, have you looked at the netlogon.log to see what part of the logon process is delaying the experience? Do you know for sure these clients are authenticating to the DC in the site?

Aside from netlogon.log, Microsoft provides tools to troubleshoot long logons detailed here:
Troubleshooting tools (MS)

There's also a very good article from TechNet Blogs which goes over troubleshooting techniques for long logons:
Troubleshooting slow logons (Technet)

In my opinion, disabling all policies isn't a solution, and even if you are using it as a troubleshooting step, it's heavy handed and probably unnecessary. It may be that the problem is related to a policy, but there are better ways to determine that.
I totally understand... the situation we have here is unique and is all set up to support a remote application, not by choice...

Would my idea of creating a WMI query to look at the client AD site work??? If so, how can I test to make sure my WMI query syntax is correct and that all objects referenced are valid on the workstation?
I've never done it, so I can't say if it would work or not. WMI should be able to identify if a client is in a specific site though. You may also try blocking policy inheritance at the site level, but again, that's really a "smashmouth" approach.

I still think there's a better way to troubleshoot this, and just because this was forced on you doesn't mean you can't engineer a good solution.
Can you block all GPs at the site level?
My mistake, no. You can't block them at the site.
I have been using PowerShell "Get-WmiObject" to get a feel for what type of objects WMI is collecting, and I am not seeing one relating to AD sites.
I would start by moving appropriate domain level GPOs to be site level GPOs
Can you post a screenshot of your GPMC? This may help us give recommendations.
Please redact all personal information.

What ArneLovius is suggesting is the path I was going to suggest.
I am sorry for the delay in getting back to everyone; I was out sick a couple of days this week and am playing catch-up..

Here is the deal...
All users are members of the same domain. The remote site has a DC at another location that is used by our vendor for authentication to one of their special applications that they host. (And no, they do not support ADFS)..

When users log into the application, which is hosted via Citrix by the remote company, they log in using our / their default network credentials, which in turn tries to pull their user-based GPs, drive mappings etc... I would like to block all GPs from processing if the user's DC is the one that matches the IP of the remote site..

Our GPs are a bit of a mess right now, I will give you that, but nothing is applied at the site level, only at the domain and OU levels..

Hope this helps and thanks again...
So the remote physical site is not a site in AD? And does not have a local DC?

Create it as a site in AD Sites and Services and apply the appropriate subnet to it, then unlink the appropriate GPOs from the root of the domain and relink them to the appropriate sites.
The remote DC is in its own site. I cannot unlink the GPs from the domain, since our GP structure is not the best right now and that would break things. This is why I was asking if a WMI filter could be created to look at the client's authenticating DC name and/or IP and, if it matches or does not match a list, block the policy from being applied.
SOLUTION (ArneLovius)
Yes, a previous admin did alter the default domain policy, which is why I was asking about the WMI filter...

So if a WMI filter would take effect when the criteria are met, how would I set up a filter to look at the client's AD site or the authenticating DC's name or IP range?
When the users log on to their computer, does it take a long time, or is it a terminal server that they are logging into?

Computer and user GPOs process pretty quickly. So if you have 100 GPOs each set up to do a specific setting vs. one or two GPOs that have all the settings in them, you will not really notice the difference if your environment is set up properly. There is something else that is causing this.

Is your Sites and Services set up properly?
Do you have verbose logging enabled for GP to see which GP may be the one causing the slowdown?
When enabled it will log how long each GPO took to process.

https://technet.microsoft.com/en-us/library/cc775423(v=ws.10).aspx
http://www.thewindowsclub.com/enable-verbose-status-message-windows
Thank you for all of the feedback everyone....... What I am really asking here is whether it is even possible to create a WMI filter to look at the user's logon DC or AD site in order to continue processing...

I was able to find a workaround to my issue, which is really the other company's application issue, but I am wondering about this for my own knowledge now.

Thanks Again
ASKER CERTIFIED SOLUTION
Thank you very much for all of your help
You want to use a NOT clause to exclude the remote site.
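As an added example (not code from the thread or its contributors), the PowerShell below shows how to test the kind of site-based WQL a GPO WMI filter would use, and the "NOT clause" form that excludes the remote site. It relies on the built-in `Win32_NTDomain` class, whose `ClientSiteName` is the AD site the machine resolved from its subnet in Sites and Services; `CONTOSO` and `RemoteSite` are placeholder names to be replaced with the real domain and site. Two assumptions to keep in mind: a WMI filter is evaluated on the computer that processes Group Policy (for the Citrix case, the session host, not the user's PC), and it applies to the whole GPO it is linked to, computer and user settings alike.

```powershell
# Added example, not from the thread. Run on the machine where Group Policy is
# processed (e.g. the Citrix session host) to see what a WMI filter would see.
# 'CONTOSO' and 'RemoteSite' are placeholders for the asker's real domain and site names.
$domain     = 'CONTOSO'      # NetBIOS domain name as reported in Win32_NTDomain.DomainName
$remoteSite = 'RemoteSite'   # AD Sites and Services name of the partner-hosted site

# Step 1: inspect what Win32_NTDomain reports. It returns one instance per domain the
# machine knows about (its own plus trusted domains), and trusted-domain instances may
# carry an empty ClientSiteName, so the filters below also pin DomainName.
Get-WmiObject -Class Win32_NTDomain |
    Select-Object DomainName, ClientSiteName, DcSiteName,
                  DomainControllerName, DomainControllerAddress

# Step 2: the exact WQL to paste into a GPMC WMI filter (namespace root\CIMv2).
# A WMI filter evaluates TRUE when the query returns at least one instance, so this
# query returns a row only when the client is NOT in the remote site. Link it to the
# drive-mapping / user GPOs that should be skipped in the partner site.
$wqlExcludeRemote = "SELECT * FROM Win32_NTDomain " +
                    "WHERE DomainName = '$domain' AND ClientSiteName <> '$remoteSite'"

$match = Get-WmiObject -Namespace 'root\CIMv2' -Query $wqlExcludeRemote
if ($match) {
    "Filter TRUE: client site is '$($match.ClientSiteName)'; a GPO with this filter applies"
} else {
    "Filter FALSE: client is in '$remoteSite' (or DomainName did not match); GPO is skipped"
}

# Step 3: the inverse filter, for a GPO that should apply ONLY inside the remote site
# (for example a small override GPO that disables drive mapping there).
$wqlRemoteOnly = "SELECT * FROM Win32_NTDomain " +
                 "WHERE DomainName = '$domain' AND ClientSiteName = '$remoteSite'"
Get-WmiObject -Namespace 'root\CIMv2' -Query $wqlRemoteOnly |
    Select-Object DomainName, ClientSiteName
```

To confirm the filter's verdict on a given machine after linking it, `gpresult /h report.html` lists each GPO under "Denied GPOs" with the reason "WMI Filter" when the query returned nothing.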
Please request admin assistance.  I feel points should be distributed to ArneLovius as well.
will do... sorry everyone