Forum Discussion

MarcoMangiante's avatar
MarcoMangiante
Iron Contributor
Jun 17, 2020

Group Policy via vpn connection

Hello,   I created on Windows Server 2016 a group policy to distribute a root CA to my employee notebooks; I tried it in a test lab and it does work, but the test is with a dc vm and a workstation ...
Active Directory
Group Policy
Windows Server
MuazOnline's avatar
MuazOnline
Copper Contributor
Jun 18, 2020
Hi Marco
my experience with this was to setup VPN then remote as admin (since end user profile doesn't know anything yet about your VPN) assuming you have remoting solution on end user's computer.
then apply gpupdate /force then switch user while VPN still connected and have user login and finally do gpupdatep /r to see if new gpos are applied
  • MarcoMangiante's avatar
    MarcoMangiante
    Iron Contributor
    Jun 19, 2020

    Hello,

    I've done some testing with a virtual machine and also attaching my tablet to the company AD: after some restart and trial to apply the Group Policy, it seems that something was working using the VPN with my account (never used the domain admin in VPN); however, there are things that I don't understand so well so I can replicate the procedure at all; where I can find on doc.microsoft.com documentation about the Group Policy in Windows Server 2016: I tried to do a research but without luck.

    • PrisBilek's avatar
      PrisBilek
      Copper Contributor
      Jun 24, 2021

      MarcoMangiante 

       

      Hey there, I know that this thread is old, but I would like to let here some useful information for another people who are looking for it.

      The thread is about an XP client, but the explanation is awesome and the procedure to resolve it is the same.

       

      Please, check it out:

      https://social.technet.microsoft.com/forums/windowsserver/en-US/7426a93d-b13e-4dc7-90dc-74acdcf362a1/vpn-and-group-policy

       

      About Win10 procedure (it changes a little):

      https://community.spiceworks.com/topic/2261921-deploy-gpo-for-plain-win10-vpn-connection-before-domain-login

      https://community.spiceworks.com/topic/1986599-how-do-i-enable-network-sign-in-on-windows-10-login-screen

       

      Bye Bye.

      Pris.

  • MarcoMangiante's avatar
    MarcoMangiante
    Iron Contributor
    Jun 18, 2020

    MuazOnline

     

    MuazOnline wrote:
    Hi Marco
    my experience with this was to setup VPN then remote as admin (since end user profile doesn't know anything yet about your VPN) assuming you have remoting solution on end user's computer.
    then apply gpupdate /force then switch user while VPN still connected and have user login and finally do gpupdatep /r to see if new gpos are applied

    so you suggest to access the employee computer, when the vpn is up, via remote desktop accessing with domain administrator account, then on domain controller apply the policy (gpupdate /force) and switch on the computer and let the user login: right? I'll try this.

     

    (since end user profile doesn't know anything yet about your VPN) 

    when you say this, you reference user profile on client notebook or in AD?

    I also tried to configure the vpn so it is possible to connect to the vpn at login but have no luck, I have same error.

     

    I've also seen that, sometimes (and sincerely I don't know at this time to replicate this), if in Group Policy Management in AD I click on the OU where the policy is linked, and choose Group Policy Update and try to apply, the policy is correctly executed.. but on the notebook there is no corresponding result.

     

    Any idea is appreciated.

Resources