Group Policy via vpn connection


Hello,

 

On Windows Server 2016 I created a group policy to distribute a root CA to my employees' notebooks; I tried it in a test lab and it does work, but the test is with a DC VM and a workstation VM inside the same network.

All the notebooks are now at the employees' houses, so I tried to test distributing the GPO via the VPN connection to my office network, but it seems that the computer policy is not updated; if I do a simple gpupdate /force I obtain this:

 

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

 

Where to start the troubleshooting? First of all: is it possible to distribute a computer GPO via VPN?

 

Marco

3 Replies
Hi Marco
My experience with this was to set up the VPN, then remote in as admin (since the end user profile doesn't know anything yet about your VPN), assuming you have a remoting solution on the end user's computer.
then apply gpupdate /force then switch user while VPN still connected and have user login and finally do gpupdatep /r to see if new gpos are applied

@MuazOnline

 


@MuazOnline wrote:
Hi Marco
My experience with this was to set up the VPN, then remote in as admin (since the end user profile doesn't know anything yet about your VPN), assuming you have a remoting solution on the end user's computer.
then apply gpupdate /force then switch user while VPN still connected and have user login and finally do gpupdatep /r to see if new gpos are applied

So you suggest accessing the employee's computer, when the VPN is up, via remote desktop with a domain administrator account, then on the domain controller applying the policy (gpupdate /force), switching on the computer and letting the user log in: right? I'll try this.

 


(since end user profile doesn't know anything yet about your VPN) 

When you say this, do you mean the user profile on the client notebook or in AD?

I also tried to configure the VPN so that it is possible to connect to the VPN at login, but had no luck; I get the same error.

 

I've also seen that, sometimes (and sincerely I don't know at this time how to replicate this), if in Group Policy Management in AD I click on the OU where the policy is linked, choose Group Policy Update and try to apply, the policy is correctly executed... but on the notebook there is no corresponding result.

 

Any idea is appreciated.

Hello,

I've done some testing with a virtual machine and also by attaching my tablet to the company AD: after some restarts and attempts to apply the Group Policy, it seems that something was working using the VPN with my account (never used the domain admin in VPN); however, there are things that I don't understand so well so I can replicate the procedure at all. Where can I find documentation on doc.microsoft.com about Group Policy in Windows Server 2016? I tried to research it but without luck.
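
A starting point for the "lack of network connectivity to a domain controller" error quoted in the question, as an added example that is not from any of the posters in this thread: a PowerShell check, run on the notebook in an elevated session while the VPN is connected, that walks the path Group Policy depends on (DNS SRV lookup, TCP reachability of each DC, DC locator, SYSVOL share) before retrying the computer policy. It assumes a domain-joined Windows 10 or later client; the port list is the usual TCP set a client needs toward a DC and is an assumption about this network, not something stated in the thread.

```powershell
# Added example. Run elevated on the notebook with the VPN connected.
param(
    # Assumption: defaults to the AD domain this computer is joined to.
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
)

# TCP ports a client normally needs toward a DC for Group Policy processing.
# (The DC locator also uses UDP 389, which Test-NetConnection cannot probe.)
$ports = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL)' }
)

# 1. Can the client find domain controllers through DNS over the VPN?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No DC SRV records found for '$Domain'. Check which DNS servers the VPN adapter uses."
    return
}

# 2. Is each advertised DC reachable on the required TCP ports through the tunnel?
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-35} {1,-4} {2,-20} {3}' -f $dc, $p.Port, $p.Name, $state
    }
}

# 3. Does the DC locator itself succeed (forces rediscovery instead of using the cache)?
nltest /dsgetdc:$Domain /force

# 4. Is the policy store readable? GPO files are fetched from SYSVOL over SMB.
if (Test-Path "\\$Domain\SYSVOL\$Domain\Policies") {
    'SYSVOL Policies folder is reachable.'
} else {
    Write-Warning 'SYSVOL is not reachable: GPO templates cannot be downloaded.'
}

# 5. Only now retry the computer policy and show which GPOs were applied.
gpupdate /target:computer /force
gpresult /r /scope:computer
```

If step 1 or 2 fails, the problem is in the VPN's DNS or firewall rules rather than in the GPO itself; once the policy applies, the distributed root CA should appear under `Cert:\LocalMachine\Root`.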