 How to make laptops log into the domain via VPN for updates?
Our laptops rarely connect to the domain. We have group policy on them from when they did. How can we require them to log into the domain via VPN to update their machines? Can we force this to happen or will we have to email everyone and tell them to do it? Are there applications that "phone home" and update GP?

ASKED: August 30, 2010  8:25 PM
UPDATED: September 15, 2010  9:27 PM

Answer Wiki:
If you have a Windows 2008 R2 domain you can use the new DirectAccess feature of Windows 2008 R2 and Windows 7 to do this automatically. What VPN solution are you using? Windows VPN or Cisco VPN or something else?

***************************

This sounds to me like more of a culture problem than anything else. We provide instructions through corporate policy that users are required to connect at specific times for maintenance. If it is MS updates you are concerned with, and if you have situations where this will not be feasible, at least configure those machines to obtain their updates automatically from the internet. Again, you have to make your users do this, and that can be a challenge itself.

-----------

If your end users are using Windows 7 (or can be upgraded to Windows 7) look at the DirectAccess feature. With it the remote computers will automatically connect back to the network via an SSL encrypted tunnel for things like GPO updates, Windows patches from a WSUS server, etc. Basically whenever a user's computer needs access to the company network the machine automatically connects to the network and gets the data it needs, then disconnects. I wrote about it in the book Microsoft Windows 7 Administrator's Reference: Upgrading, Deploying, Managing, and Securing Windows 7 (http://www.amazon.com/Microsoft-Windows-Administrators-Reference-Upgrading/dp/1597495611/ref=ntt_at_ep_dpt_2).
Last Wiki Answer Submitted:  September 15, 2010  2:27 am  by  Spadasoe   5,130 pts.
All Answer Wiki Contributors:  Spadasoe   5,130 pts. , Denny Cherry   64,550 pts.


Discuss This Question:

Another consideration is to set up a split IPSec tunnel (VPN) that is constantly connected or connects on a schedule to your corporate network so that they receive updates.

You can do the same with any VPN product that has a command line interface.

One issue to consider is split tunneling. Some security groups are not happy allowing split tunnelling. So if you bring up the VPN without split tunneling the system now routes everything through the corporate network. Having the routing switch back and forth will cause user issues.


In addition to all the other suggestions:

Do your users regularly VPN into your network? If they do, so long as they are connected long enough for a GPO refresh to occur, they should be updated.

Another option if not is to create a task that does an update for them and distribute the task to everyone.

The task needs to run a script to update the GPO. Having a VPN connection that does not impact the user for this purpose would be advisable.

On to the script:
1. Script checks to see if already connected to company network (simple method ping AD or another internal only resource by CNAME).
2. If not connected to company network, open a VPN to company network.
3. Run GPUPDATE /Force.
4. Close VPN.
The next time the user reboots all policies should be updated.

Another alternative is if users are always connecting to the company network but just not staying on long enough for a GPO refresh, you can set a task for this as well.

Set this task to run often enough to catch a user on the company network. You have two options for the task action: intelligent script, simple command.
Option simple command: Have the task run GPUPDATE /Force
Option script: Like above but it only checks if connected to company network and then runs GPUPDATE /Force when connected. Allows logging of results for GPUPDATE.

Neither is a great solution. You could add more intelligence by having a master task / script combo that checks for successful update and then reschedules the update say once every two weeks or once a month. Then once running again lets it run until successful then moves the next occurrence out again.

The problem with this solution is if you change the VPN solution you will need to update your scripts. And may need to do so with any upgrades to the VPN solution.

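The four-step script described in the comment above, written out in PowerShell as an added example that is not from the thread. It assumes a Windows VPN (rasdial) phonebook entry with stored credentials; the internal host name, the entry name and the log path are placeholders.

```powershell
# Added example: the check / connect / gpupdate / disconnect script from the
# comment, meant to be run from a scheduled task. Placeholders (not from the
# thread): 'dc01.corp.example' is an internal-only host, 'CorpVPN' is a Windows
# VPN phonebook entry whose credentials are stored in the entry, so no password
# has to live in this script.

$InternalHost = 'dc01.corp.example'   # resolvable/reachable only inside the corporate network
$VpnEntry     = 'CorpVPN'             # rasdial phonebook entry name
$LogFile      = Join-Path $env:ProgramData 'gpupdate-vpn.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

function Test-CorpNetwork {
    # Step 1: ping an internal-only name. Off-network the name does not resolve
    # publicly (or the host is unreachable), so this returns $false.
    return Test-Connection -ComputerName $InternalHost -Count 1 -Quiet
}

$weOpenedVpn = $false
try {
    if (-not (Test-CorpNetwork)) {
        # Step 2: bring up the VPN. rasdial exits 0 on success, non-zero with a RAS error code.
        Write-Log "Not on corporate network; dialing $VpnEntry"
        & rasdial.exe $VpnEntry | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "rasdial failed with code $LASTEXITCODE" }
        $weOpenedVpn = $true
        if (-not (Test-CorpNetwork)) { throw "VPN up but $InternalHost still unreachable" }
    }

    # Step 3: refresh policy. gpupdate exits non-zero when the refresh fails,
    # so the exit code and output are logged instead of being discarded.
    $output = & gpupdate.exe /force 2>&1
    Write-Log ("gpupdate exit code $LASTEXITCODE: " + ($output -join ' '))
}
catch {
    Write-Log "ERROR: $_"
}
finally {
    # Step 4: only tear down a tunnel this script opened, so a VPN session the
    # user started (split-tunnelled or not) is left untouched.
    if ($weOpenedVpn) {
        & rasdial.exe $VpnEntry /disconnect | Out-Null
        Write-Log "Disconnected $VpnEntry"
    }
}
```

Register it with Task Scheduler to run as SYSTEM on the schedule the comment describes; the log file is what tells you whether a refresh actually succeeded.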