How to make laptops log into the domain via VPN for updates?

Tags: Domain Administration, Group Policy, Group Policy management, Updates, VPN, VPN security, Wireless
Our laptops rarely connect to the domain. We have group policy on them from when they did. How can we require them to log into the domain via VPN to update their machines? Can we force this to happen or will we have to email everyone and tell them to do it? Are there applications that "phone home" and update GP?

Answer Wiki


If you have a Windows 2008 R2 domain you can use the new direct access feature of Windows 2008 R2 and Windows 7 to do this automatically.

What VPN solution are you using? Windows VPN or Cisco VPN or something else?

***************************
This sounds to me like more of a culture problem than anything else. We provide instructions through corporate policy that users are required to connect at specific times for maintenance. If it is MS updates you are concerned with, and if you have situations where this will not be feasible, at least configure those machines to obtain their updates automatically from the internet. Again, you have to make your users do this, and that can be a challenge itself.

———–

If your end users are using Windows 7 (or can be upgraded to Windows 7) look at the direct access feature. With it the remote computers will automatically connect back to the network via an SSL encrypted tunnel for things like GPO updates, Windows patches from a WSUS server, etc. Basically whenever a user's computer needs access to the company network the machine automatically connects to the network and gets the data it needs, then disconnects. I wrote about it in the book Microsoft Windows 7 Administrator's Reference: Upgrading, Deploying, Managing, and Securing Windows 7 (http://www.amazon.com/Microsoft-Windows-Administrators-Reference-Upgrading/dp/1597495611/ref=ntt_at_ep_dpt_2).

Discuss This Question: 4  Replies

  • Pjb0222
    Another consideration is to set up a split IPSec tunnel (VPN) that is constantly connected or connects on a schedule to your corporate network so that they receive updates. You can do the same with any VPN product that has a command line interface. One issue to consider is split tunneling. Some security groups are not happy allowing split tunneling. So if you bring up the VPN without split tunneling the system now routes everything through the corporate network. Having the routing switch back and forth will cause user issues.
  • TeachMeIT
    [...] 2. Spadasoe and Mr. Denny helped out a user wondering how to make laptops log into the domain via VPN for updates. [...]
  • Pjb0222
    In addition to all the other suggestions: Do your users regularly VPN into your network? If they do, so long as they are connected long enough for a GPO refresh to occur, they should be updated. Another option if not is to create a task that does an update for them and distribute the task to everyone. The task needs to run a script to update the GPO. Having a VPN connection that does not impact the user for this purpose would be advisable.

    On to the script:
    1. Script checks to see if already connected to company network (simple method: ping AD or another internal-only resource by CNAME).
    2. If not connected to company network, open a VPN to company network.
    3. Run GPUPDATE /Force.
    4. Close VPN.
    The next time the user reboots all policies should be updated.

    Another alternative is if users are always connecting to the company network but just not staying on long enough for GPO refresh, you can set a task for this as well. Set this task to run often enough to catch a user on the company network. You have two options for the task action: intelligent script, simple command.
    Option simple command: Have the task run GPUPDATE /Force.
    Option script: Like above but it only checks if connected to company network and then runs GPUPDATE /Force when connected. Allows logging of results for GPUPDATE.

    Neither is a great solution. You could add more intelligence by having a master task / script combo that checks for successful update and then reschedules the update, say once every two weeks or once a month. Then once running again lets it run until successful then moves the next occurrence out again. The problem with this solution is if you change the VPN solution you will need to update your scripts. And may need to do so with any upgrades to the VPN solution.
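Pjb0222's four-step script outline above, worked into a PowerShell script suitable for a scheduled task. This is an added example, not code from the thread; the internal host name, VPN profile name and log path are placeholders, and it assumes a Windows VPN profile that the built-in rasdial tool can dial.

```powershell
# Added example (not from the original thread). Refreshes Group Policy only
# when the laptop can reach the corporate network, dialing the VPN first if
# needed and hanging up afterwards so routing is not left changed for the user.
$InternalHost = 'dc01.corp.example.com'   # placeholder: internal-only DNS name
$VpnName      = 'Corp VPN'                # placeholder: Windows VPN profile name
$LogFile      = "$env:ProgramData\gpo-refresh.log"   # placeholder log path

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

function Test-CorpNetwork {
    # Step 1: resolve and ping an internal-only name. Both fail off-network,
    # so a public host with the same name cannot produce a false positive.
    try {
        [void][System.Net.Dns]::GetHostAddresses($InternalHost)
        return (Test-Connection -ComputerName $InternalHost -Count 2 -Quiet)
    } catch {
        return $false
    }
}

$openedVpn = $false
if (-not (Test-CorpNetwork)) {
    # Step 2: dial the saved profile. Credentials come from the stored
    # profile, never from this script. For the task to run as SYSTEM the
    # profile must be an all-user connection (Add-VpnConnection -AllUserConnection).
    Write-Log "Not on corporate network; dialing '$VpnName'"
    rasdial $VpnName | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-CorpNetwork)) {
        Write-Log "VPN connect failed (rasdial exit $LASTEXITCODE); skipping refresh"
        exit 1
    }
    $openedVpn = $true
}

# Step 3: force the refresh and keep gpupdate's own output for troubleshooting.
Write-Log "Running gpupdate /force"
$gpOutput = gpupdate /force 2>&1
Write-Log ($gpOutput -join ' ')
$result = $LASTEXITCODE

# Step 4: only tear down a tunnel this script brought up.
if ($openedVpn) {
    rasdial $VpnName /disconnect | Out-Null
    Write-Log "VPN disconnected"
}
exit $result
```

Register it with Task Scheduler on a repeating trigger (for example every few hours) so that, as the reply suggests, the refresh catches the machine whenever it happens to be reachable, and review the log to confirm policies actually applied.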