Re: Windoze GPO Question

["Salvador III Manaois" <badzmanaois () gmail com>]

Hi John,

Some GPO settings (computer- or user-targeted) remain persistent even
when a user is logging in off the corpnet with cached credentials. I
suggest not to use GPOs to define TCP/IP related info such as name
servers to query, gateway, etc; make use of DHCP scope options to
define these instead. When a user logs in (with cached credentials)
out of the corporate network, say via free wifi access inside an
airport, he will get the TCP/IP connection settings from the DHCP
server in the airport which should allow him to browse the internet
and maybe tunnel in to the corporate network to access corporate
resources (email, shared folders, etc.).

And logging in with a local account is a bad idea; these accounts may
not get user-specific restrictions defined for the domain users.
Furthermore, managing these local accounts will add additional
administrative burden to your administrators.

Regards,

Salvador Manaois III
C|EH MCSE MCSA MCITP|Server/Enterprise Admin
Bytes & Badz : http://badzmanaois.blogspot.com

On Tue, Nov 11, 2008 at 4:24 AM, Jon Kibler <Jon.Kibler () aset com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> This may be slightly off topic, but I have a question about GPO scope.
>
> I have a client that has a bunch of sales people who have laptops. When
> they come into their office, they login to the domain. When they are on
> the road, they login to 'this computer.'
>
> The problem that the client is seeing has left me scratching my head
> about how GP works. What is happening is the client has recently set
> some new group policies that do things like specify which name servers
> and other network resources a given OU is to use. Now, when these
> laptops are taken on the road and the user tries to get Internet access,
> it fails. Why? Because the GPO settings are overriding the DHCP settings
> on 'this computer'.
>
> What I don't understand is why DOMAIN OU GPOs are being applied outside
> the scope of the domain. If you are not logging into the domain, why are
> the domain GPOs in effect? This doesn't make sense. Has my client
> somehow misconfigured AD?
>
> THANKS!
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkYmJAACgkQUVxQRc85QlOMSwCeP5JEFlf/yrl4uwh6Cbl7AFnm
> ZaoAnRRW4d0eFTlMRAQIH6mJR/JpHL3x
> =t05p
> -----END PGP SIGNATURE-----
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.