You said the gpresult didn't give you the group membership regardless,
right? Just that the GPO was applied properly after the three-finger
salute.  I do know that the three-finger salute method, with Nortel's client,
will cache the user's credentials (i.e. the user's password) but was not
sure if it would for the group membership.

That's interesting.

Did you check to be sure you have the latest Nortel client and fixes for
your XP clients?

One other thing: I suppose it's semantics that we're discussing, but have
you considered having the user log on using the dial-up connection (i.e. the
Nortel client via the GINA method) instead of having the user log on first,
then establish the VPN? What were the results of that method?



On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:

 We had the user reboot, login using cached credentials, start the VPN,
then run GPRESULT.

 ------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
*Sent:* Wednesday, November 29, 2006 11:56 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Updating cached credentials

Curious.  After trying those, how did you validate that the user's group
membership wasn't affected?



On 11/29/06, Ken Cornetet < [EMAIL PROTECTED]> wrote:
>
> Ok, this is really strange...
>
> I tried Al Mulnick's suggestion of having the user change their password
> via a three-finger salute. That did not update cached group membership.
>
> I tried Guy Teverovsky's suggestion to do a "runas" while VPN connected.
> It did not update cached group membership.
>
> James Aurther Wells suggested that the group membership would be updated
> by a workstation process discussed in KB824302. We connected via VPN and
> let things sit for 4 hours - no cached group membership update.
>
> Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed me
> to an ActiveX control that forces an update of cached credentials on the
> workstation when the Psynch web app is used to change passwords. After
> configuring Psynch to run the ActiveX control, the user gets the group
> policy that was controlled by group membership.
>
> Now this is where things get weird: GPRESULT shows that the policy IS
> applied, but does NOT show the user as being a member of the group that
> gets the policy! Huh?
>
> Now my question is where does GPRESULT look for group membership
> information? It does not appear to be looking the same place that the
> group policy processing engine looks!
>
> -----Original Message-----
> From: Ken Cornetet
> Sent: Wednesday, November 22, 2006 11:12 AM
> To: ActiveDir@mail.activedir.org
> Subject: Updating cached credentials
>
> Is there a way to force updating of cached credentials on an XP
> workstation? We have several users that seldom (if ever) connect to the
> corporate network directly. Instead, they log in (XP sp2) using cached
> credentials and connect via a Nortel VPN.
>
> We have several group policies that are filtered by group membership.
> The problem is that the group membership seems to be cached on the
> workstation, and is never updated to reflect the new membership, and
> group policy is never applied.
>
> Is there any mechanism for forcing this update?
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>

