My suggestion on that is to check with Nortel without mentioning the psynch control and see what they recommend.
SSL vpns are by nature a user-mode application but I'm not familiar with how Nortel recommends to use it. As for the gpresult, I'm sorry to say I do not know where it gets it's information. Might be worth filing a DCR for it to get the information from the same place that the group policy engine does, though. Al On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
The three finger salute did NOT result in the GPO being applied. The only thing that made the GPO get applied was the Psynch ActiveX control. We have a recent version of the Nortel VPN client (May 2006). I do not know if it is the latest. Most, if not all security fixes applied to XP clients. On your last question, I believe you are referring to what Nortel calls "service" mode where the VPN client installs itself as a service and the user supplies their VPN credentials (we use SecurID) on the NT logon screen. Our networking people (they own the VPN and client) will not allow it to be used in that manner without testing, and they won't test because they are replacing the Nortel IPSec VPN with an SSL VPN (which I presume will have the same issue). ------------------------------ *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Al Mulnick *Sent:* Wednesday, November 29, 2006 12:42 PM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Updating cached credentials You said the gpresult didn't give you the group membership regardless, right? Just that the gpo was applied properly after the three finger salute. I do know that the three finger salute method, with Nortel's client will cache the user's credentials ( i.e. the user's password) but was not sure if it would for the group membership. That's interesting. Did you check to be sure you have the latest Nortel client and fixes for your XP clients? One other thing: I suppose it's semantics that we're discussing, but have you considered having the user logon using the dial-up connection ( i.e. the Nortel client via the GINA method) instead of having the user logon first, then establish the vpn? What were the results of that method? On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote: > > We had the user reboot, login using cached credentials, start the VPN, > then run GPRESULT. > > ------------------------------ > *From:* [EMAIL PROTECTED] [mailto: > [EMAIL PROTECTED] *On Behalf Of *Al Mulnick > *Sent:* Wednesday, November 29, 2006 11:56 AM > *To:* ActiveDir@mail.activedir.org > *Subject:* Re: [ActiveDir] Updating cached credentials > > Curious. After trying those, how did you validate that the user's > group membership wasn't affected? > > > > On 11/29/06, Ken Cornetet < [EMAIL PROTECTED]> wrote: > > > > Ok, this is really strange... > > > > I tried Al Munick's suggestion of having the user change their > > password > > via a three-finger salute. That did not update cached group > > membership. > > > > I tried Guy Teverovsky's suggestion to do a "runas" while VPN > > connected. > > It did not update cached group membership. > > > > James Aurther Wells suggested that the group membership would be > > updated > > by a workstation process discussed in KB824302. We connected via VPN > > and > > let things sit for 4 hours - no cached group membership update. > > > > Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed > > me > > to an ActiveX control that forces an update of cached credentials on > > the > > workstation when the Psynch web app is used to change passwords. After > > configuring Psynch to run the ActiveX control, the user gets the group > > > > policy that was controlled by group membership. > > > > Now this is where things gets weird: GPRESULT shows that the policy IS > > applied, but does NOT show the user as being a member of the group > > that > > gets the policy! Huh? > > > > Now my question is where does GPRESULT look for group membership > > information? It does not appear to be looking the same place that the > > group policy processing engine looks! > > > > -----Original Message----- > > From: Ken Cornetet > > Sent: Wednesday, November 22, 2006 11:12 AM > > To: ActiveDir@mail.activedir.org > > Subject: Updating cached credentials > > > > Is there a way to force updating of cached credentials on an XP > > workstation? We have several users that seldom (if ever) connect to > > the > > corporate network directly. Instead, they log in (XP sp2) using cached > > credentials and connect via a Nortel VPN. > > > > We have several group policies that are filtered by group membership. > > The problem is that the group membership seems to be cached on the > > workstation, and is never updated to reflect the new membership, and > > group policy is never applied. > > > > Is there any mechanism for forcing this update? > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir@mail.activedir.org/ > > > >
