We proved it by running GPRESULT and seeing the group listed as one of the groups the user was a member of. The dialup connection option requires that the Nortel VPN client be installed in what Nortel calls "service mode". Our network folk don't allow that (long story). It isn't an SSL VPN, it is ipsec.
________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, December 21, 2006 3:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials how'd you prove that the user creds were resynched and that the group memberships were appropriate? Saying that, I'm sure that a gina would have solved that issue if you logon via the dial up connection. Have you already tried that method? (that's where you create the vpn as connection you can choose and prior to logon use the "dial up connection" check box for the logon. That implies that you have the alternate GINA installed from Nortel. For your method you specified here, does that work with the ssl vpn? That would greatly interest me if it did. Al On 12/21/06, Ken Cornetet <[EMAIL PROTECTED]> wrote: I have found a solution to the problem of updating group information in cached credentials. Here's how a user would do it (assumes user has admin rights, sorry) Log on with a LOCAL user id. Establish a VPN connection. Use ALT+CTRL+DEL to lock the workstation. Unlock the workstation using your DOMAIN user ID, not the local user ID (This will cause the local user id to be logged off). Log in with your domain user ID. Run GPUDATE /FORCE ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 29, 2006 2:16 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials My suggestion on that is to check with Nortel without mentioning the psynch control and see what they recommend. SSL vpns are by nature a user-mode application but I'm not familiar with how Nortel recommends to use it. As for the gpresult, I'm sorry to say I do not know where it gets it's information. Might be worth filing a DCR for it to get the information from the same place that the group policy engine does, though. Al On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote: The three finger salute did NOT result in the GPO being applied. The only thing that made the GPO get applied was the Psynch ActiveX control. We have a recent version of the Nortel VPN client (May 2006). I do not know if it is the latest. Most, if not all security fixes applied to XP clients. On your last question, I believe you are referring to what Nortel calls "service" mode where the VPN client installs itself as a service and the user supplies their VPN credentials (we use SecurID) on the NT logon screen. Our networking people (they own the VPN and client) will not allow it to be used in that manner without testing, and they won't test because they are replacing the Nortel IPSec VPN with an SSL VPN (which I presume will have the same issue). ________________________________ From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 29, 2006 12:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials You said the gpresult didn't give you the group membership regardless, right? Just that the gpo was applied properly after the three finger salute. I do know that the three finger salute method, with Nortel's client will cache the user's credentials ( i.e. the user's password) but was not sure if it would for the group membership. That's interesting. Did you check to be sure you have the latest Nortel client and fixes for your XP clients? One other thing: I suppose it's semantics that we're discussing, but have you considered having the user logon using the dial-up connection ( i.e. the Nortel client via the GINA method) instead of having the user logon first, then establish the vpn? What were the results of that method? On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote: We had the user reboot, login using cached credentials, start the VPN, then run GPRESULT. ________________________________ From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 29, 2006 11:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials Curious. After trying those, how did you validate that the user's group membership wasn't affected? On 11/29/06, Ken Cornetet < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: Ok, this is really strange... I tried Al Munick's suggestion of having the user change their password via a three-finger salute. That did not update cached group membership. I tried Guy Teverovsky's suggestion to do a "runas" while VPN connected. It did not update cached group membership. James Aurther Wells suggested that the group membership would be updated by a workstation process discussed in KB824302. We connected via VPN and let things sit for 4 hours - no cached group membership update. Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed me to an ActiveX control that forces an update of cached credentials on the workstation when the Psynch web app is used to change passwords. After configuring Psynch to run the ActiveX control, the user gets the group policy that was controlled by group membership. Now this is where things gets weird: GPRESULT shows that the policy IS applied, but does NOT show the user as being a member of the group that gets the policy! Huh? Now my question is where does GPRESULT look for group membership information? It does not appear to be looking the same place that the group policy processing engine looks! -----Original Message----- From: Ken Cornetet Sent: Wednesday, November 22, 2006 11:12 AM To: ActiveDir@mail.activedir.org Subject: Updating cached credentials Is there a way to force updating of cached credentials on an XP workstation? We have several users that seldom (if ever) connect to the corporate network directly. Instead, they log in (XP sp2) using cached credentials and connect via a Nortel VPN. We have several group policies that are filtered by group membership. The problem is that the group membership seems to be cached on the workstation, and is never updated to reflect the new membership, and group policy is never applied. Is there any mechanism for forcing this update? List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/