Thanks Ken!

On 12/22/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:

 We proved it by running GPRESULT and seeing the group listed as one of
the groups the user was a member of.

The dialup connection option requires that the Nortel VPN client be
installed in what Nortel calls "service mode". Our network folk don't allow
that (long story).

It isn't an SSL VPN, it is ipsec.

 ------------------------------
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Thursday, December 21, 2006 3:30 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Updating cached credentials

how'd you prove that the user creds were resynched and that the group
memberships were appropriate?

Saying that, I'm sure that a GINA would have solved that issue if you log on
via the dial-up connection.  Have you already tried that method? (That's
where you create the VPN as a connection you can choose and, prior to logon,
use the "dial up connection" check box for the logon.  That implies that you
have the alternate GINA installed from Nortel.)

For your method you specified here, does that work with the ssl vpn? That
would greatly interest me if it did.

Al

On 12/21/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
>
>  I have found a solution to the problem of updating group information in
> cached credentials. Here's how a user would do it (assumes user has admin
> rights, sorry)
>
>  Log on with a LOCAL user id.
> Establish a VPN connection.
> Use ALT+CTRL+DEL to lock the workstation.
> Unlock the workstation using your DOMAIN user ID, not the local user ID
> (This will cause the local user id to be logged off).
> Log in with your domain user ID.
> Run GPUPDATE /FORCE
>
>
>
>  ------------------------------
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
> *Sent:* Wednesday, November 29, 2006 2:16 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Updating cached credentials
>
>  My suggestion on that is to check with Nortel without mentioning the
> psynch control and see what they recommend.
>
> SSL vpns are by nature a user-mode application but I'm not familiar with
> how Nortel recommends to use it.
>
> As for the gpresult, I'm sorry to say I do not know where it gets its
> information. Might be worth filing a DCR for it to get the information from
> the same place that the group policy engine does, though.
>
> Al
>
> On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
> >
> >  The three finger salute did NOT result in the GPO being applied. The
> > only thing that made the GPO get applied was the Psynch ActiveX control.
> >
> > We have a recent version of the Nortel VPN client (May 2006). I do not
> > know if it is the latest.
> >
> > Most, if not all security fixes applied to XP clients.
> >
> > On your last question, I believe you are referring to what Nortel
> > calls "service" mode where the VPN client installs itself as a service and
> > the user supplies their VPN credentials (we use SecurID) on the NT logon
> > screen. Our networking people (they own the VPN and client) will not allow
> > it to be used in that manner without testing, and they won't test because
> > they are replacing the Nortel IPSec VPN with an SSL VPN (which I presume
> > will have the same issue).
> >
> >  ------------------------------
> > *From:* [EMAIL PROTECTED] [mailto:
> > [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
> > *Sent:* Wednesday, November 29, 2006 12:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] Updating cached credentials
> >
> >  You said the gpresult didn't give you the group membership
> > regardless, right? Just that the gpo was applied properly after the three
> > finger salute.  I do know that the three finger salute method, with Nortel's
> > client will cache the user's credentials ( i.e. the user's password)
> > but was not sure if it would for the group membership.
> >
> > That's interesting.
> >
> > Did you check to be sure you have the latest Nortel client and fixes
> > for your XP clients?
> >
> > One other thing: I suppose it's semantics that we're discussing, but
> > have you considered having the user logon using the dial-up connection (
> > i.e. the Nortel client via the GINA method) instead of having the user
> > logon first, then establish the vpn? What were the results of that method?
> >
> >
> >
> > On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
> > >
> > >  We had the user reboot, login using cached credentials, start the
> > > VPN, then run GPRESULT.
> > >
> > >  ------------------------------
> > > *From:* [EMAIL PROTECTED] [mailto:
> > > [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
> > > *Sent:* Wednesday, November 29, 2006 11:56 AM
> > > *To:* ActiveDir@mail.activedir.org
> > > *Subject:* Re: [ActiveDir] Updating cached credentials
> > >
> > >  Curious.  After trying those, how did you validate that the user's
> > > group membership wasn't affected?
> > >
> > >
> > >
> > > On 11/29/06, Ken Cornetet <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Ok, this is really strange...
> > > >
> > > > I tried Al Mulnick's suggestion of having the user change their
> > > > password via a three-finger salute. That did not update cached group
> > > > membership.
> > > >
> > > > I tried Guy Teverovsky's suggestion to do a "runas" while VPN
> > > > connected. It did not update cached group membership.
> > > >
> > > > James Aurther Wells suggested that the group membership would be
> > > > updated by a workstation process discussed in KB824302. We connected
> > > > via VPN and let things sit for 4 hours - no cached group membership
> > > > update.
> > > >
> > > > Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed
> > > > me to an ActiveX control that forces an update of cached credentials
> > > > on the workstation when the Psynch web app is used to change
> > > > passwords. After configuring Psynch to run the ActiveX control, the
> > > > user gets the group policy that was controlled by group membership.
> > > >
> > > > Now this is where things get weird: GPRESULT shows that the policy IS
> > > > applied, but does NOT show the user as being a member of the group
> > > > that gets the policy! Huh?
> > > >
> > > > Now my question is where does GPRESULT look for group membership
> > > > information? It does not appear to be looking in the same place that
> > > > the group policy processing engine looks!
> > > >
> > > > -----Original Message-----
> > > > From: Ken Cornetet
> > > > Sent: Wednesday, November 22, 2006 11:12 AM
> > > > To: ActiveDir@mail.activedir.org
> > > > Subject: Updating cached credentials
> > > >
> > > > Is there a way to force updating of cached credentials on an XP
> > > > workstation? We have several users that seldom (if ever) connect to
> > > > the corporate network directly. Instead, they log in (XP sp2) using
> > > > cached credentials and connect via a Nortel VPN.
> > > >
> > > > We have several group policies that are filtered by group membership.
> > > > The problem is that the group membership seems to be cached on the
> > > > workstation, and is never updated to reflect the new membership, and
> > > > group policy is never applied.
> > > >
> > > > Is there any mechanism for forcing this update?
> > > > List info   : http://www.activedir.org/List.aspx
> > > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > > List archive:
> > > > http://www.mail-archive.com/activedir@mail.activedir.org/
> > > >
> > >
> > >
> >
>
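
The lock-and-unlock procedure in Ken's 12/21 message refreshes the cached logon data, but the thread also shows how hard it was to tell whether the group membership on the workstation actually changed. The following PowerShell script is an added example (not from the thread or from Nortel/M-Tech) that lists the groups in the current logon token, checks for the group that filters the GPO, and diffs the list against the previous run; take one snapshot before the procedure and one after logging back in with the domain account. It assumes PowerShell is installed on the workstation, and the group name is a placeholder.

```powershell
# Added example, not from the thread. Snapshots the groups in the current
# logon token so the before/after of the lock-and-unlock refresh can be
# compared. A token is built at logon, so run this after a fresh logon.
param(
    [string]$TargetGroup = 'CONTOSO\GPO-Filter-Group',   # placeholder, constructed
    [string]$Snapshot    = "$env:TEMP\token-groups.txt"  # assumed snapshot path
)

# Resolve every group SID in the token to DOMAIN\Name where possible;
# keep the raw SID when the name cannot be resolved (e.g. no DC reachable).
function Get-TokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }
    } | Sort-Object -Unique
}

$now = Get-TokenGroups

# The group policy engine filters on the token, so this is the check that
# matters for whether a group-filtered GPO will be applied.
if ($now -contains $TargetGroup) {
    Write-Host "Token contains $($TargetGroup): group-filtered GPOs should apply."
} else {
    Write-Host "Token does NOT contain $($TargetGroup): membership is stale or missing."
}

# Diff against the previous snapshot (taken before the refresh procedure).
if (Test-Path $Snapshot) {
    $before = Get-Content $Snapshot
    Compare-Object -ReferenceObject $before -DifferenceObject $now |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'added  ' } else { 'removed' }
            Write-Host "$tag $($_.InputObject)"
        }
} else {
    Write-Host "No previous snapshot; saving this one as the baseline."
}

# Persist this run so the next one can report what changed.
$now | Set-Content $Snapshot
```

Comparing the token this way sidesteps the GPRESULT discrepancy discussed in the thread, because it reads the same logon token the policy engine filters on rather than whatever source GPRESULT reports from.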
