Setting Policies for Users Who Travel

We're considering the use of Group Policy to lock down computer- and some user-level settings on the workstations in our network. But most of our users are frequently out of the office with their laptops. What happens to the Group Policy settings defined in Active Directory (AD) when users can't access the network?

Computers apply Group Policy by using the gpupdate.exe program. Gpupdate determines all the Group Policy Objects (GPOs) that should be applied to the computer and user, then builds a Resultant Set of Policies (RSP) that reflects the combined settings defined in all applicable GPOs, taking into account the rules of precedence between conflicting settings. Windows then caches the RSP on the local computer. Whenever the computer tries to apply Group Policy on its normal schedule (at boot-up, logon, and about every 90 minutes thereafter) and can't contact a domain controller (DC) to check for updated GPOs, Windows simply reapplies the RSP built from the last refresh of Group Policy when the computer was connected to your network.

Bottom line: A user's computer can remain disconnected from your network indefinitely, and the policies that were in effect the last time the computer successfully refreshed Group Policy will remain in effect. Of course, any subsequent changes you make to Group Policy won't affect the computer until it reconnects to your network.
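To see how long a traveling laptop has been running on cached policy, you can read the time of its last Group Policy processing run on the machine itself. The script below is an added example, not part of the original article. It assumes the engine's state is stored under the all-zero GUID registry entry shown and that System-log event 1129 marks a refresh that could not reach a DC; the function name and the 7-day threshold are hypothetical.

```powershell
# Added example: report how old the locally cached computer policy is.
function Get-LastGroupPolicyRun {
    param([int]$MaxAgeDays = 7)   # hypothetical staleness threshold

    # Assumption: the all-zero GUID entry holds the Group Policy engine's own
    # end-of-processing time, split into the two halves of a Windows FILETIME.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy' +
           '\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'
    $state = Get-ItemProperty -LiteralPath $key -ErrorAction Stop

    # Mask each DWORD to 32 bits so a value surfaced as a negative Int32
    # still combines into the correct 64-bit FILETIME.
    $hi = ([int64]$state.endTimeHi) -band 0xFFFFFFFFL
    $lo = ([int64]$state.endTimeLo) -band 0xFFFFFFFFL
    $lastRun = [DateTime]::FromFileTime(($hi -shl 32) -bor $lo)
    $age = (Get-Date) - $lastRun

    # Most recent refresh that failed for lack of connectivity to a DC, if any.
    $noDc = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1129
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastPolicyRun   = $lastRun                      # local time
        AgeDays         = [math]::Round($age.TotalDays, 1)
        Stale           = $age.TotalDays -gt $MaxAgeDays
        LastNoDcFailure = $noDc.TimeCreated             # $null if none logged
    }
}

Get-LastGroupPolicyRun -MaxAgeDays 7
```

A machine reported as stale has not picked up any GPO change made since LastPolicyRun, so a newly tightened setting is not yet enforced on it.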

TAGS: Security