I was thinking about my next blog entry a few weeks back. My research took me through various Web sites, message threads, and articles. Naturally, I wanted something not only pertinent to Group Policy, but also exciting and new (to quote the Love Boat theme song) to many in GP Land. It then came to me in e-mail: How do I dial a VPN connection before logging on? Okay, the question was actually more Group Policy focused. I'm translating to widen the audience (and the search engine <grin>).
The scenario in question is common. You have a large deployment of laptop users, most of whom log on to their computers using cached credentials. One problem in this scenario is that Windows does not apply Group Policy at logon because it cannot contact a domain controller, which also means Group Policy never gets foreground processing. Foreground processing is important to an environment because Group Policy can only process scripts, software installation, and folder redirection during foreground processing of Group Policy. Other Group Policy extensions apply settings without the foreground processing requirement (see the Core Group Policy Technical Reference for more information on foreground and background processing http://go.microsoft.com/fwlink/?LinkId=55492). So, how can you force foreground processing for remote users? Windows XP provided an answer to this problem in the form of a check box on the logon dialog box named Log on using dial-up connections.
Selecting this check box allows Windows XP to establish a network connection to a remote network before performing the user logon. This is a common solution used to allow remote computers to process Group Policy (assuming the network connection dialed allows the remote computer to find a domain controller for the domain). But where is the check box in Windows Vista? It's not there, but the feature is. Here is how to achieve the same results in Windows Vista that you can achieve in Windows XP.
For starters, the computer must be a member of the domain. Next, you'll want to log on to the computer with a user account equivalent to the local administrator.
Create a system dial-up connection in Windows Vista
- Open Control Panel. Click Network and Sharing Center.
- Click Set up a connection or network, and then click Connect to a workplace.
- Click Use my Internet connection (VPN).
- Type the Internet address or FQDN of your VPN server in the Internet address box. Type a suitable name of the connection in the Destination name box.
- Select the Allow other people to use this connection check box. It is important that you select this box. Doing so allows Windows to display the connection before logon. Optionally, you can select Don't connect now; just set it up so I can connect later.
- Complete the wizard and save the connection. Restart the computer.
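The check box in step 5 is what makes the connection system-owned rather than per-user, and only system-owned connections are offered at the logon screen. The PowerShell script below is an added example, not part of the original post: it creates the connection the scripted way where the VpnClient module is available and then checks which phonebook the entry landed in. The connection name, the server name, and the use of Add-VpnConnection / Get-VpnConnection (Windows 8 / Server 2012 and later, not Vista) are assumptions; on Vista, create the connection with the wizard above and run only the verification part. The phonebook paths are the standard locations of rasphone.pbk, and rasdial is the built-in dialer that ships with Vista.

```powershell
# Added example (not from the original post). Creates an all-user VPN entry,
# which is the scripted equivalent of "Allow other people to use this
# connection", and confirms it is in the system phonebook that the pre-logon
# button enumerates. Run from an elevated prompt.
# Assumptions: Add-VpnConnection / Get-VpnConnection (VpnClient module, Windows 8
# and later); 'Corp VPN' and 'vpn.example.com' are constructed sample values.
param(
    [string]$Name       = 'Corp VPN',        # constructed sample value
    [string]$ServerName = 'vpn.example.com', # constructed sample value
    [switch]$TestDial                        # dial once to prove the entry works
)

# System-owned (all-user) entries live under ProgramData; per-user entries under APPDATA.
$systemPbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$userPbk   = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'

function Test-PhonebookEntry {
    param([string]$Path, [string]$EntryName)
    # rasphone.pbk is INI-style; each connection is a section headed [Entry name].
    if (-not (Test-Path $Path)) { return $false }
    $pattern = '^\[' + [regex]::Escape($EntryName) + '\]$'
    return [bool](Select-String -Path $Path -Pattern $pattern -Quiet)
}

# Create the entry only where the VpnClient cmdlets exist and it is not already present.
if (Get-Command Add-VpnConnection -ErrorAction SilentlyContinue) {
    $existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if (-not $existing) {
        # -AllUserConnection stores the entry in the system phonebook (step 5 check box).
        Add-VpnConnection -Name $Name -ServerAddress $ServerName -AllUserConnection
    }
}

# Verify which phonebook holds the entry; only the system one is shown before logon.
if (Test-PhonebookEntry -Path $systemPbk -EntryName $Name) {
    Write-Output "OK: '$Name' is system-owned and will be offered at the logon screen."
} elseif (Test-PhonebookEntry -Path $userPbk -EntryName $Name) {
    Write-Warning "'$Name' exists only in the current user's phonebook and will NOT appear at the logon screen. Recreate it with 'Allow other people to use this connection' selected."
} else {
    Write-Warning "'$Name' was not found in either phonebook."
}

# Optional: dial with the built-in rasdial client using the credentials saved
# for the entry, then hang up. A successful dial here is the same path the
# logon-screen button takes.
if ($TestDial) {
    rasdial $Name
    if ($LASTEXITCODE -eq 0) {
        Write-Output 'Dial succeeded; disconnecting.'
        rasdial $Name /disconnect
    } else {
        Write-Warning "rasdial returned exit code $LASTEXITCODE for '$Name'."
    }
}
```

Run the script once after completing the wizard (or once with `-TestDial` to prove the entry dials) before restarting. If the entry shows up only in the per-user phonebook, the logon-screen button will not list it, which is the most common reason the Vista equivalent of "Log on using dial-up connections" appears to be missing.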
Finding the equivalent of "Log on using dial-up connections"
- Press CTRL+ALT+DELETE.
- Windows displays the logon screen for the user that last logged on. Press ESC or click Switch User to view other logon choices.
- A blue button appears to the left of the red Shutdown button. Click the blue button. Windows displays a list of system-owned dial-up connections for you to choose, if there is more than one. Otherwise, Windows uses the single system-owned connection.
- If prompted, type the user name and password for the dial-up connection and click the round blue button to connect.
- Windows then establishes a connection to the remote network using the provided credentials. It uses these same credentials when logging on to the domain.
That's how you log on using dial-up connections and how to force foreground processing of Group Policy using Windows Vista. Now, your remote clients can authenticate with your domain when they are on the road, and you can expect foreground Group Policy processing to occur, unlike with cached logons.
Mike Stephens, Technical Writer, Group Policy