AD Question

[Rampage1329]

I don't want to call complete BS on the ad admin, so I will ask you if what this user is saying make sense. It sounds to me like he is being lazy.

I work in a school environment, and have been pushing to have autoplay disabled at my schools. It seems to be a farely straightforward request, only the ad admin says it can't be applied to wireless computers because unless they have a wireless controller at the campus they get the IP address from our main datacenter. ( I know this to be true) He says they can't isolate those machines to apply the update. It seems the point of active directory is to restrict access for users not based by machine but by user so the access remains consistent at whichever location they log onto.

My question is can the ad admin really not disable the autoplay feature by user?

 

[Shambler]

I believe this can be done by GP. As long as the User Account, or Computer Account has that GP applied to it, it doesn't matter where they are connected within the network. Wireless or not, the GP will apply.

In before the move!!!!!!!

-edit- Take all this with a grain of salt. I have barely even started working with GP/SCCM.

 

[Riccochet]

Why is this in the Cars/Motor Vehicles sub-forum?

 

[Rampage1329]

i pmed a mod to have it moved, i just posted it in the wrong forum

 

[Rags]

i pmed a mod to have it moved, i just posted it in the wrong forum

Took care of it for you, hope this is the appropriate forum for you, if not let the mod of this forum know.

 

[B1zz]

if you just look at the AD side of things, each computer account can be moved into a specific OU that has group policy set to disable autoplay, or whatever else you care to turn off, restrict etc etc....theoretically this should work no matter the IP address.

in comes modern routing, firewalls etc that may cause a computer to not be able to reach a domain controller and thereby not update its group policies...

without knowing alot about your infrastructure, i'd say there is a sliver of truth in regards to the wireless clients....the ad admin still sounds only half informed though(as am I, working with what little insight i have , grain of salt to all )

 

[gimp]

are all the laptops that are connecting wirelessly, actually joined to the domain? ie, school property?

 

[Rampage1329]

yeah, but i think wireless devices unless they have the cisco wan manager will get the ip address from a giant wireless pool. So it might not be able to hit that schools domain controller. All computers join the domain.

 

[xenios]

If the wireless clients cannot communicate with the domain controller then you obviously are not going to get new gpo settings. VPN would have to be used in that case. Users that have logged into the laptop within the ad network can also do so out of the network as user credentials are stored after first login.

As for if you can disable autorun in the user context, yes you can. If the setting exists in both computer and user context, the computer context always takes precedence.

 

[Rampage1329]

If the wireless clients cannot communicate with the domain controller then you obviously are not going to get new gpo settings. VPN would have to be used in that case. Users that have logged into the laptop within the ad network can also do so out of the network as user credentials are stored after first login.

As for if you can disable autorun in the user context, yes you can. If the setting exists in both computer and user context, the computer context always takes precedence.

i think it just connects to another domain controller. Since each school has one, and i presume there is one in the main office. It wouldn't suprise me if things weren't setup correctly here.

 

[xenios]

Then it is up to how the district or whatever has their infrastructure setup, if there is no forest or domain trust setup then yea It will never work unless they come home.

 

[gimp]

#1 - if the users log in to the domain with an AD acct, and
#2 - the IP received from DHCP includes the DC as a DNS server, and
#3 - the computer can communicate with the DC

then yes, user GPO settings should get applied.
computer GPO settings will get applied regardless of #1, as long as 2 and 3 are true.

but this is also assuming there is only 1 domain; for a multi-domain forest there needs to be trusts set up between the domains for it to work.

edit: also, just because GPO's aren't applied at boot up, does not mean they are never applied. GPO's are refreshed on the computers at an interval (I believe 15 min? maybe it's once every 24hrs or something?)

 

[jpochedl]

also, just because GPO's aren't applied at boot up, does not mean they are never applied. GPO's are refreshed on the computers at an interval (I believe 15 min? maybe it's once every 24hrs or something?)

GPO's on client computers are refreshed at 90 minute intervals, +/- a random offset (up to 30 minutes by default).. So, clients will refresh GPOs generally between 60 to 120 minutes.... Both the refresh interval and the offset can be adjusted through group (or local) policy.

Note that DC's have different defalts than clients.

 

[Rampage1329]

thanks for all of the help, its clear i don't know enough to call out the ad admin, but it does definatly seem like he should have been able to apply a gpo