Sign in with
Sign up | Sign in
Your question

Block GPO on IP address

Last response: in Windows 2000/NT
Share
Anonymous
August 10, 2004 1:38:19 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi all,

We have a unique European domain with 20 sites link through the WAN. We
use GPO's to deploy application. My problem is that when a user based
in Switzerland connects to a site elsewhere and there is a software
update (like MS Office) the installation starts and takes ages.

Is there a way to block GPO deployment by IP address or better, to just
allow GPO deployment based on client IP address. Please note that as we
have a Windows 2000 domain, we cannot use WMI filtering.

Thanks in advance

Axel

--
This is an automatic signature of MesNews.
Site : http://mesnews.no-ip.com

More about : block gpo address

August 10, 2004 1:38:20 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Just an idea--do you have multiple sites/domains in AD or
is it just one large domain with 20 physical disparate
locations?

Ken

>-----Original Message-----
>Hi all,
>
>We have a unique European domain with 20 sites link
through the WAN. We
>use GPO's to deploy application. My problem is that when
a user based
>in Switzerland connects to a site elsewhere and there is
a software
>update (like MS Office) the installation starts and
takes ages.
>
>Is there a way to block GPO deployment by IP address or
better, to just
>allow GPO deployment based on client IP address. Please
note that as we
>have a Windows 2000 domain, we cannot use WMI filtering.
>
>Thanks in advance
>
>Axel
>
>--
>This is an automatic signature of MesNews.
>Site : http://mesnews.no-ip.com
Anonymous
August 10, 2004 9:11:24 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You might want to look at slow link detection for Group Policy. You can change the
setting at when W2K considers a link slow link and how Group Policy is handled over a
slow link detection. Apparently your link to the sites are fast enough to not be
considered slow link. The link below will explain more. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...


"Axel Boggio" <axel.boggio@str_yker.com> wrote in message
news:mn.52427d4885ac4c26.12023@stryker.com...
> Hi all,
>
> We have a unique European domain with 20 sites link through the WAN. We
> use GPO's to deploy application. My problem is that when a user based
> in Switzerland connects to a site elsewhere and there is a software
> update (like MS Office) the installation starts and takes ages.
>
> Is there a way to block GPO deployment by IP address or better, to just
> allow GPO deployment based on client IP address. Please note that as we
> have a Windows 2000 domain, we cannot use WMI filtering.
>
> Thanks in advance
>
> Axel
>
> --
> This is an automatic signature of MesNews.
> Site : http://mesnews.no-ip.com
>
Related resources
Anonymous
August 11, 2004 5:14:49 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Ken,

This is single domain
Ken submitted this idea :
> Just an idea--do you have multiple sites/domains in AD or
> is it just one large domain with 20 physical disparate
> locations?
>
> Ken
>
>> -----Original Message-----
>> Hi all,
>>
>> We have a unique European domain with 20 sites link through the WAN. We
>> use GPO's to deploy application. My problem is that when a user based
>> in Switzerland connects to a site elsewhere and there is a software
>> update (like MS Office) the installation starts and takes ages.
>>
>> Is there a way to block GPO deployment by IP address or better, to just
>> allow GPO deployment based on client IP address. Please note that as we
>> have a Windows 2000 domain, we cannot use WMI filtering.
>>
>> Thanks in advance
>>
>> Axel
>>
>> --
>> This is an automatic signature of MesNews.
>> Site : http://mesnews.no-ip.com

--
This is an automatic signature of MesNews.
Site : http://mesnews.no-ip.com
Anonymous
August 11, 2004 5:17:00 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Ken,

This is multiple sites in one domain.

The problem is that our link is fast enough to apply the policy (and
detect it as a slow link) but too slow to deploy application.

Axel

After serious thinking Ken wrote :
> Just an idea--do you have multiple sites/domains in AD or
> is it just one large domain with 20 physical disparate
> locations?
>
> Ken
>
>> -----Original Message-----
>> Hi all,
>>
>> We have a unique European domain with 20 sites link through the WAN. We
>> use GPO's to deploy application. My problem is that when a user based
>> in Switzerland connects to a site elsewhere and there is a software
>> update (like MS Office) the installation starts and takes ages.
>>
>> Is there a way to block GPO deployment by IP address or better, to just
>> allow GPO deployment based on client IP address. Please note that as we
>> have a Windows 2000 domain, we cannot use WMI filtering.
>>
>> Thanks in advance
>>
>> Axel
>>
>> --
>> This is an automatic signature of MesNews.
>> Site : http://mesnews.no-ip.com

--
This is an automatic signature of MesNews.
Site : http://mesnews.no-ip.com
Anonymous
August 16, 2004 1:42:58 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Axel,

What exactly do you mean? I assume that you mean that the link is too fast
to be considered a slow link? Please remember that you can tell Active
Directory what the 'slow' in the slow link is. If you make no changes(
read: the default ) then it is 500kbps.....

Cary


"Axel Boggio" <axel.boggio@str_yker.com> wrote in message
news:mn.5b1d7d48398501f1.12023@stryker.com...
> Hi Ken,
>
> This is multiple sites in one domain.
>
> The problem is that our link is fast enough to apply the policy (and
> detect it as a slow link) but too slow to deploy application.
>
> Axel
>
> After serious thinking Ken wrote :
> > Just an idea--do you have multiple sites/domains in AD or
> > is it just one large domain with 20 physical disparate
> > locations?
> >
> > Ken
> >
> >> -----Original Message-----
> >> Hi all,
> >>
> >> We have a unique European domain with 20 sites link through the WAN.
We
> >> use GPO's to deploy application. My problem is that when a user based
> >> in Switzerland connects to a site elsewhere and there is a software
> >> update (like MS Office) the installation starts and takes ages.
> >>
> >> Is there a way to block GPO deployment by IP address or better, to
just
> >> allow GPO deployment based on client IP address. Please note that as
we
> >> have a Windows 2000 domain, we cannot use WMI filtering.
> >>
> >> Thanks in advance
> >>
> >> Axel
> >>
> >> --
> >> This is an automatic signature of MesNews.
> >> Site : http://mesnews.no-ip.com
>
> --
> This is an automatic signature of MesNews.
> Site : http://mesnews.no-ip.com
>
Anonymous
August 16, 2004 2:44:34 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Axel,

I assume that you mean that this is a single domain that covers 20 Sites?
If this is the case then there are several possibilities.

First and foremost you need to make sure that a client in Site17 is going to
authenticate against a Domain Controller in Site17 and that a client in
Site04 is going to authenticate against a Domain Controller in Site04.
Please take a look at the following MSKB Article:

http://support.microsoft.com/?id=306602

You do not tell us if you are using the Hub and Spoke or some other method.
Also, do you have a Domain Controller in each Site ( preferably two )? How
many users are in each Site? What are the connection speeds between the
Sites? Also, did you disable the KCC and create everything yourself or is
the KCC doing everything ( with it's friend the ISTG )? How is you Domain
organized - meaning, what does the Active Directory Users and Computers MMC
look like ( do you have an OU for each Site or for each Country or what )?

I saw something in another post that is interesting. I would normally make
a vanilla suggestion that you create a Site GPO for the software deployment.
Granted, this is a possibility. Maybe not the best way, though.

You can put the .msi file in a directory structure on a local Server (
either a Domain Controller that is acting as a File Server or a Member
Server that is acting as a File Server ), create the GPO at the appropriate
level ( either Domain or OU ), point to the .msi file on that Site's local
Server and use Security Group Filtering ( whereby you remove the
Authenticated Users from the Security Tab and create a Security Group and
populate it with the user account objects of the users in that particular
Site - make sure to give that group both the READ and APPLY GROUP POLICY
rights ). Here is an example:

Let's look at the Zuerich, Bern and Basel Sites. Let's say that you have
two Domain Controllers in each Site: ZURDC01 and ZURDC02 in Zuerich, BRNDC01
and BRNDC02 in Bern and BSLDC01 and BSLDC02 in Basel. Say that there are 80
users in each Site and we are deploying Office XP via GPO to all of your
users ( advanced Assigned to the user configuration side so that you can
make use of .mst file ). Furthermore, let's say that you have created an OU
for each location ( Site ).

So, for the Zuerich Site you would do an Administrative Installation of
Office XP on ZURDC02 in the shared ZUROFFXP shared folder. When you create
the GPO for your Zuerich users you *could* link it to the Zuerich OU and
when you tell AD where to look you would use \\ZURDC02\ZUROFFXP\data1.msi as
the path ( notice that this is a local server for that Site ) and you would
remove the AUTHENTICATED USERS group from the GPO security and create a
Security Group ( ZuerichUsers or whatever you want to call it ) and make
each user account object from the Zuerich Site a member of that security
group. You would replace the AUTHENTICATED USERS group with this group (
ZuerichUsers ) and make sure to give that group both the READ and APPLY
GROUP POLICY rights.

For your Bern Site you would do an Administrative Installation of Office XP
on BRNDC02 in the shared BRNOFFXP shared folder. When you create the GPO
for your Bern users you *could* link it to the Bern OU and when you tell AD
where to look you would use \\BRNDC02\BRNOFFXP\data1.msi as the path (
again, notice that it is a local server for that Site ) and you would remove
the AUTHENTICATED USERS group from the GPO security and create a security
group ( BernUsers ) and make each user account object from the Bern Site a
member of that security group. You would replace the AUTHENTICATED USERS
group with BernUsers and give that group the READ and APPLY GROUP POLICY
rights.

For your Basel Site you would do an Administrative Installation of Office XP
on BSLDC02 in the shared folder BSLOFFXP. I think that you see from the
above two examples of what you *could* do....

The key points to this method are that the Administrative Installation is on
a local ( read: local to each respective Site ) and that we are using a
Security Group to filter the GPO. You could link these GPOs either to the
domain or to an OU....depending on how you have things set up. You also
have the option of doing this to the user configuration side or to the
computer configuration side.

However, this is something to consider.

I would first focus on getting everything in AD correct with respect to
logon requests being authenticated by the correct Domain Controller(s).

HTH,

Cary



"Axel Boggio" <axel.boggio@str_yker.com> wrote in message
news:mn.5b1a7d486f5dc068.12023@stryker.com...
> Hi Ken,
>
> This is single domain
> Ken submitted this idea :
> > Just an idea--do you have multiple sites/domains in AD or
> > is it just one large domain with 20 physical disparate
> > locations?
> >
> > Ken
> >
> >> -----Original Message-----
> >> Hi all,
> >>
> >> We have a unique European domain with 20 sites link through the WAN.
We
> >> use GPO's to deploy application. My problem is that when a user based
> >> in Switzerland connects to a site elsewhere and there is a software
> >> update (like MS Office) the installation starts and takes ages.
> >>
> >> Is there a way to block GPO deployment by IP address or better, to
just
> >> allow GPO deployment based on client IP address. Please note that as
we
> >> have a Windows 2000 domain, we cannot use WMI filtering.
> >>
> >> Thanks in advance
> >>
> >> Axel
> >>
> >> --
> >> This is an automatic signature of MesNews.
> >> Site : http://mesnews.no-ip.com
>
> --
> This is an automatic signature of MesNews.
> Site : http://mesnews.no-ip.com
>
Anonymous
August 16, 2004 2:52:31 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Looks like I forgot to mention that it can not be considered a slow link (
as you correctly stated ) as Software Deployment is one of the 'GPOs' that
is -NOT- applied over a slow link!

HTH,

Cary

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:uSmXdJzgEHA.592@TK2MSFTNGP11.phx.gbl...
> Axel,
>
> What exactly do you mean? I assume that you mean that the link is too
fast
> to be considered a slow link? Please remember that you can tell Active
> Directory what the 'slow' in the slow link is. If you make no changes(
> read: the default ) then it is 500kbps.....
>
> Cary
>
>
> "Axel Boggio" <axel.boggio@str_yker.com> wrote in message
> news:mn.5b1d7d48398501f1.12023@stryker.com...
> > Hi Ken,
> >
> > This is multiple sites in one domain.
> >
> > The problem is that our link is fast enough to apply the policy (and
> > detect it as a slow link) but too slow to deploy application.
> >
> > Axel
> >
> > After serious thinking Ken wrote :
> > > Just an idea--do you have multiple sites/domains in AD or
> > > is it just one large domain with 20 physical disparate
> > > locations?
> > >
> > > Ken
> > >
> > >> -----Original Message-----
> > >> Hi all,
> > >>
> > >> We have a unique European domain with 20 sites link through the WAN.
> We
> > >> use GPO's to deploy application. My problem is that when a user
based
> > >> in Switzerland connects to a site elsewhere and there is a software
> > >> update (like MS Office) the installation starts and takes ages.
> > >>
> > >> Is there a way to block GPO deployment by IP address or better, to
> just
> > >> allow GPO deployment based on client IP address. Please note that as
> we
> > >> have a Windows 2000 domain, we cannot use WMI filtering.
> > >>
> > >> Thanks in advance
> > >>
> > >> Axel
> > >>
> > >> --
> > >> This is an automatic signature of MesNews.
> > >> Site : http://mesnews.no-ip.com
> >
> > --
> > This is an automatic signature of MesNews.
> > Site : http://mesnews.no-ip.com
> >
>
>
!