Connecting to a domain wirelessly

Caporegime · Joined 7 Nov 2004 · Posts 30,197 · Location Buckinghamshire
Hello

We have an issue at work, where most users who take their laptops home in the evening, and come back into work the next day, cannot log into the domain wirelessly... The only way this can be achieved is if someone logs on with an Admin account, and then the users may be able to log in wirelessly... Wired connections have no issue.

Could anyone think why this is? The users' laptops are XP, the domain box is hosted on a Windows Server 2008 Standard box...

There must be something which causes this? Or is it a known bug? Or would it be down to group policy? Or due to timeouts etc?

Any help or insight is appreciated :)
 
The wireless does not connect until you log in; that's the issue.

1) some adapters (Intel) have (I think) a service you can install that connects before the user logs in.

2) possibly allow the passwords to be cached locally so the user can log into the domain even when it's not there...

I'm guessing this is the issue...

Hello

Thank you for the reply, was this from a KB article or just something you are thinking of? :)

That is the issue though, the users cannot log in all the time, however admins can...but why does this make a difference? As the Admin account is actually on the domain and not a local account...
 
Hmm... I really have no idea, it's not my network you see, so I'm still learning it all.

I would try one of the other laptops, only we have none spare; we have netbooks, but that just worked on my account... So god knows, unless I take over another account and test that.

I'll have to have a think... Do you have any idea of that service you were talking about? :)
 
Totally wrong, we have 150+ laptops that connect to a Cisco Ap. When the system starts up it connects to the WiFi at the logon screen. If it fails to get a dhcp address or can't find the WiFi SSID then it won't connect.

Right... but why would the admin account (that's on the domain) always connect but the staff accounts not?
 
Some wireless cards have a driver that will start as a service to connect before you log in. Notice that when you log in to a machine the wireless is NOT connected and takes a few seconds to link up...

This is because Windows wireless only starts after you log in, but you can use 3rd party utilities to manage the wireless instead of the Windows one... SOME (not all) wireless vendors have a utility that runs as a service; you will have to look on the vendor's web site to see...

If you are not in a position to play about with OUs it's probably not fixable (unless you happen to have wireless cards in the machines that the vendor has their own service-type wireless management program for).

But if that was the case, I wouldn't be able to log onto the root account, as you need the domain to be available... which it is on the root account.
 
you must have something running as a service then, XP connects to wireless after you log in...

Unless there is some tweak / hack / settings to alter -in which case post it as it will fix OP's issue...

Well, according to some posts I have read elsewhere:

If you're using Windows XP, you'll have to use the built-in Wireless Zero Configuration utility. Make sure you have the WPA2 patch (machines must have XP SP2 on them first). Wireless Zero is active before logon, but the actual connection to the wireless network is not immediate; it takes about 30 seconds to make a connection. So don't log in as soon as you get the login prompt, because the wireless network connection won't be ready just yet.

It should be working... and as far as I am aware, we use the Windows wireless manager (in fact I'm pretty certain) so I'll take another look.
 
Machine or user policy that stops non-admin accounts (either because they are in different OUs or because they are non-admin) logging in if no DC is contactable, or possibly stops the passwords getting cached...

Needs loads of testing really (just thought: if it's password caching, logging in as admin would not help).

I'll have a look at the staff user policy, see if it is active, then check if the staff laptops have a separate policy (although the latter should be void if one account works... so it 'shouldn't' be a machine policy).

Thanks :)
 
Right... to confirm, if the Admin account logs in, then off, the staff can log in fine... But as soon as they restart etc., they cannot log back in until the Admin account logs on.

My boss said something about IIS potentially?
 
I'm at a loss to be honest... I've looked through group policies, looked at NPS (IAS) on the server... But it's impossible to know what I'm looking for.
 
If possible, hook up the netbook via Ethernet and have the user logon. Unplug the cable and reboot. See if they can then logon without the rigmarole. XP should cache the credentials after logging on via the wired LAN.

Sadly it won't work, as it happens all too often; people are always coming in as they can't log on wireless... So they have to come to the office as it has a wired dock here.

:(

It's getting ridiculous now...aghhh

EDIT: Maybe it's something to do with, as you say, profile caching? =/ i.e. when the user logs off it resets something?
 
Hmm...Noticed this in Group Policy...

[screenshot attachment]

Which is within something called 'Roaming User GPO'...

Now this, is what all staff laptops are part of I believe (in a computer sense not a user sense), as the 'scope' is set on Staff...However, the root account is a member of 'Staff' but that is on a user level as opposed to a computer level...

Would this cause something do you think? Or am I reading it wrong entirely?
 
That only applies to whether files are available to the user in redirected folders if they are not connected to the server.

EDIT: Make sure the netbooks have caching enabled. Open regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find the cachedlogonscount key and make sure its value is not 0. By default this is usually set to 10.

Hmm okay... Is this anything to do with offline files though? The caching? Because I can log in, but I'm within the Domain Admins group... My boss thinks it's a per-system thing but it can't be if the admin can log on and another user can't.

EDIT:

Basically, everything I can see is done on a system basis, other than the thing I linked to... Unless there is something in the Network Policy Server settings... but god knows.

EDIT 2: it's set to 50 on the system I'm on now :p
 
Domain Admins may be a special exception to allow access in the event of no caching and no way of connecting to the DC.

The credentials caching can be set through GPO at:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Number of previous logons to cache.

Though taking a quick look at the reg key I gave above should tell you if it has been turned off or not.

That's what I'm thinking, being a member of the Domain Admins may override all other settings... Which is why I'm getting him to create me a test account so I can replicate this... I think it's bizarre how it works to be quite frank :p You should be able to log onto the network wireless (on the internal wireless obviously... which you can connect to unless you are part of that GPO).

And looking on one of the GPOs where you stated to look, under Interactive logon it's got "Interactive logon: Do not display last user name - Enabled"... so god knows what's going on there. I'll look through some of the other GPOs, as there are about 20 odd across the site :o

EDIT: And as far as I can tell, the wireless GPO is set up just so you connect to that wireless... but something else is stopping you from doing that until after an admin has logged in wirelessly =/
 
Basically, from what I can see, it's done on a user basis, as opposed to a workstation/system basis... otherwise it would be the same on all accounts? Unless as stated it's something to do with the Domain Admins user group?

However in GPO there are no linked group policies in there... brain hurting.
 
XP won't connect to any wireless until a user logs in, unless there is a service/driver installed that allows the machine to connect prior to log on. Intel are the only ones I know for sure who do this. The only other way around it is cached credentials.

But how do you cache the credentials? Via the cachedlogonscount setting? Not sure what setting does this on the Intel wireless though... I'll have a gander.

Why you need to log on as an Admin first is a mystery to me. What happens if you make a user a local admin on the machine? Can they log in without an Admin logging in first?

I know all users are under Staff, which has local Admin rights...?

After several replies you still haven't told me if the cachedlogonscount is set to 0 or not! :p

I did in post 24 I believe :)

Delvis: EDIT 2: its set to 50 on the system im on now :p
 
OK my bad, I must have missed your edit! :p

The cachedlogonscount sets how many different logons Windows will cache. Zero disables caching. Windows should cache the credentials automagically after a successful login.

The Intel wireless doesn't do anything special, other than usually letting the machine connect to the AP before someone logs on - which negates the need for caching in the first place.

Did you check the value of cachedlogonscount with a normal user account, rather than admin? If it is a GPO thing, it could well be enabled for the Admin and then disabled for the user. Though the best way of telling is to run the Resultant Policy wizard in the Group Policy Management MMC. It will tell you exactly which settings a user/group/pc/whatever is getting once all GPOs linked to them are combined.
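The two checks suggested in this thread, reading the cachedlogonscount value from the Winlogon key and seeing which GPOs actually land on the machine, can be scripted so the same thing is run on an affected laptop each time rather than eyeballing regedit. The script below is an added example, not code posted by anyone in the thread; it assumes PowerShell 2.0 is installed on the XP SP3 laptop, that it is run from an elevated (local admin) session, and that the Wireless Zero Configuration service has its standard name WZCSVC (WlanSvc on Vista and later). The function names are hypothetical.

```powershell
# Added example (not from the thread): on an affected laptop, report whether
# cached domain logons are enabled, whether the wireless service is set to
# start with the machine, and which computer-side GPOs applied.
# Assumes: PowerShell 2.0+ on XP SP3, run as a local administrator.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # CachedLogonsCount is stored as a REG_SZ string (e.g. "10"), not a DWORD.
    # When the value is absent, Windows behaves as if it were 10.
    $item = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.CachedLogonsCount
}

function Test-CachedLogonsEnabled {
    # 0 disables caching entirely; anything else (or the default) allows it.
    $count = Get-CachedLogonsCount
    if ($null -eq $count) { return $true }
    return ($count -gt 0)
}

function Get-WirelessServiceState {
    # XP: WZCSVC (Wireless Zero Configuration); Vista and later: WlanSvc.
    foreach ($name in @('WZCSVC', 'WlanSvc')) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) {
            return New-Object PSObject -Property @{
                Name      = $svc.Name
                State     = $svc.State      # Running / Stopped
                StartMode = $svc.StartMode  # Auto / Manual / Disabled
            }
        }
    }
    return $null
}

# --- 1. Credential caching --------------------------------------------------
$count = Get-CachedLogonsCount
if ($null -eq $count) {
    Write-Host 'CachedLogonsCount not set: Windows default of 10 applies (caching enabled).'
} elseif ($count -eq 0) {
    Write-Host 'CachedLogonsCount = 0: cached domain logons are DISABLED; a DC must be reachable at logon.'
} else {
    Write-Host "CachedLogonsCount = $count: cached domain logons are enabled."
}

# --- 2. Wireless service ----------------------------------------------------
$wifi = Get-WirelessServiceState
if ($wifi) {
    Write-Host ("Wireless service {0}: {1}, start mode {2}" -f $wifi.Name, $wifi.State, $wifi.StartMode)
    if ($wifi.StartMode -ne 'Auto') {
        Write-Host '  -> not set to Auto, so it will not be up before the logon prompt.'
    }
} else {
    Write-Host 'No WZCSVC/WlanSvc service found (a vendor utility may be managing wireless instead).'
}

# --- 3. Resultant policy -----------------------------------------------------
# gpresult /scope computer /v works on XP and later. The ten lines after the
# "Applied Group Policy Objects" heading list the GPOs that actually applied;
# the thread's 'Interactive logon: Number of previous logons to cache' setting,
# if enforced, would come from one of these.
Write-Host "`nApplied computer GPOs:"
$gp = & gpresult /scope computer /v 2>&1
$gp | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

Run it once as the admin account and once as the test user account the thread talks about; if the CachedLogonsCount line or the applied-GPO list differs between the two runs, that points at a user-scoped policy rather than a machine setting.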

No worries, I did edit it twice :p

That's why I think this Intel thing isn't going to change much, as it works for Admins (on the network, not local admins) but not for Users... So that makes that void pretty much to me?

No, I haven't checked it on a normal user account yet; I'm getting my boss to create a user account for me now so that I can actually test the issue properly, otherwise I have to steal a user's account, which isn't feasible every day :) But now that you mention it, I guess the GPO could be doing something like how you described it, so I'll give it a whirl.

Not actually heard of Resultant policy so I'll look at that as well :p
 
Well...

Currently, each laptop is put into a group (Laptops / staff or student) and within the Laptop group there is a GPO for the wireless, then within the staff group there are the following three GPOs:

Delete cached Profiles (45 days)
Roaming User GPO
WSUS Staff Laptops Policy

See now, the cached GPO shouldn't mean anything, as admins can log in fine, but there aren't any other GPOs assigned to where the Admin users are located...

It's all annoying now, unless anybody knows anything about how NPS works on the server? =/
 
Would anything in here be of relevance?

Ability to change properties of an all user remote access connection Disabled
Ability to delete all user remote access connections Disabled
Ability to Enable/Disable a LAN connection Disabled
Ability to rename all user remote access connections Disabled
Ability to rename LAN connections Disabled
Ability to rename LAN connections or remote access connections available to all users Disabled

Prohibit access to properties of a LAN connection Enabled
Prohibit access to properties of components of a LAN connection Enabled
Prohibit access to properties of components of a remote access connection Enabled
Prohibit access to the Advanced Settings item on the Advanced menu Enabled
Prohibit access to the New Connection Wizard Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled
Prohibit adding and removing components for a LAN or remote access connection Enabled
Prohibit changing properties of a private remote access connection Enabled
Prohibit connecting and disconnecting a remote access connection Enabled
Prohibit deletion of remote access connections Enabled
Prohibit Enabling/Disabling components of a LAN connection Enabled
Prohibit renaming private remote access connections Enabled
Prohibit TCP/IP advanced configuration Enabled
Prohibit viewing of status for an active connection Enabled
 
Right then, scrap all that; apparently there are no group policies that affect the wireless logon... It's all done on IAS (NPS as it's 2008 server, yes?)

So no idea now, as I can't really see anything within the NPS that affects users individually... meh :(
 