Connecting to a domain wirelessly

If possible, hook up the netbook via Ethernet and have the user log on. Unplug the cable and reboot. See if they can then log on without the rigmarole. XP should cache the credentials after logging on via the wired LAN.

Sadly it won't work, as it happens all too often; people are always coming in as they can't log on wireless... So they have to come to the office as it has a wired dock here

:(

It's getting ridiculous now...aghhh

EDIT: Maybe it's something to do with, as you say, profile caching? =/ i.e. when a user logs off it resets something?
 
Hmm...Noticed this in Group Policy...

[Attached image: rlsinfrarlsinfraremoted.jpg]


Which is within something called 'Roaming User GPO'...

Now this is what all staff laptops are part of, I believe (in a computer sense, not a user sense), as the 'scope' is set on Staff... However, the root account is a member of 'Staff', but that is on a user level as opposed to a computer level...

Would this cause something do you think? Or am I reading it wrong entirely?
 
That only applies to whether files are available to the user in redirected folders if they are not connected to the server.

EDIT: Make sure the netbooks have caching enabled. Open regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Find the cachedlogonscount key and make sure its value is not 0. By default this is usually set to 10.
 

Hmm okay... Is this anything to do with offline files though? The caching? Because I can log in, but I'm within the domain admins group... My boss thinks it's a per system thing but it can't be if the admin can log on and another user can't

EDIT:

Basically, everything I can see is to do on a system basis, other than the thing I linked to... Unless there is something in the Network Policy Server settings... but god knows

EDIT 2: it's set to 50 on the system I'm on now :p
 
Domain Admins may be a special exception to allow access in the event of no caching and no way of connecting to the DC.

The credentials caching can be set through GPO at:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Number of previous logons to cache.

Though taking a quick look at the reg key I gave above should tell you if it has been turned off or not.
 

That's what I'm thinking, being a member of the Domain Admins may override all other settings... Which is why I'm getting him to create me a test account so I can replicate this... I think it's bizarre how it works to be quite frank :p You should be able to log onto the network wireless (on the internal wireless obviously... which you can connect to unless you are part of that GPO)

And looking on one of the GPOs where you stated to look, under Interactive logon it's got Interactive logon: Do not display last user name - Enabled... so god knows what's going on there, I'll look through some of the other GPOs, as there are about 20 odd across the site :o

EDIT: And as far as I can tell, the wireless GPO is set up just so you connect to that wireless... but something else is stopping you from doing that until after an admin has logged in wirelessly =/
 
Basically, from what I can see, it's done on a user basis, as opposed to a workstation/system basis... otherwise it would be the same on all accounts? Unless, as stated, it's something to do with the domain admin user group?

However, in GPO there are no linked group policies in there... brain hurting
 
And looking on one of the GPOs where you stated to look, under Interactive logon it's got Interactive logon: Do not display last user name - Enabled... so god knows what's going on there, I'll look through some of the other GPOs, as there are about 20 odd across the site :o

Seems like a simple enough setting, fella. When you press CTRL+ALT+DEL to log on, usually the last person to use the machine will have their username already in the username field. The above GPO setting stops that. Nothing sinister or alarming about it!

EDIT: And as far as I can tell, the wireless GPO is set up just so you connect to that wireless... but something else is stopping you from doing that until after an admin has logged in wirelessly =/

XP won't connect to any wireless until a user logs in, unless there is a service/driver installed that allows the machine to connect prior to log on. Intel are the only ones I know for sure who do this. The only other way around it is cached credentials.

Why you need to log on as an Admin first is a mystery to me. What happens if you make a user a local admin on the machine? Can they log in without an Admin logging in first?

After several replies you still haven't told me if the cachedlogonscount is set to 0 or not! :p
 
XP won't connect to any wireless until a user logs in, unless there is a service/driver installed that allows the machine to connect prior to log on. Intel are the only ones I know for sure who do this. The only other way around it is cached credentials.

But how do you cache the credentials? Via the cachedlogonscount setting? Not sure what setting does this though on the Intel wireless... I'll have a gander

Why you need to log on as an Admin first is a mystery to me. What happens if you make a user a local admin on the machine? Can they log in without an Admin logging in first?

I know all users are under Staff, which has local Admin rights...?

After several replies you still haven't told me if the cachedlogonscount is set to 0 or not! :p

I did in post 24 I believe :)

Delvis: EDIT 2: it's set to 50 on the system I'm on now :p
 
OK my bad, I must have missed your edit! :p

The cachedlogonscount sets how many different logons Windows will cache. Zero disables caching. Windows should cache the credentials automagically after a successful login.

The Intel wireless doesn't do anything special, other than usually letting the machine connect to the AP before someone logs on - which negates the need for caching in the first place.

Did you check the value of cachedlogonscount with a normal user account, rather than admin? If it is a GPO thing, it could well be enabled for the Admin and then disabled for the user. Though the best way of telling is to run the Resultant Policy wizard in the Group Policy Management MMC. It will tell you exactly which settings a user/group/pc/whatever is getting once all GPOs linked to them are combined.
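
An added example, not part of the original thread: a PowerShell check of the cachedlogonscount value discussed above, followed by a gpresult query to see whether a GPO is setting it. It assumes PowerShell 2.0 is installed on the netbook and that the account can read HKLM; the function name Get-CachedLogonStatus is hypothetical.

```powershell
# Added example (not from the thread). Get-CachedLogonStatus is a hypothetical helper name.
# The key lives under HKLM, so the setting is per machine, not per user.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonStatus {
    param([string]$Path = $WinlogonKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $raw   = $props.CachedLogonsCount

    # Value absent: Windows falls back to its default of 10 cached logons.
    if ($null -eq $raw) {
        return New-Object PSObject -Property @{
            Raw = '(not set)'; Count = 10; Caching = 'Enabled (default)'
        }
    }

    # The value is stored as a string, so parse it before comparing.
    $count = 0
    if (-not [int]::TryParse([string]$raw, [ref]$count)) {
        return New-Object PSObject -Property @{
            Raw = $raw; Count = $null; Caching = 'Unknown (non-numeric value)'
        }
    }

    # Zero disables caching; any other number is how many logons are kept.
    $state = if ($count -eq 0) { 'Disabled' } else { 'Enabled' }
    return New-Object PSObject -Property @{
        Raw = $raw; Count = $count; Caching = $state
    }
}

Get-CachedLogonStatus | Format-List Raw, Count, Caching

# Resultant policy for the computer: look for a GPO that names the value.
# No match means the verbose output contained no line mentioning it.
$hits = gpresult /scope computer /v |
    Select-String -Pattern 'CachedLogonsCount' -Context 3,1
if ($hits) { $hits } else { 'No GPO entry naming CachedLogonsCount was found.' }
```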
 

No worries, I did edit it twice :p

That's why I think this Intel thing isn't going to change much, as it works for Admins (on the network, not local admins) but not for Users... So that makes that void pretty much to me?

No, I haven't checked it on a normal user account yet, I'm getting my boss to create a user account for me now so that I can actually test the issue properly, otherwise I have to steal a user's account, which isn't feasible every day :) But now that you mention it, I guess the GPO could be doing something like how you described it, so I'll give it a whirl

Not actually heard of Resultant policy so I'll look at that as well :p
 
Well...

Currently, each laptop is put into a group (Laptops / staff or student) and within the Laptop group there is a GPO for the wireless, then within the staff group there are the following three GPOs:

Delete cached Profiles (45 days)
Roaming User GPO
WSUS Staff Laptops Policy

See now, the cached GPO shouldn't mean anything, as admins can log in fine, but there aren't any other GPOs assigned to where the Admin users are located...

It's all annoying now, unless anybody knows anything about how NPS works on the server? =/
 
Would anything in here be of relevance?

Ability to change properties of an all user remote access connection: Disabled
Ability to delete all user remote access connections: Disabled
Ability to Enable/Disable a LAN connection: Disabled
Ability to rename all user remote access connections: Disabled
Ability to rename LAN connections: Disabled
Ability to rename LAN connections or remote access connections available to all users: Disabled

Prohibit access to properties of a LAN connection: Enabled
Prohibit access to properties of components of a LAN connection: Enabled
Prohibit access to properties of components of a remote access connection: Enabled
Prohibit access to the Advanced Settings item on the Advanced menu: Enabled
Prohibit access to the New Connection Wizard: Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu: Enabled
Prohibit adding and removing components for a LAN or remote access connection: Enabled
Prohibit changing properties of a private remote access connection: Enabled
Prohibit connecting and disconnecting a remote access connection: Enabled
Prohibit deletion of remote access connections: Enabled
Prohibit Enabling/Disabling components of a LAN connection: Enabled
Prohibit renaming private remote access connections: Enabled
Prohibit TCP/IP advanced configuration: Enabled
Prohibit viewing of status for an active connection: Enabled
 
Right then, scrap all that, apparently there are no group policies that affect the wireless logon... It's all done on IAS (NPS as it's 2008 server, yes?)

So no idea now, as I can't really see anything within the NPS that affects users individually... meh :(
 