Your options for circumventing this annoyance are somewhat limited, but you can get creative. You can try using site-linked GPOs to apply alternative settings to a computer or user connecting to a DC from an IP subnet that’s known to be unique to VPN clients. The problem with this approach is that site-linked GPOs are lower in the processing hierarchy than domain and organizational unit–linked GPOs that the user is likely to be using. Even if site-linked GPOs that relax lockdowns are in effect, they will be overridden by other GPOs.
You can get around the problem by setting the link on the site-linked GPO to Enforced. The Enforced flag causes Group Policy processing to say, “I don’t care what downstream GPOs might conflict with this site-linked GPO; I want the site-linked GPO settings to win.” The downside to using Enforced is that site-linked GPOs can be difficult to manage because sites span multiple domains. If managing site-linked GPOs isn’t a problem for you, then an enforced site-linked GPO approach isn’t bad.
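As an added illustration of the enforced site-link approach (this is example code written for this page, not a script from the article or from SDM Software), the following PowerShell uses the GroupPolicy and ActiveDirectory RSAT modules to link a relaxed-lockdown GPO to the AD site whose subnets are the VPN address pool, mark the link Enforced, and then verify the result by reading the site object's gPLink attribute. The GPO name, the site name, and the domain are assumed placeholder values; the gPLink parsing relies on the documented link format, in which each entry is "[LDAP://<GPO DN>;<options>]" and bit 2 of the options value means Enforced.

```powershell
# Added example, not from the article. Requires RSAT (GroupPolicy, ActiveDirectory)
# and rights to create GPOs and link them at the site level.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'VPN-Relaxed-Lockdown'   # assumed GPO name
$SiteName = 'VPN-Clients'            # assumed AD site whose subnets are the VPN pool
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$SiteDN   = "CN=$SiteName,CN=Sites,$ConfigNC"

# Create the GPO only if it does not exist yet
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Relaxes desktop lockdown for VPN-connected clients'
}

# Link to the site and set Enforced so the link wins over domain- and OU-linked GPOs.
# New-GPLink throws if the link already exists, so guard it.
$alreadyLinked = (Get-ADObject -Identity $SiteDN -Properties gPLink).gPLink -match [regex]::Escape("{$($gpo.Id)}")
if (-not $alreadyLinked) {
    New-GPLink -Guid $gpo.Id -Target $SiteDN -Enforced Yes -LinkEnabled Yes | Out-Null
}

# Verify by decoding gPLink: "[LDAP://<dn>;<options>]" per link,
# options bit 1 = link disabled, bit 2 = enforced.
function Get-SiteGPLink {
    param([Parameter(Mandatory)][string]$SiteDistinguishedName)
    $site = Get-ADObject -Identity $SiteDistinguishedName -Properties gPLink
    foreach ($m in [regex]::Matches([string]$site.gPLink, '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            GpoDN    = $m.Groups['dn'].Value
            Enforced = ($opt -band 2) -ne 0
            Disabled = ($opt -band 1) -ne 0
        }
    }
}

Get-SiteGPLink -SiteDistinguishedName $SiteDN | Format-Table -AutoSize
```

Run it once from a management workstation in the forest root, then confirm with a VPN-connected client that the relaxed settings are shown as winning in the RSoP data (gpresult /r) before relying on it.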
Another creative solution is to use the new Group Policy Preferences feature. Group Policy Preferences let you define GPO settings, then, in an approach called item-level targeting, use a variety of granular filters to apply settings to specific computers. One filter you can apply is IP address range, as Figure 1 shows.
By filtering on the range of IP addresses assigned to VPN clients, you can apply registry policies within Group Policy Preferences that override settings you’ve specified in the Administrative Templates policy. Because the Group Policy Preferences registry extension runs after the Administrative Templates extension, this approach overwrites Administrative Template policy when a computer or user is on a VPN subnet. The downside is that you would want the Administrative Template policy to be reapplied when the user is back on the corporate network, and that won’t happen unless you force the Administrative Template policy to run during every Group Policy refresh cycle.
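To show the two halves of the Group Policy Preferences workaround in working form, here is an added PowerShell example (written for this page, not taken from the article). The first part uses Set-GPRegistryValue to configure the registry client-side extension so that Administrative Template policy is reprocessed on every refresh even when no GPO has changed, which is what lets the lockdown reassert itself once the client is back on the corporate LAN; the key under the registry CSE GUID and the NoGPOListChanges value are the ones the "Configure registry policy processing" policy writes. The second part is a client-side helper that makes the same decision as the IP address range item-level target, so you can check from a client which branch the preference item should take. The GPO name and the VPN address pool are assumed placeholder values.

```powershell
# Added example, not from the article. Part 1 runs on a management workstation with RSAT;
# Part 2 runs on a client (Get-NetIPAddress needs Windows 8/2012 or later).
Import-Module GroupPolicy

# Part 1: force the registry (Administrative Templates) CSE to process every refresh.
# This is the "Process even if the Group Policy objects have not changed" setting,
# stored as NoGPOListChanges = 0 under the registry CSE's GUID key.
$LockdownGpo = 'Desktop-Lockdown'   # assumed name of the existing lockdown GPO
Set-GPRegistryValue -Name $LockdownGpo `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' `
    -ValueName 'NoGPOListChanges' -Type DWord -Value 0 | Out-Null

# Part 2: mirror the "IP address range" item-level targeting test on the client.
function ConvertTo-IPv4UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$RangeStart,
        [Parameter(Mandatory)][string]$RangeEnd
    )
    $a = ConvertTo-IPv4UInt32 $Address
    return ($a -ge (ConvertTo-IPv4UInt32 $RangeStart)) -and ($a -le (ConvertTo-IPv4UInt32 $RangeEnd))
}

# Constructed VPN pool for the example; use the range you entered in the GPP filter.
$VpnStart = '10.200.0.1'
$VpnEnd   = '10.200.3.254'

# Evaluate every non-loopback IPv4 address the client currently holds, as the CSE would.
$onVpn = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object { Test-IPv4InRange -Address $_.IPAddress -RangeStart $VpnStart -RangeEnd $VpnEnd } |
    Where-Object { $_ } | Select-Object -First 1

if ($onVpn) {
    'Client is in the VPN range: the GPP registry item should apply and override the lockdown.'
} else {
    'Client is off the VPN range: the GPP item is skipped and the lockdown is reapplied on refresh.'
}
```

After a gpupdate /force on the client, compare the output of this check with the value actually present in the policy key you are toggling; if the lockdown value does not come back when the client leaves the VPN range, the registry CSE is still skipping unchanged GPOs and Part 1 has not reached the client yet.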
The bottom line is that although there’s no ultimate solution to managing mobile user lockdown, there are some creative things you can do to help make life easier for mobile users without removing their systems from your AD domain.
Living with Group Policy
Group Policy is a powerful tool for managing desktop configuration, but it can’t help you in every scenario. And sometimes it can be downright frustrating to use, as these examples prove. The good news is that with the introduction of the Group Policy Preferences feature, you now have more features and more flexibility with which to accomplish your goals. The next time you’re annoyed about something within Group Policy, take heart in knowing that with a script here or a Group Policy Preference there, you may be able to work around your problems and still leverage this powerful technology to get full control over your Windows desktops and servers.
Darren Mar-Elia (dmarelia@windowsitpro.com) is a contributing editor for Windows IT Pro and is CTO and founder of SDM Software (www.sdmsoftware.com). He maintains a Group Policy resource website (www.gpoguy.com) and is coauthor of Microsoft Windows Group Policy Guide (Microsoft Press).