cancel
Showing results for 
Search instead for 
Did you mean: 

OAC and "always wait for network" group policy

curtmcgirt_
Not applicable

OAC and "always wait for network" group policy

i work for a division of a much larger company who acquired us. we maintain a separate active directory domain with no trust relationship to theirs. they own all the network equipment and we install OAC on our workstations to get 'approval' from their oddyssey infrastructure. i believe it only checks for the presence of a certain antivirus. there is no user authentication.

 

i'm not an odyssey guy, and i have no control over the switches or the odyssey infrastructure.

 

when our clients boot up, the odyssey process can take some time. i have the group policy "always wait for network" configured on all my workstations. but, since with odyssey, the basic bootup process on the NIC is

 

1. get a dhcp address in a "quarantine" subnet

2. get approved by oddyssey

3. get a dhcp address in the normal corporate subnet

 

windows stops waiting for the "network" after step 1. users get the ctrl+alt+delete screen, they immediately log in. but they are logging in with cached credentials because there is no domain connectivity yet. User group policy doesn't get applied. then sometime after they log in, odyssey approves the machine and the machine gets an ip address in the normal corporate subnet.

 

is this known, understood and acceptable behavior for machines with OAC? we map network drives with user group policy preferences, and they don't get applied when the users log in with cached credentials. if they then log off and log back on (after they are on the normal corporate subnet), group policy applies correctly and drives map. if, on bootup, they wait a few minutes after seeing CTRL+ALT+DEL appears before they log in, group policy applies correctly and drives map.

 

is there anything i can do for this? i've read about a GINA for odyssey, but i'm guessing that is for user authentication prior to windows authentication, rather than delaying the CTRL+ALT+DEL until the machine is on the correct internal subnet. which is what i think really needs to happen.

1 REPLY 1
kalagesan_
Super Contributor

Re: OAC and "always wait for network" group policy

Hi,

 

As per  my understanding you are using machine authenication and the behavior you are seeing is acceptable.

 

We may need to check the OAC logs and authentication server logs ( IC ) logs to ensure everything working as expected or not

 

Regards,

kannan