Cloud Client Connector not honoring AD group policy when not connected to the domain

Solution

Overview

Cloud Client Connector not honoring AD group policy when not connected to the domain:
When I log in to the domain, my group-based policy is honored.
If I have a laptop and I undock and go wireless, my group-based policy is honored.
If I reboot my laptop and I am wireless and I do a cached local logon, then my group-based policy is not honored.
If I reboot my laptop and I log on remotely without being able to log on to the domain, then my group-based policy is not honored.
If I start up my computer off the network and connect to the network that has my AD group information, my group-based policy is not honored.

Cause
Resolution

The current version of the Client Connector and Unified Agent for Windows is able to cache Active Directory (AD) group information. This assumes that the Client Connector/Unified Agent was installed while the workstation was connected to the domain, or that the workstation has connected to the domain at least once since installation if it was remote when the client was installed. See the additional information below for further details.

Another option is to enable Captive Portal. See portal.threatpulse.com/docs/sol/Content/Deployment/Concepts/AuthDetail/about_captport_co.htm for details.

ADDITIONAL INFORMATION:

Blue Coat's ThreatPulse Client Connector relies on the underlying operating system to provide user and group information. Windows can cache logons, so if a laptop is removed from the domain the user can still log on to it without contacting a domain controller. This caching mechanism caches only the user's logon credentials; it does not cache the logged-on user's group information.

If a user logs on and the domain can be contacted at logon, the group information is stored on the computer, and the Client Connector can use the group information obtained by the OS. If that computer is a laptop and the laptop goes wireless, the group information remains cached for a period of time and group-based policy continues to be enforced. If that laptop is rebooted while not connected to the domain, none of the group information is available to the Client Connector.

The latest version of the Client Connector/Unified Agent can cache group information itself, and that cached group information can be used for policy decisions while the workstation is remote. The one requirement is that the workstation/laptop connects to the domain at least once so it can obtain a copy of the groups. If a user's group membership changes while they are off the network, they will need to connect back to the AD infrastructure so that the cached groups are updated.
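The following PowerShell diagnostic is an added example for checking the conditions described above on a workstation; it is not part of the Client Connector/Unified Agent and does not reproduce the agent's own group lookup. It assumes Windows PowerShell 5.1 or later on a domain-joined machine and an elevated session for the Security log query. It reports three things the OS can tell you: whether a domain controller is reachable right now, whether the most recent interactive logon for the current user was a cached logon (Security event ID 4624 with LogonType 11, CachedInteractive), and which group SIDs are in the current access token and whether each can still be resolved to a DOMAIN\Name. The function names are my own.

```powershell
# Added diagnostic (not the Client Connector's code). Assumptions: domain-joined
# Windows workstation, PowerShell 5.1+, elevated session for Security log access.

function Test-DomainReachable {
    # True only if a domain controller for the computer's domain can be contacted now.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $null = $domain.FindDomainController()   # throws when no DC answers
        return $true
    } catch {
        return $false
    }
}

function Get-LastInteractiveLogonType {
    # LogonType of the newest interactive logon (4624) for the current user:
    # 2 = Interactive (DC contacted), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
    $user  = $env:USERNAME
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$user' and " +
             "(Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11')]]"
    try {
        $ev  = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
        $xml = [xml]$ev.ToXml()
        $lt  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        return [int]$lt
    } catch {
        return $null   # no matching event, or the session is not elevated
    }
}

function Get-TokenGroups {
    # Enumerates the group SIDs in the current token and tries to resolve each to
    # DOMAIN\Name. Resolution of a domain SID fails when no DC is reachable and the
    # SID is not in the local LSA name cache; those are reported as unresolved.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try {
            [pscustomobject]@{ Sid = $sid.Value; Name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        } catch {
            [pscustomobject]@{ Sid = $sid.Value; Name = '<unresolved>' }
        }
    }
}

# ---- report ----
$dcReachable = Test-DomainReachable
$logonType   = Get-LastInteractiveLogonType
$groups      = @(Get-TokenGroups)
$unresolved  = @($groups | Where-Object { $_.Name -eq '<unresolved>' })

"Logon server     : $env:LOGONSERVER   (\\$env:COMPUTERNAME means a cached/local logon)"
"DC reachable now : $dcReachable"
"Last logon type  : $logonType   (11 = cached interactive logon)"
"Token groups     : $($groups.Count), unresolved SIDs: $($unresolved.Count)"
$groups | Format-Table -AutoSize

if (-not $dcReachable -and $logonType -eq 11) {
    "Cached logon with no DC contact: group-based policy will not apply until this workstation reconnects to the domain."
}
```

Run it once while docked (expect LogonType 2, DC reachable, every SID resolved) and again after a reboot on wireless with no domain connectivity (expect LogonType 11, LOGONSERVER equal to the local computer name, and domain SIDs showing as unresolved). The second run is the state in which the article says the Client Connector has no group information to work with unless the newer agent has already cached it.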

InQuira Doc Id: KB4708
