GPO and firewall

[Fred Flintstone]

hello,
when I make a change to the settings of the default domain policy, these
changes will reflect on the clients in due course.
the policy needs to be replicated across the domain, and the clients need to
receive the settings also.
but within at least one day, the settings take their effect.
I know this can be done shorter with enforce /etc.etc., but in general I am
content with this.

laptops that are connected through internet and VPN is a different story.
these clients don't seem to receive the updates through this connection.
only when they visit our offices and connect their laptops directly, the
policies are propagated.

the question is, through what port of the firewall do these policies go ?
thnks
Fred

 

[Simon Geary]

The most common problem with GPO's and firewalls is that they usually block
ICMP traffic. A client has to be able to ping a DC before a GPO is
downloaded so no ping means no Group Policies.

 

[Fred Flintstone]

but a firewall should be set to ignore pings from the outside.

 

[Simon Geary]

Exactly my point, if the client cannot ping the DC when connected by VPN the
slow link detection will kick in and prevent GPO's from applying. Can your
clients ping the DC when connected?

 

[Fred Flintstone]

thkns for yr reaction, btw
yes, I can my DC, when I am connected to our LAN, through a VPN.
I have a policy on a OU called "test"
the test-client and the test-laptop are in that OU
but the policies set in that OU are not coming through, just yet
Fred

 

[Fred Flintstone]

when I run gpresult.exe remotely (on the test-laptop) it says that the
client received setting from the test-OU policy, but they are not there.
when I do the same on a locally connected, this test does what it is
supposed to do
Fred

 

[Fred Flintstone]

patience must be worth a fortune
the policy gets there, if you wait long enough
next monday, I will hopefully have some SUS-results as well
have a nice weekend
Fred