01-18-2011 01:16 PM - edited 02-21-2020 05:06 PM
I've created a vbs script file that runs the "gpupdate /force" command and have uploaded it to my ASA (version 8.3(2), ASDM 6.3(3), AnyConnect client 2.5.2014). My script also has statements that write event log messages as the script is run (e.g. when gpupdate starts and then whether the gpupdate ran successfully). The goal is to have the "gpupdate /force" command run after the user establishes a VPN connection. I also have set up a client profile that enables scripting and have set up my test group to use the client profile I created.
I have also tested the script on the client to make sure it runs. When I run the script manually I see three events: 1) the original log message from my script that the gpupdate is starting, 2) the Windows Scecli event that says the group policy refresh was successful and 3) the last log message from my script that says the refresh completed successfully.
When I connect to my network via the VPN, the script and corresponding profile.xml file get downloaded to the client. When I look at the event log after establishing the VPN connection, I see that the script executed; however, I'm only seeing the two messages from my script (1 and 3 from above) that the gpupdate started and completed successfully. I never see the Windows Scecli event, so I know that the gpupdate didn't happen successfully.
Has anyone else used an AnyConnect script to run a "gpupdate /force"? If so, how did you make sure the update completed?
Thanks.
01-19-2011 03:14 PM
Funny, I was thinking of adding something like that to my own scripts.
Just a thought... I assume this script is running after a user logs in with cached credentials while off the network... I suspect that gpupdate will not run with cached credentials.
01-19-2011 03:26 PM
Yeah, I thought about that, but then wasn't sure, because if I log into the VPN and then run the script from the command line it runs fine. Really, the only reason I'm trying to do this is because our web filtering solution will not resolve web activity for VPN users by their username unless there's been an authentication-type event to send to the domain controller. If we run the gpupdate /force and then browse the web, our filtering reports show the username instead of the IP address.
Maybe there's a better way to do what I'm trying to achieve?
01-19-2011 04:03 PM
If you just need the authentication, then maybe just test for the presence of your sysvol folder. I saw this in a script that forced the computer to lock if the user's credentials are out of sync. Simply trying to access the sysvol should trigger authentication.
' Returns 0 if the folder can be opened, otherwise the VBScript error number.
Function TestFolderObject(sFolderPath)
    Dim oFSO, oFolderObject
    On Error Resume Next
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFolderObject = oFSO.GetFolder(sFolderPath)
    If Err.Number <> 0 Then
        TestFolderObject = Err.Number   ' e.g. path not found or access denied
        Err.Clear ' Clear the error.
    Else
        TestFolderObject = 0
    End If
    Set oFolderObject = Nothing
    Set oFSO = Nothing
End Function

' Trying to open SYSVOL forces the client to authenticate to a domain controller.
sFolderPath = "\\sampledomain.com\SYSVOL"
WScript.Echo "SYSVOL test result: " & TestFolderObject(sFolderPath)
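The following is an added example, not code from the original poster, the reply above, or Cisco's sample scripts. It combines the two ideas in the thread: it first touches the domain SYSVOL share so the client authenticates to a domain controller over the tunnel, then runs "gpupdate /force" and writes gpupdate's actual exit code and output to the Application event log, rather than only "started" and "finished" messages. It assumes sampledomain.com is a placeholder for your own AD domain, that the script runs in the logged-on user's context once the tunnel is up (as the thread describes for an AnyConnect client-profile script), and that gpupdate prints its English messages; the text match on the output is locale dependent, the exit code check is not.

```vbscript
' Added example (not from the thread): authenticate via SYSVOL, then run
' gpupdate /force and record its real outcome in the Application event log.
' Assumptions: sampledomain.com is a placeholder domain; the script runs as
' the logged-on user after the VPN tunnel is established.
Option Explicit

Const EVT_SUCCESS = 0   ' WshShell.LogEvent event types
Const EVT_ERROR   = 1
Const EVT_INFO    = 4

Dim oShell, sSysvol, nErr, oExec, sOut, bOk
Set oShell = CreateObject("WScript.Shell")
sSysvol = "\\sampledomain.com\SYSVOL"   ' placeholder domain, replace with your own

' Step 1: reach SYSVOL so the client authenticates to a DC through the VPN.
nErr = TestFolderObject(sSysvol)
If nErr <> 0 Then
    oShell.LogEvent EVT_ERROR, "VPN OnConnect: cannot reach " & sSysvol & _
        " (error " & nErr & "); not running gpupdate"
    WScript.Quit nErr
End If
oShell.LogEvent EVT_INFO, "VPN OnConnect: reached " & sSysvol & ", running gpupdate /force"

' Step 2: run gpupdate, wait for it to finish and capture its output.
Set oExec = oShell.Exec("gpupdate /force")
sOut = oExec.StdOut.ReadAll        ' blocks until gpupdate closes its stdout
Do While oExec.Status = 0          ' 0 = still running; wait for the exit code
    WScript.Sleep 200
Loop

' Step 3: count the run as successful only if the exit code is 0 AND both
' the computer and the user policy reported success in the output.
bOk = (oExec.ExitCode = 0) And PolicyCompleted(sOut, "Computer Policy") _
      And PolicyCompleted(sOut, "User Policy")
If bOk Then
    oShell.LogEvent EVT_SUCCESS, "VPN OnConnect: gpupdate /force completed" & vbCrLf & sOut
Else
    oShell.LogEvent EVT_ERROR, "VPN OnConnect: gpupdate /force did not complete (exit code " & _
        oExec.ExitCode & ")" & vbCrLf & sOut
    WScript.Quit 1
End If

' True if gpupdate's (English) output contains
' "<sPolicy> update has completed successfully".
Function PolicyCompleted(sText, sPolicy)
    PolicyCompleted = (InStr(1, sText, sPolicy & " update has completed successfully", vbTextCompare) > 0)
End Function

' Returns 0 if sFolderPath can be opened, otherwise the VBScript error number
' (e.g. path not found or access denied), clearing the error state afterwards.
Function TestFolderObject(sFolderPath)
    Dim oFSO, oFolderObject
    On Error Resume Next
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFolderObject = oFSO.GetFolder(sFolderPath)
    If Err.Number <> 0 Then
        TestFolderObject = Err.Number
        Err.Clear
    Else
        TestFolderObject = 0
    End If
    On Error GoTo 0
    Set oFolderObject = Nothing
    Set oFSO = Nothing
End Function
```

Deploy it the way the thread describes (uploaded to the ASA with a client profile that enables scripting). The script's own error event then tells you whether gpupdate itself reported a failed user or computer policy refresh; the Windows Scecli event the original poster is watching for remains the authoritative sign that policy was actually applied, so both should be checked when troubleshooting a refresh that silently does nothing over the VPN.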
01-20-2011 06:39 AM
Hummm. Maybe I'll try that. The other script in the samples from Cisco mapped network drives, but I'm not sure that would work either with cached credentials.
Thanks.