Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5547
Views
0
Helpful
4
Replies

AnyConnect script to force gpupdate

snowmizer
Level 1
Level 1

‎01-18-2011 01:16 PM - edited ‎02-21-2020 05:06 PM

I've created a vbs script file that runs the "gpupdate /force" command and have uploaded it to my ASA (version 8.3(2),  ASDM 6.3(3), AnyConnect client 2.5.2014). My script also has statements that write event log messages as the script is run (e.g. when gpupdate starts and then whether the gpupdate ran successfully). The goal is to have the "gpupdate /force" command run after the user establishes a VPN connection. I also have set up a client profile that enables scripting and have set up my test group to use the client profile I created.

I have also tested the script on the client to make sure it runs. When I run the script manually I see three events: 1) the original log message from my script that the gpupdate is starting, 2) the Windows Scecli event that says the group policy refresh was successful and 3) the last log message from my script that says the refresh completed successfully.

When I connect to my network via the VPN the script and corresponding profile.xml file get downloaded to the client.  When I look at the event log after establishing the VPN connection I see where the script executed however I'm only seeing the two messages from my script (1 and 3 from above) that the gpupdate started and completed successfully. I never see the Windows Scecli event so I know that the gpupdate didn't happen successfully.

Has anyone else used an AnyConnect script to run a "gpupdate /force"? If so how did you make sure the update completed.

Thanks.

1 person had this problem
Labels:
0 Helpful
4 Replies 4

dbgreekas
Level 1
Level 1

‎01-19-2011 03:14 PM

Funny I was thinking of adding something like that to my own scripts..

Just a thought... I assume this script is running after a user logs in with cached credentials while off the network.... I suspect that gpupdate will not run with cached credentials.

0 Helpful

snowmizer
Level 1
Level 1
In response to dbgreekas

‎01-19-2011 03:26 PM

Yeah I thought about that but then wasn't sure because if I log into the VPN and then run the script from the command line it runs fine. Really the only reason I'm trying to do this is because our web filtering solution will not resolve web activity for VPN users by their username unless there's been an authentication type event to send to the domain controller. If we run the gpupdate /force then browse the web our filtering reports show the username instead of the IP address.

Maybe a better way to do what I'm trying to achieve?

0 Helpful

dbgreekas
Level 1
Level 1
In response to snowmizer

‎01-19-2011 04:03 PM

If you just need the authentication then maybe just test for the presence of your sysvol folder.. I saw this in a script that forced the computer to lock if the users credentials are out of sync. Simply trying to access the sysvol should trigger authentication.

sFolderPath = "\\sampledomain.com\SYSVOL"

    On Error Resume Next

    Set oFSO = CreateObject("Scripting.FileSystemObject")

    Set oFolderObject = oFSO.GetFolder(sFolderPath)

    if Err.Number <> 0 then

       TestFolderObject = err.Number

       Err.Clear      ' Clear the error.

    Else

        TestFolderObject = 0

    End if

    Set oFolderObject = Nothing

    Set oFSO = Nothing

0 Helpful

snowmizer
Level 1
Level 1
In response to dbgreekas

‎01-20-2011 06:39 AM

Hummm. Maybe I'll try that. The other script in the samples from Cisco mapped network drives. But I'm not sure that would work either with cached credentials.

Thanks.

0 Helpful
Customers Also Viewed These Support Documents