Knowledge Partner
Knowledge Partner
137 views

Applying a group policy without active network connection?

Hi.

I seem to be missing something. I have a set of windows group policies that are applied to users based upon their network location, which is set as a requirement in the policy.

That mostly works fine, *except* when the policy for the "unknown" location needs to apply in case of the agent/machine not having any network connection at all. According to the zenworks logs, it fails because the agent insists on making a connection to one of the content servers, which of course it can't. Why doesn't it grab the policy from it's cache?

Here's the important log entry:

 

[DEBUG] [12/03/2019 11:19:24.708] [2328] [ZenworksWindowsService] [23] [mrosen] [PolicyManager] [] [policyName = proxy-disable, Success = False, ExplanationID = ActionMan.NoConnectionError.] [] [] [] [ZENworks Agent] 

 

 

That machine had ample of time to cache the policy. Is this not supposed to work?

Also, In the debug logs I see the agent running wild trying to connect to any server like mad, despite the machine clearly having no network connection whatsoever. Windows *does* know that. Why isn't the ZCM Agent smart enough to "believe" windows and stop trying all those futile attempts to resolve dns or connect to some IP when it has no net connection?

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
Labels (2)
4 Replies
Micro Focus Expert
Micro Focus Expert

Re: Applying a group policy without active network connection?

The Agent does not cache policies and bundles simply due to assignment but only when it tries to initially use them.

For a bundle, you can explicitly cache using a "Distribute Schedule" that does not call "Install" or "Launch" action.  It would then be available offline.

I cannot think of any way to "Force Cache" a "Policy" that would only be available when disconnected.

I could replicate the issue using a "Bundle" that distributed the policy files to the GroupPolicy folder and called GPUPdate.  That content could be cached using a "Distribution Schedule" while online.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
Knowledge Partner
Knowledge Partner

Re: Applying a group policy without active network connection?

THanks Craig.

 

Odd we have never hit that issue in almost 10 years using it with Win7. And this sounds like a shortcoming in the product (can't force cache policies like I can with bundles). I was under the impression that this can't be done because policies get cached anywayswhen they're assigned. Note that this policy just doesn't get active because it doesn't meet the requirement.

Sounds like time for an idea...

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes
obiwan Respected Contributor.
Respected Contributor.

Re: Applying a group policy without active network connection?

Hi Massimo & Craig,

1st: Thanks for bringing up a problem that's not new to me, I had this problem in the past with 11.4.x and before... it didn't change for me with 17.4.1.

I agree with the idea about the ability to push a policy to cache... However I had to workaround it whenever possible, luckily there is not much I have to push: The main thing was... user proxy settings... (we use proxy setting by user).

For this one I made a bunch of bundles:

- For every setting ( I have 3: no proxy, internal default proxy and a 3rd one) there's a bundle having the action (registry changes+start my small .exe to notify about the change), no requirements are set (to make sure they will distribute) and assignments are only set to distribute.

- Each of these bundles has 2 parent bundles who are responsible for triggering the action depending on the requirements set (network location). I have two of them because I had trouble in the past trying multiple  schedules, so one will fire at user login and the other is triggered by network change.

This works like a charm for years now.

I'm using those "content- and trigger-bundles" for a long time and for several reasons now (another one would be a better distribution for OnBoot-Bundles or just predistribute a software roll-out/update to be able to distribute before requirements are met)

 

But finally back to policies: The "Unknown Network" causes some unwanted errors by Branding Policies, we have 2 slightly different policies for ZAPP. And the problem is the same, as long as no content is available it will trigger those errors. Once it can be picked up it's ok ... anyways of course it stopped by thought about having a having anotgher policy with a requirement of "connected=no" 😉

Just my thoughts...

 

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Applying a group policy without active network connection?

Note: I did confirm with Dev that it will only cache when it passed system requirements and needed to run.  They are not sure how it would have ever worked in the past.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.