Group Policy is not applied due to cached credentials

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic explains how cached credentials can prevent Group Policy from applying correctly.

Cause

When a user successfully logs on to the network, the credentials for that user can be cached on the local computer. If network connectivity problems prevent the user from being authenticated the next time the user logs on to the same computer, these cached credentials can be used to give the user access to resources on that computer. If the computer successfully connects to the network later, the cached credentials can be used to provide access to network resources, including GPOs that are received at the next Group Policy refresh.

If a domain controller is not available when the user logs on, Group Policy cannot be refreshed at logon. In this case, new Group Policy settings will not be applied until a Group Policy refresh occurs while a domain controller is available.

When the logon is done with cached credentials and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging on using cached credentials, folder redirection settings will not be processed because folder redirection policy can only be processed at user logon, not in the background refresh.

Note

Some user settings can only be applied during logon. These include roaming user profile path, Folder Redirection path, and Software Installation settings. If the user is already logged on when these settings are detected, they will not be applied until the next time the user is logged on.

Solution

To avoid using cached credentials in a remote access connection, users should select the Logon using dial-up connection check box on the Windows Logon dialog box. When this option is selected, both User and Computer Group Policy are applied, provided the computer is a member of the domain that the remote access server belongs to or trusts. However, computer-based software installation settings are not processed. Typically, computer policy would have been processed before the logon screen appears, but because no network connection is available until logon, computer policy is applied as a background refresh at the time of logon.
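
To find sessions affected by the behavior described under Cause, the following added example (not part of the original topic) scans an exported list of logon events and reports users whose most recent console logon was validated from cached credentials (logon type 11, CachedInteractive). The CSV column names and the sample rows are constructed for illustration and are not the output format of any particular tool.

```python
import csv
import io

# Logon types as recorded in Windows Security logon events.
INTERACTIVE = 2          # console logon validated by a domain controller
CACHED_INTERACTIVE = 11  # console logon validated from cached credentials

# Settings the Note above lists as applied only during logon.
LOGON_ONLY_SETTINGS = ("roaming user profile path",
                       "Folder Redirection path",
                       "Software Installation")

# Constructed sample export; column names are assumptions for this example.
SAMPLE_EXPORT = """\
time,computer,user,logon_type
2007-03-05T08:01:12,LAPTOP-01,CONTOSO\\alice,2
2007-03-06T08:03:40,LAPTOP-01,CONTOSO\\alice,11
2007-03-06T08:10:02,DESK-07,CONTOSO\\bob,2
2007-03-06T09:15:30,LAPTOP-02,CONTOSO\\carol,11
2007-03-07T08:00:05,LAPTOP-02,CONTOSO\\carol,2
"""

def latest_console_logons(export_text):
    """Return {(computer, user): logon_type} for the newest console logon."""
    latest = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        logon_type = int(row["logon_type"])
        if logon_type not in (INTERACTIVE, CACHED_INTERACTIVE):
            continue  # network, service and batch logons are not relevant here
        key = (row["computer"], row["user"])
        # ISO 8601 timestamps compare correctly as plain strings.
        if key not in latest or row["time"] > latest[key][0]:
            latest[key] = (row["time"], logon_type)
    return {key: value[1] for key, value in latest.items()}

def pending_logon_only_policy(export_text):
    """Sessions whose current logon used cached credentials, so the
    logon-only settings wait for the next logon with a DC available."""
    return sorted(key for key, logon_type
                  in latest_console_logons(export_text).items()
                  if logon_type == CACHED_INTERACTIVE)

if __name__ == "__main__":
    for computer, user in pending_logon_only_policy(SAMPLE_EXPORT):
        print(f"{user} on {computer}: cached logon; not yet applied: "
              + ", ".join(LOGON_ONLY_SETTINGS))
```

A user who later logs on again with a domain controller available (carol in the sample) drops off the list, because the newer logon supersedes the cached one.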