We are having an issue at my company with Group Policy Enforcement at the moment (particularly when passwords are due to expire).
Basically we have MEE installed and have Single Sign On configured so that the user enters their username and password at the Safeboot Pre-Logon Operating System stage and this is presented to the MsGina and takes them into Windows. The problem is this passes the username and password so quickly to the Windows logon box that the machine hasn't yet contacted a Domain Controller, so people are always logging in with locally stored cached credentials - hence when AD passwords have expired they are not notified and can't print etc.
Does anyone know a way of changing the amount of time (increasing) it takes Safeboot to pass the logon credentials to the Windows dll? I've had a look in the sbgina.ini but nothing jumps out at me.
This can be controlled through GPO. The setting is called "Always Wait for the Network at Computer Startup and Logon". It requires that your client is running Windows XP or Windows Vista.
The policy can be found under: Computer Configuration\Administrative Templates\System\Logon
The description as defined by Microsoft for this policy is:
Determines whether Windows XP waits for the network during computer startup and user logon. By default, Windows XP does not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background once the network becomes available.
Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.
If a user with a roaming profile, home directory, or user object logon script logs on to a computer, Windows XP always waits for the network to be initialized before logging the user on.
If a user has never logged on to this computer before, Windows XP always waits for the network to be initialized.
If you enable this setting, logons are performed in the same way as for Windows 2000 clients, in that Windows XP waits for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.
If you disable or do not configure this setting, Windows does not wait for the network to be fully initialized and users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
Note: If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this setting to ensure that Windows waits for the network to be available before applying policy.
Note: For servers, the startup and logon processing always behaves as if this policy setting is enabled.
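As an added example (not part of the thread), the PowerShell below audits whether the setting described above is in effect on a machine and can apply it locally where a domain GPO is not available. It assumes the policy maps to the SyncForegroundPolicy DWORD under the Winlogon policies key, which is the value Windows writes for this setting but is not stated in the thread.

```powershell
# Added example: audit/apply "Always wait for the network at computer startup and logon".
# Assumption (from Windows documentation, not from this thread): the policy is stored as
# the SyncForegroundPolicy DWORD under the Winlogon policies key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyName = 'SyncForegroundPolicy'

function Get-WaitForNetworkPolicy {
    # Returns an object describing the current state of the setting on this machine.
    $value = $null
    if (Test-Path $PolicyKey) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }
    $verdict = if ($value -eq 1) { 'Waits for network: logon is synchronous, expired AD passwords are caught' }
               else { 'Not configured or disabled: logon may complete with cached credentials' }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = ($null -ne $value)
        Enabled      = ($value -eq 1)
        RawValue     = $value
        Verdict      = $verdict
    }
}

function Set-WaitForNetworkPolicy {
    # Enables the setting locally (for machines outside the domain GPO scope, e.g. a lab box).
    # On a domain member the GPO setting wins at the next policy refresh.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set to 1')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
    }
}

# Audit first; only write the value if the check shows the setting is missing.
$state = Get-WaitForNetworkPolicy
$state | Format-List
if (-not $state.Enabled) {
    Set-WaitForNetworkPolicy -WhatIf   # remove -WhatIf to actually apply
}
```

After the GPO has been applied, running the audit function across the Safeboot clients confirms the setting reached every machine before you rely on it for password-expiry prompts.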