Updating LastServerQuery value on a locked down workstation
Hello
I tried setting the CacheInterval and MaxOffset via GPO in our environment and found it was not working as expected.
The password reset client would still appear during logon in the task bar.
I discovered that the following registry key didn’t exist on my workstation.
HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions
Following information posted by AnthonyHo, the key needs to be manually created.
http://social.technet.microsoft.com/Forums/en-GB/ilm2/thread/0f9d03aa-72a2-428c-8e03-d1d113d13414
After creating the key and manually registering again, the following QWORD appeared: LastServerQuery
Now GPO works as expected on my test workstation and the cacheinterval and maxoffset from the GPO appear under HKCU\Software\Policies\Microsoft\Forefront Identity Manager\2010\Extensions
It's my understanding that without the LastServerQuery key, cacheinterval and maxoffset have no effect.
In my production environment (school board) we do not allow users (i.e. students) to access / edit the registry on the workstation via a GPO.
How should I go about getting the LastServerQuery value updated?
Otherwise, every time users log in, the password reset client is going to run, hitting my FIM portal.
I'm looking for more information / guidance on the issue above.
Thanks
Bill
April 12th, 2011 11:24am
You can use GP Preferences to roll out Registry settings. Is this an option for you? The clients require the GP Preferences CSE if they're earlier builds than (I think) Vista SP1.
April 12th, 2011 3:03pm
Paul
If you are talking about Group Policy Preference Client Side Extensions for Windows XP (KB943729), then my client workstations have that installed.
Thanks for the tip, I didn't think about doing it that way. If it works then it would solve the issue of creating the key structure.
Bill
April 12th, 2011 3:32pm
Are you saying students have no read-write access to the following registry key?
HKCU\Software\Microsoft\Forefront Identity Manager\2010\Extensions
April 12th, 2011 5:59pm
Students have read access to the registry on the workstations.
Under what user context is the LastServerQuery value updated, i.e. system or the user's account?
April 12th, 2011 6:34pm
User account. It's HKCU :) Thus it has to be the user. I haven't confirmed this, but I think I am correct.
April 12th, 2011 7:22pm
I believe after testing again this morning that I'll be OK in our environment. LastServerQuery value has been updated for the user with the GPO set to block registry editing.
April 13th, 2011 11:00am