Hello all



All of our domain controllers are running windows 2012, and all clients are running either Windows 7 sp1 or windows 8.1. clients use Cisco anyconnect  version 3.1.1065. 

From my understanding one of the things  NLA is able to do is its able to reconcile the token with the domain controller if the network status (reachability of the DC) changes. The cached token will be replaced by a "real" token when the VPN is started.  We are noticing that when users VPN into the network, they are picking up group membership changes right away.  This would mean that my above understanding of what NLA can do is correct, however i cannot find anything on my searches that would backup my understanding. 

Please let me know if my understanding is correct, and if so please provide me a document that describes this behavior

Thank you

Hi,

NLA aggregates the network information available to the PC and generates a globally unique identifier (GUID) to identify each network the PC is connected to. It can indicate that the domain controller (DC) of the domain for which the computer is a member has authenticated the computer. However, an access token is created by the Local Security Authority (LSA) when a user is authenticated.

Regarding NLA, the following articles can be referred to for more information.

Longhorn Network Location Awareness Service

https://msdn.microsoft.com/en-us/library/aa480195.aspx

Network Location Awareness

https://technet.microsoft.com/en-us/library/cc753545(v=ws.10).aspx

Regarding access token, the following article can be referred to for more information.

What Are Access Tokens?

https://technet.microsoft.com/en-us/library/cc759267(v=ws.10).aspx

How Access Tokens Work

https://technet.microsoft.com/en-us/library/cc783557(v=ws.10).aspx

Best regards,
Frank Shen