Question (asked by JamesEdmonds-7766)

Is it possible to deploy AOVPN user tunnel using GPO

Hi there,

I am deploying an always on VPN server.
As we do not currently use Intune or SCCM, I am hoping to deploy the client side of things using GPOs.

For the user tunnel, the powershell script to create the VPN connection must be run as an admin, but in the user's security context.
Is it possible, to deploy a group policy login script that meets those conditions, and can deploy the VPN profile to the users account?

I am not sure if GP scripts run with admin privileges or not, but my guess is by default they do NOT run as administrator?

Many thanks.
James

Tags: windows-10-network, windows-group-policy, windows-platform-network

Yes, you can. You will have to configure the profile to be deployed in the 'all users' context, then run the PowerShell script as a startup script, not a logon script. There are also third-party solutions that allow you to fully manage Always On VPN profiles using Active Directory and group policy. Feel free to reach out to me directly for more information.


Thanks Richard,

How would one go about adjusting it to be an "AllUsers" connection?
I assume then no special settings on the task are required, just set it to run at startup as NT AUTHORITY\SYSTEM?

Will this allow us to:
1. Connect to the VPN pre-login, in the same way normal all-users VPN connections do (i.e. from the Windows lock screen)?
2. Still have auto connect of the VPN after logon on external (non trusted) networks?

What happens for those users logging into a machine with this deployed who are not VPN authorised? Will it attempt to silently connect in the background and fail?
How will it interact with device tunnels, given those are all AllUsers connections. I thought you could only have the one AllUsers connection, but I may be mistaken.

Many thanks
James

To deploy an Always On VPN profile in the 'all users' context you load the user tunnel ProfileXML in the device context (./Device/Vendor/MSFT/VPNv2 instead of ./User/Vendor/MSFT/VPNv2). To make this easier you can use my PowerShell installation script (https://github.com/richardhicks/aovpn/blob/master/New-AovpnConnection.ps1) and supply the -AllUserConnection parameter. This is the script you'll run as a startup script in Active Directory group policy.

However, deploying the Always On VPN user tunnel in the 'all users' context does not provide pre-logon connectivity, and it won't appear on the Windows lock screen. The user tunnel connection will automatically connect once the user logs on, but it will not be available pre-logon. For that, you will need to deploy the device tunnel.

If a user logs on to the device that is not authorized for VPN, yes, the VPN connection will silently fail in the background.

I've deployed this countless times and typically the device tunnel and user tunnel coexist peacefully. You can have more than one VPN in the 'all users' context, but you can only have one 'always on' device tunnel and user tunnel at a time.

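The following is an added example of the device-context provisioning Richard describes above; it is not code from the thread or from Richard's New-AovpnConnection.ps1. It assumes a finished ProfileXML file already exists at a placeholder path, that the script runs as a GPO computer startup script (i.e. as SYSTEM), and that the profile name is arbitrary.

```powershell
# Added example: provision an Always On VPN user-tunnel ProfileXML in the
# device ('all users') context via the MDM WMI bridge, as a startup script.
# Assumptions: $XmlPath points at a complete ProfileXML (placeholder path),
# and $ProfileName is a placeholder connection name.
param(
    [string]$ProfileName = 'Contoso AOVPN (All Users)',
    [string]$XmlPath     = "$PSScriptRoot\ProfileXML.xml"
)

$ErrorActionPreference = 'Stop'

# Device-context writes to the VPNv2 CSP require SYSTEM, which is what a GPO
# startup script runs as; fail loudly if someone runs this as a logon script.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.User.Value -ne 'S-1-5-18') {
    throw "This script must run as NT AUTHORITY\SYSTEM; current identity: $($identity.Name)"
}

# Idempotency: startup scripts run on every boot, so skip if already present.
$existing = Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Profile '$ProfileName' already exists; nothing to do."
    return
}

if (-not (Test-Path -Path $XmlPath)) {
    throw "ProfileXML not found at $XmlPath"
}

# The CSP expects the ProfileXML escaped inside the MDM instance property.
$profileXml = Get-Content -Path $XmlPath -Raw
$escapedXml = [System.Security.SecurityElement]::Escape($profileXml)
$instanceId = $ProfileName -replace ' ', '%20'

# ParentID is the part that differs from a per-user deployment:
# ./Device/Vendor/MSFT/VPNv2 (all users) instead of ./User/Vendor/MSFT/VPNv2.
$cimParams = @{
    Namespace = 'root\cimv2\mdm\dmmap'
    ClassName = 'MDM_VPNv2_01'
    Property  = @{
        ParentID   = './Device/Vendor/MSFT/VPNv2'
        InstanceID = $instanceId
        ProfileXML = $escapedXml
    }
}

New-CimInstance @cimParams | Out-Null
Write-Output "Created all-users profile '$ProfileName' from $XmlPath."
```

Assign it under Computer Configuration > Policies > Windows Settings > Scripts > Startup; as the thread notes, a profile created this way connects after the user logs on but does not provide pre-logon connectivity, which needs a device tunnel.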

1 Answer

Answered by LimitlessTechnology-2700

Hello JamesEdmonds,

Unfortunately, logon scripts use the interactive user session and can't be set with elevated permissions themselves.

On the other hand, I have never configured it, but theoretically you can deploy Scheduled Tasks through GPO to run that script, and set them to run with elevated rights, either administrator or NT AUTHORITY. Then set the trigger to "At Logon" and "Any User".


Thanks Limitless!
This seems like a neat enough way to achieve this.

Would it be correct to say I would set the run-as user to be the logon user, but tick "Run with Highest Privileges" (I assume this means "Run as administrator")?

Then, just tick "Run in logged-on user's security context"?

I will try to give this a test now to see what happens.

Cheers
James


I've done a quick bit of testing, but I'm not sure this is going to work how we'd like it to.
Unless you can advise specifically how I should be setting it up?

I think computer policy tasks run as admin, not the current user, so that doesn't work.
User policy tasks have no option to run with admin rights ("Run with highest privileges" does not grant admin rights, after a read-up on that option).

Any other thoughts on how this can be achieved in an automated fashion?

Cheers
James


I've manually created a task in Task Scheduler, and have this working if I run it manually whilst logged in as a standard user, but after adding a logon trigger it never seems to fire.
If I can correct that, I have all I need to then move this to a GPO. Any thoughts on what would prevent it from triggering on user login?

Cheers
James
