Cloud Client Connector not honoring AD group policy when not connected to the domain

Solutions ID:    KB4708
Version:    5.0
Status:    Published
Published date:    10/19/2011
Updated:    01/20/2014

Problem Description

Cloud Client Connector not honoring AD group policy when not connected to the domain:
When I log in to the domain, my group-based policy is honored.
If I have a laptop and I undock and go wireless, my group-based policy is honored.
If I reboot my laptop and I am wireless and I do a cached local logon, then my group-based policy is not honored.
If I reboot my laptop and I log on remotely without being able to log on to the domain, then my group-based policy is not honored.
If I start up my computer off the network and connect to the network that has my AD group information, my group-based policy is not honored.


The current version of the client connector and unified agent for Windows should cache Active Directory (AD) group information. This assumes that the client connector/unified agent was installed and that the workstation was connected to the domain, or that it has connected to the domain if the workstation was remote when the client was installed. Please see the additional information below for further details.

Another option is to enable Captive Portal. See for details.


Blue Coat's ThreatPulse Client Connector relies on the underlying operating system to provide user and group information. Windows has the ability to cache logons, so if a user has a laptop that is removed from the domain, the user can still log on to the laptop without the need to contact the domain. This caching mechanism does not cache the logged-on user's group information. It only caches the user's logon credentials.

If a user logs on and is able to contact the domain upon logon, the group information will be stored on the computer. At that point, the Client Connector is able to use the group information obtained by the OS. If that computer is a laptop and the laptop goes wireless, the group information remains cached for a period of time and group-based policy continues to be enforced. If that laptop is rebooted and is not connected to the domain, then none of the group information is available to the Client Connector.

The latest version of the client connector/unified agent has the ability to cache group information. This cached group information can be used for policy decisions while the workstation is remote. The one requirement is that the workstation/laptop needs to connect to the domain at least once so it can get a copy of the groups. If a user goes remote and their group membership changes while they are off the network, they will need to connect back to the AD infrastructure so that their cached groups are updated.
