Managing Group Policy Processing and Refresh

In Group Policy, policy settings are divided into two categories: Computer Configuration and User Configuration. Computer Configuration settings are applied during startup of the operating system. User Configuration settings are applied when a user logs on to a computer. Because User Configuration settings are applied after Computer Configuration settings, User Configuration settings have precedence over Computer Configuration settings by default. This means that if there is a conflict between computer and user settings, user settings have priority and take precedence.

Once policy settings are applied, the settings are refreshed automatically to ensure they are current. During Group Policy refresh, the client computer contacts an available domain controller in its local site. If one or more of the policy objects defined in the domain have changed, the domain controller provides a list of all the policy objects that apply to the computer and to the user who is currently logged on, as appropriate. The domain controller does this regardless of whether the version numbers on all the listed policy objects have changed. By default, the computer processes the policy objects only if the version number of at least one of the policy objects has changed. If any one of the related policies has changed, all of the policies have to be processed again because of inheritance and the interdependencies within policies.

Security settings are a notable exception to the processing rule. By default, these settings are refreshed every 16 hours (960 minutes) regardless of whether policy objects contain changes. A random offset of up to 30 minutes is added to reduce impact on domain controllers and the network during updates (making the effective refresh window 960 to 990 minutes). Also, if the client computer detects that it is connecting over a slow network connection, it informs the domain controller and only the Security Settings and Administrative Templates are transferred over the network, which means that by default only the security settings and Administrative Templates are applied when a computer is connected over a slow link. The way slow link detection works is configurable in policy.

Note

A major factor affecting the way refresh works is link speed. If the computer detects that it is using a slow connection (the exact definition of which is configurable in Group Policy), the computer modifies the way policy changes are processed. Specifically, if a client computer detects that it is using a slow network connection, only the security settings and administrative templates are processed. Although there is no way to turn off processing of security settings and administrative templates, you can configure other areas of policy so that the related settings are processed even across a slow network connection.

You have many options for customizing or optimizing Group Policy processing and refresh in your environment. Key tasks you might want to perform include the following:

  • Changing the default refresh interval

  • Enabling or disabling policy object processing completely or by setting category

  • Changing the processing preference for user and computer settings

  • Configuring slow link detection and subsequent processing

  • Manually refreshing Group Policy

We will explore these techniques in the sections that follow.

Tip

When you work with Group Policy processing and refresh, you might also want to know which policy objects have been applied and when the last policy refresh occurred on a particular computer. For details, see the section titled "Determining the Effective Group Policy Settings and Last Refresh" later in this chapter.

Changing the Refresh Interval

Once Group Policy is applied, it is periodically refreshed to ensure that it is current. The default refresh interval for domain controllers is 5 minutes. For all other computers, the default refresh interval is 90 minutes, with up to a 30-minute variation to avoid overloading the domain controller with numerous concurrent client requests. This means an effective refresh window for non-domain controller computers of 60 to 120 minutes.

Wondering when you might want to change the refresh interval? In a large organization with many computers, you might want to reduce policy-related resource usage on your domain controllers or you might want to reduce policy-related traffic on your network. There is a careful balance to be found between the update frequency and the actual rate of policy change. If policy is changed infrequently, you might want to increase the refresh window to reduce resource usage. For example, you might want to use a refresh interval of 15 minutes on domain controllers and 120 minutes on other computers.

You can change the Group Policy refresh interval on a per-policy object basis. To set the refresh interval for domain controllers, complete the following steps:

  1. In the GPMC, right-click the Group Policy Object you want to modify, and then select Edit. This should be a GPO linked to a container that contains domain controller computer objects.

  2. Double-click the Group Policy Refresh Interval For Domain Controllers policy in the Computer Configuration\Administrative Templates\System\Group Policy folder. This displays a Properties dialog box for the policy, as shown in Figure 3-9.

    Figure 3-9. Configuring the refresh interval for domain controllers

  3. Define the policy by selecting Enabled.

  4. Use the first Minutes combo box to set the base refresh interval. You will usually want this value to be between 5 and 59 minutes.

    Tip

    A faster refresh rate reduces the possibility that a domain controller won’t have the most current policy configuration. A slower refresh rate reduces the frequency of policy refresh (which can also reduce overhead with regard to resource usage) but it also increases the possibility that a domain controller won’t have the most current policy configuration.

  5. Use the other Minutes combo box to set the minimum and maximum time variation for the refresh interval. The variation effectively creates a refresh window with the goal of avoiding overload because of numerous simultaneous client requests for Group Policy refresh.

  6. Click OK.

To set the refresh interval for non-domain controller computers (member servers and workstations), complete the following steps:

  1. In the GPMC, right-click the Group Policy Object you want to modify, and then select Edit. This should be a GPO linked to a container that contains computer objects.

  2. Double-click the Group Policy Refresh Interval For Computers policy in the Computer Configuration\Administrative Templates\System\Group Policy folder. This displays a Properties dialog box for the policy, as shown in Figure 3-10.

    Figure 3-10. Configuring the refresh interval for member servers and workstations

  3. Define the policy by selecting Enabled.

  4. Use the first Minutes combo box to set the base refresh interval. You will usually want this value to be between 60 and 180 minutes.

    Tip

    A faster refresh rate reduces the possibility that a computer won’t have the most current policy configuration. A slower refresh rate reduces the frequency of policy refresh (which can also reduce overhead with regard to resource usage) but it also increases the possibility that a computer won’t have the most current policy configuration.

  5. Use the other Minutes combo box to set the minimum and maximum time variation for the refresh interval. The variation effectively creates a refresh window with the goal of avoiding overload because of numerous simultaneous client requests for Group Policy refresh.

  6. Click OK.
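The same two policies can be set from a script instead of the GPMC dialogs. The following is an added example (not code from the book) that uses the GroupPolicy PowerShell module to write the registry values behind the Group Policy Refresh Interval policies, warns when a value falls outside the ranges recommended above, and reports the refresh window the variation produces. It assumes the GroupPolicy module (installed with the GPMC) is available, that the caller can edit the GPOs, and that the GPO names used at the bottom are placeholders for your own.

```powershell
# Added example: set the refresh-interval policies with the GroupPolicy module.
Import-Module GroupPolicy

# The refresh-interval Administrative Template policies are registry backed; these are
# the value names they write under the System policy key (DC values carry a "DC" suffix).
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

function Set-GPRefreshInterval {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('DomainController', 'Computer')][string]$Scope,
        [Parameter(Mandatory)][ValidateRange(0, 64800)][int]$IntervalMinutes,
        [ValidateRange(0, 1440)][int]$OffsetMinutes = 30
    )
    $suffix = if ($Scope -eq 'DomainController') { 'DC' } else { '' }
    $values = @{
        "GroupPolicyRefreshTime$suffix"       = $IntervalMinutes
        "GroupPolicyRefreshTimeOffset$suffix" = $OffsetMinutes
    }

    # Sanity check against the ranges recommended in the steps above
    # (5-59 minutes for domain controllers, 60-180 minutes for other computers).
    $recommended = if ($Scope -eq 'DomainController') { 5..59 } else { 60..180 }
    if ($IntervalMinutes -notin $recommended) {
        Write-Warning "$IntervalMinutes minutes is outside the usual $Scope range ($($recommended[0])-$($recommended[-1]))."
    }

    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$GpoName : $name", "set to $($values[$name])")) {
            Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
                -Type DWord -Value $values[$name] | Out-Null
        }
    }

    # Report the effective refresh window (interval minus/plus the variation).
    [pscustomobject]@{
        Gpo       = $GpoName
        Scope     = $Scope
        Interval  = $IntervalMinutes
        Offset    = $OffsetMinutes
        WindowMin = [math]::Max(0, $IntervalMinutes - $OffsetMinutes)
        WindowMax = $IntervalMinutes + $OffsetMinutes
    }
}

# Usage with the values suggested earlier (GPO names are placeholders):
Set-GPRefreshInterval -GpoName 'Default Domain Controllers Policy' -Scope DomainController -IntervalMinutes 15 -OffsetMinutes 5
Set-GPRefreshInterval -GpoName 'Workstation Baseline' -Scope Computer -IntervalMinutes 120 -OffsetMinutes 30

# Read back what the GPO now carries:
Get-GPRegistryValue -Name 'Workstation Baseline' -Key $PolicyKey
```

Because the function supports -WhatIf, you can preview the registry writes before committing them to a production GPO. Link the GPO to a container that holds the intended computer objects exactly as you would after editing it in the GPMC; the script changes only the GPO's contents, not its links.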

Enabling or Disabling GPO Processing

You can enable or disable processing of policy objects either completely or partially. Completely disabling a policy object is useful if you no longer need a policy but might need to use it again in the future, or if you’re troubleshooting policy processing problems. Partially disabling a policy object is useful when you want the related policy settings to apply to either users or computers but not both.

Tip

By partially disabling policy, you can ensure that only the per-computer policy settings or only the per-user policy settings are applied. In cases in which you are trying to speed up policy processing, you might also want to disable user or computer settings. However, you should only do this when you’ve fully determined the impact of this change on your environment.

You can enable and disable policies partially or entirely by completing the following steps:

  1. In the GPMC, select the container for the site, domain, or OU with which you want to work.

  2. Select the policy object you want to work with, and then click the Details tab in the right pane (Figure 3-11).

    Figure 3-11. The current GPO status is shown on the Details tab

  3. Use the GPO Status list to choose one of the following status settings:

    • Enabled. Allows processing of the policy object and all its settings

    • All Settings Disabled. Disallows processing of the policy object and all its settings

    • Computer Configuration Settings Disabled. Disables processing of Computer Configuration settings; this means only User Configuration settings are processed

    • User Configuration Settings Disabled. Disables processing of User Configuration settings; this means only Computer Configuration settings are processed

  4. When prompted to confirm that you want to change the status of this GPO, click OK.
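The GPO Status setting is also exposed by the GroupPolicy PowerShell module, which makes it easy to audit which policy objects are wholly or partly disabled before assuming a setting is in force. The following is an added example, not code from the book; it assumes the GroupPolicy module is installed, that the caller can edit GPOs, and that 'Workstation Baseline' is a placeholder GPO name.

```powershell
# Added example: audit and change GPO processing status with the GroupPolicy module.
Import-Module GroupPolicy

# GpoStatus takes one of: AllSettingsEnabled, AllSettingsDisabled,
# ComputerSettingsDisabled, UserSettingsDisabled (the four GPMC choices).
function Get-GPOProcessingStatus {
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Id              = $_.Id
            GpoStatus       = $_.GpoStatus
            Modified        = $_.ModificationTime
            ComputerVersion = $_.Computer.DSVersion
            UserVersion     = $_.User.DSVersion
        }
    }
}

# List every GPO that is not fully enabled.
Get-GPOProcessingStatus | Where-Object GpoStatus -ne 'AllSettingsEnabled' | Format-Table -AutoSize

function Set-GPOProcessingStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet('AllSettingsEnabled', 'AllSettingsDisabled', 'ComputerSettingsDisabled', 'UserSettingsDisabled')]
        [string]$Status
    )
    $gpo = Get-GPO -Name $Name
    if ($PSCmdlet.ShouldProcess($Name, "change GpoStatus from $($gpo.GpoStatus) to $Status")) {
        # Assigning the property writes the new status back to the GPO.
        $gpo.GpoStatus = $Status
    }
    Get-GPO -Name $Name | Select-Object DisplayName, GpoStatus
}

# Partially disable a GPO so only its Computer Configuration half is processed
# (the "User Configuration Settings Disabled" choice in the GPMC).
Set-GPOProcessingStatus -Name 'Workstation Baseline' -Status UserSettingsDisabled
```

Run the audit function periodically: a GPO that carries security settings but shows AllSettingsDisabled or ComputerSettingsDisabled is a common reason why a setting you expect on clients is not there.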

Changing Policy Processing Preferences

In Group Policy, Computer Configuration settings are processed when a computer starts and accesses the network. User Configuration settings are processed when a user logs on to the network. When there is a conflict between settings in both Computer Configuration and User Configuration, the Computer Configuration settings win. It is also important to point out that computer settings are applied from the computer’s GPOs and the user settings are applied from the user’s GPOs.

In some special situations, you might not want this behavior. In a secure lab or kiosk environment, you might want the user settings to be applied from the computer’s GPOs to ensure compliance with the strict security rules and guidelines for the lab. On a shared computer, you might want the user settings to be applied from the computer’s GPOs but also allow the user settings from the user’s GPOs to be applied. Using loopback processing, you can allow for these types of exceptions and obtain user settings from a computer’s GPOs.

While specific scenarios and additional details are covered in Chapter 12, you can change the way loopback processing works by completing the following steps:

  1. In the GPMC, right-click the Group Policy you want to modify, and then select Edit.

  2. Double-click the User Group Policy Loopback Processing Mode policy in the Computer Configuration\Administrative Templates\System\Group Policy folder. This displays a Properties dialog box for the policy (Figure 3-12).

    Figure 3-12. Enabling the policy and then setting the mode to either Replace or Merge

  3. Define the policy by selecting Enabled, and then use the Mode list to select one of these processing modes:

    • Replace. When you use the Replace option, the user settings from the computer’s GPOs are processed, and the user settings in the user’s GPOs are not processed. The user settings from the computer’s GPOs replace the user settings normally applied to the user.

    • Merge. When you use the Merge option, the user settings in the computer’s GPOs are processed first, the user settings in the user’s GPOs are processed next, and then the user settings in the computer’s GPOs are processed again. This processing technique serves to combine the user settings in both the computer and user GPOs. If there are any conflicts, the user settings in the computer’s GPOs have preference and overwrite the user settings in the user’s GPOs.

  4. Click OK.

Tip

When you work with Group Policy, it is important to note the level of support for the policies you are working with. The User Group Policy Loopback Processing Mode policy is supported by all computers running Windows 2000 or later. This means computers running Windows 2000, Windows XP Professional, Microsoft Windows Server 2003, and later versions of the Windows operating system support this policy.

Configuring Slow Link Detection

Active Directory uses slow link detection to help reduce network traffic during periods of high latency. This feature is used by Group Policy clients to detect when there is increased latency and reduced responsiveness on the network and to take corrective action to reduce the likelihood that processing of Group Policy will further saturate the network. Once a slow link is detected, Group Policy clients reduce their network communications and requests to reduce the overall network traffic load by limiting the amount of policy processing they do.

Slow Link Detection

Client computers use a specific technique to determine whether they are using a slow network connection. In most cases, the client computer sends a ping to the domain controller to which it is connected. The response time from the domain controller (which is an indicator of latency) determines the next step. If the response time from any of the pings is 10 milliseconds or less, the client maintains or resumes processing of Group Policy following normal (full) procedures. If the response time from the domain controller is more than 10 milliseconds, the computer does the following:

  1. Pings the domain controller three times with a 2-KB message packet

  2. Uses the average response time to determine the network speed

By default, if the connection speed is determined to be less than 500 kilobits per second (which could also be interpreted as high latency/reduced responsiveness on a fast network), the client computer interprets this as indicating a slow network connection and notifies the domain controller. As a result, only security settings and administrative templates in the applicable policy objects are sent by the domain controller during policy refresh.

You can configure slow link detection using the Group Policy Slow Link Detection policy, which is stored in the Computer Configuration\Administrative Templates\System\Group Policy folder. If you disable this policy or do not configure it, clients use the default value of 500 kilobits per second to determine whether they are on a slow link. If you enable this policy, you can set a specific slow link value, such as 256 kilobits per second.

Tip

The only way to disable slow link detection completely is to enable the Group Policy Slow Link Detection policy and then set the Connection Speed option to 0. This setting effectively tells clients not to detect slow links and to consider all links to be fast.
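On a client it is useful to confirm which of these values actually arrived, rather than trusting the GPO as edited. The following is an added example, not code from the book, that reads the registry values behind the refresh interval policies (described earlier in this chapter), the User Group Policy Loopback Processing Mode policy, and the Group Policy Slow Link Detection policy, and interprets them using the defaults and meanings given in the text. It assumes the standard registry locations these Administrative Template policies write to (the value names GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, their DC-suffixed variants, UserPolicyMode and GroupPolicyMinTransferRate under the System policy key); the chapter gives no default variation for domain controllers, so 0 is assumed there.

```powershell
# Added example: show the refresh, loopback and slow-link values a client has received.
$SystemPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-GPClientProcessingConfig {
    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in @(4, 5)
    $p = if (Test-Path $SystemPolicy) { Get-ItemProperty -Path $SystemPolicy } else { $null }

    # Refresh interval: chapter defaults are 5 min for DCs and 90 +/- 30 min for others.
    $suffix   = if ($isDC) { 'DC' } else { '' }
    $interval = $p."GroupPolicyRefreshTime$suffix"
    $offset   = $p."GroupPolicyRefreshTimeOffset$suffix"
    $source   = if ($null -eq $interval) { 'default' } else { 'policy' }
    if ($null -eq $interval) { $interval = if ($isDC) { 5 } else { 90 } }
    if ($null -eq $offset)   { $offset   = if ($isDC) { 0 } else { 30 } }   # DC default assumed

    # Slow link threshold in kbps: absent = 500 kbps default, 0 = detection disabled.
    $minRate = $p.GroupPolicyMinTransferRate
    $slowLink = if ($null -eq $minRate) { 'not configured: below 500 kbps is treated as slow'
    } elseif ($minRate -eq 0) { 'disabled: every link is treated as fast'
    } else { "configured: below $minRate kbps is treated as slow" }

    # Loopback mode: 1 = Merge, 2 = Replace, absent or 0 = loopback not in use.
    $mode = $p.UserPolicyMode
    $loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        RefreshInterval    = "$interval min +/- $offset ($source)"
        RefreshWindow      = "$([math]::Max(0, $interval - $offset))-$($interval + $offset) min"
        SlowLinkDetection  = $slowLink
        LoopbackMode       = $loopback
    }
}

Get-GPClientProcessingConfig | Format-List
```

A slow link threshold of 0 reported here means that every link is treated as fast and the full set of policy areas is processed, which matters when you are troubleshooting a client that seems to receive only security settings and Administrative Templates.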

You can optimize slow link processing for various areas of Group Policy as well. To do this, you use the following policies also found in the Computer Configuration\Administrative Templates\System\Group Policy folder:

  • Disk Quota Policy Processing. By default, updates to policy settings for disk quotas are not processed over slow links. This doesn’t, however, change the meaning of or enforcement of any current disk quotas defined in policy. Previously obtained policy settings for disk quotas are still enforced.

  • EFS Recovery Policy Processing. By default, updates to policy settings for EFS recovery are not processed over slow links. This doesn’t, however, change the meaning of or enforcement of any current EFS recovery options defined in policy. Previously obtained policy settings for EFS recovery are still valid and enforced. Note that some documentation states that the only time EFS recovery policy is not refreshed is when you specifically elect not to apply the related policy settings during periodic refresh. Based on testing, this appears to be the case, but future service packs and changes to Group Policy might modify this behavior.

  • Folder Redirection Policy Processing. By default, updates to policy settings for folder redirection are not processed over slow links. Note that folder redirection settings are only read and applied during logon. Thus, if a user connects over a slow network during logon, the folder redirection settings will not apply by default, and the user’s folders will not be subsequently redirected. This is typically the desired behavior, especially if users are connecting via dial-up or another slow remote connection.

  • Internet Explorer Maintenance Policy Processing. By default, updates to policy settings for Microsoft Internet Explorer maintenance are not processed over slow links. If it is important to the safety and security of the network to always have the most current Internet Explorer maintenance settings, you can allow processing across a slow network connection. This ensures that the settings are the most current possible given the current Group Policy refresh rate.

  • IP Security Policy Processing. By default, updates to policy settings for IP Security are not processed over slow links. This doesn’t, however, change the meaning of or enforcement of any current IP Security policies. Previously obtained policy settings for IP Security are still valid and enforced. Note that some documentation states that the only time IP Security policy is not refreshed is when you specifically elect not to apply the related policy settings during periodic refresh. Based on testing, this appears to be the case, but future service packs and changes to Group Policy might modify this behavior.

  • Scripts Policy Processing. By default, updates to policy settings for scripts are not processed over slow links. Note that policy-defined scripts are executed only when specific events occur, such as logon, logoff, shutdown, or startup.

  • Security Policy Processing. Updates to policy settings for security are always processed regardless of the type of link. By default, security policy is refreshed every 16 hours even if security policy has not changed. The only way to stop the forced refresh is to configure security policy processing so that it is not applied during periodic background refresh. To do this, select the policy setting Do Not Apply During Periodic Background Processing. Because security policy is so important, however, the Do Not Apply setting only means security policy processing is stopped when a user is logged on and using the machine. One of the only reasons you’ll want to stop security policy refresh is if applications are failing during refresh.

  • Software Installation Policy Processing. By default, updates to policy settings for software installation are not processed over slow links. This means new deployments of or updates to software are not made available to users who connect over slow links. This is typically a good thing because deploying or updating software over a slow link can be a very long process.

  • Wireless Policy Processing. By default, updates to policy settings for wireless networking are not processed over slow links. This doesn’t, however, change the meaning of or enforcement of any current wireless policies. Previously obtained policy settings for wireless networking are still valid and enforced.

Note

Background processing (periodic refresh) can also be controlled for some of these policy areas. See the "Managing Group Policy Processing and Refresh" section in this chapter.

Configuring Slow Link Detection and Slow Link Policy Processing

You can configure slow link detection and related policy processing by completing the following steps:

  1. In the GPMC, right-click the policy object you want to modify, and then select Edit.

  2. Double-click the Group Policy Slow Link Detection policy in the Computer Configuration\Administrative Templates\System\Group Policy folder.

  3. Select Enabled to define the policy, as shown in Figure 3-13, and then use the Connection Speed combo box to specify the speed that should be used to determine whether a computer is on a slow link. For example, if you want connections of less than 256 kilobits per second to be deemed as slow, type 256. If you want to disable slow link detection completely for this policy object, type 0.

    Figure 3-13. Enabling and configuring the Group Policy Slow Link Detection policy

  4. Click OK.

Configuring Slow Link and Background Policy Processing

You can optimize slow link and background processing (refresh) of key areas of Group Policy using policies in the Computer Configuration\Administrative Templates\System\Group Policy folder. The key configuration options available include:

  • Allow Processing Across A Slow Network Connection. Ensures that the extension settings are processed even on a slow network

  • Do Not Apply During Periodic Background Processing. Overrides refresh when extension settings change after startup or logon

  • Process Even If The Group Policy Objects Have Not Changed. Forces the client computer to process the extension settings during refresh even if the settings haven’t changed

Tip

Although the security area of Group Policy is refreshed in full every 16 hours by default, the other areas of Group Policy are not. For these areas, only policy settings that have changed are refreshed. It is therefore sometimes necessary to force clients to reprocess policy settings even if they haven’t changed on the server. Consider the case in which a local OU administrator has made changes to a local computer that might affect how the computer operates. If the local admin has modified the registry or another area of the operating system directly, these changes won’t be reflected as changes to Group Policy. To try to overwrite and fix these types of changes, you might want to reapply Group Policy from a domain controller as discussed in the next section. As long as Group Policy writes to the related area of the registry or the operating system configuration in general, the problem will be resolved.

To configure slow link and background policy processing of key areas of Group Policy, complete these steps:

  1. In the GPMC, right-click the policy object you want to modify, and then select Edit.

  2. Expand Computer Configuration\Administrative Templates\System\Group Policy.

  3. Double-click the policy you want to configure. The key policies for controlling slow link and background policy processing include:

    • Disk Quota Policy Processing

    • EFS Recovery Policy Processing

    • Folder Redirection Policy Processing

    • Internet Explorer Maintenance Policy Processing

    • IP Security Policy Processing

    • Scripts Policy Processing

    • Security Policy Processing

    • Software Installation Policy Processing

    • Wireless Policy Processing

  4. Select Enabled to define the policy, as shown in Figure 3-14, and then make your configuration selections. The options will differ slightly depending on the policy selected and might include the following:

    • Allow Processing Across A Slow Network Connection

    • Do Not Apply During Periodic Background Processing

    • Process Even If The Group Policy Objects Have Not Changed

    Figure 3-14. Enabling the policy and then configuring it

  5. Click OK.
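Each of the policy-processing policies listed above records its three check boxes as registry values for the corresponding client-side extension, so a client can report how every extension has been told to behave over slow links and during background refresh. The following is an added example, not code from the book. It assumes the registry layout these policies use: a key per extension GUID under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy holding the DWORD values NoSlowLink, NoBackgroundPolicy and NoGPOListChanges, and the extension's display name stored as the default value of its key under Winlogon\GPExtensions.

```powershell
# Added example: per-extension slow link and background processing switches on a client.
$CsePolicyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$CseRegistration = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# Translate a 0/1/absent registry flag into the meaning of the GPMC check box.
function ConvertTo-OptionText {
    param($Value, [bool]$OneMeansYes)
    if ($null -eq $Value) { return 'not configured' }
    $yes = if ($OneMeansYes) { $Value -ne 0 } else { $Value -eq 0 }
    if ($yes) { 'yes' } else { 'no' }
}

function Get-GPExtensionProcessingPolicy {
    if (-not (Test-Path $CsePolicyRoot)) { return }
    Get-ChildItem -Path $CsePolicyRoot |
        Where-Object PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' |
        ForEach-Object {
            $guid = $_.PSChildName
            $v = Get-ItemProperty -Path $_.PSPath
            # The extension's display name is the default value of its GPExtensions key.
            $regKey = Join-Path $CseRegistration $guid
            $name = if (Test-Path $regKey) { (Get-ItemProperty -Path $regKey).'(default)' } else { $null }
            [pscustomobject]@{
                Extension           = if ($name) { $name } else { $guid }
                Guid                = $guid
                # "Allow Processing Across A Slow Network Connection" checked -> NoSlowLink = 0
                ProcessOverSlowLink = ConvertTo-OptionText $v.NoSlowLink $false
                # "Do Not Apply During Periodic Background Processing" checked -> NoBackgroundPolicy = 1
                SkipBackgroundRefresh = ConvertTo-OptionText $v.NoBackgroundPolicy $true
                # "Process Even If The Group Policy Objects Have Not Changed" checked -> NoGPOListChanges = 0
                ProcessIfUnchanged  = ConvertTo-OptionText $v.NoGPOListChanges $false
            }
        }
}

Get-GPExtensionProcessingPolicy | Format-Table -AutoSize
```

An extension that is absent from the output has none of these policies configured and therefore uses the defaults described above (for most areas, no processing over slow links and processing only when the policy object has changed).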

Refreshing Group Policy Manually

As an administrator, you might often need or want to refresh Group Policy manually. For example, you might not want to wait for Group Policy to refresh at the automatic periodic interval or you might be trying to resolve a problem with refresh and want to force Group Policy refresh. You can refresh Group Policy manually using the Gpupdate command-line utility.

Note

If you have been using the SECEDIT /refreshpolicy tool provided in Windows 2000, you should now use Gpupdate, which replaces it.

You can initiate refresh in several ways. If you type gpupdate at a command prompt, both the Computer Configuration settings and the User Configuration settings in Group Policy are refreshed on the local computer. You can also refresh user and computer configuration settings separately. To refresh only Computer Configuration settings, type gpupdate /target:computer at the command prompt. To refresh only User Configuration settings, type gpupdate /target:user at the command prompt.

Note

Only policy settings that have changed are processed and applied when you run Gpupdate. You can change this behavior using the /Force parameter. This parameter forces a refresh of all policy settings.

Tip

You can also use Gpupdate to log off a user or restart a computer after Group Policy is refreshed. This is useful because some group policies are applied only when a user logs on or when a computer starts up. To log off a user after a refresh, add the /Logoff parameter. To restart a computer after a refresh, add the /Boot parameter.
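When a manual refresh is part of a troubleshooting routine or a change window, it helps to script Gpupdate so that the switches are chosen deliberately and the outcome is recorded. The following is an added example, not code from the book. It wraps the Gpupdate options described above (/target, /force, /logoff, /boot, and the /wait timeout), checks the exit code, and then asks Gpresult when policy was last applied. It assumes gpupdate.exe and gpresult.exe are on the path (both ship with Windows), that the session is elevated for the computer-scope Gpresult query, and that Gpresult's output is in English for the final line match.

```powershell
# Added example: scripted Group Policy refresh with result checking.
function Invoke-GPRefresh {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Computer', 'User')][string]$Target,   # omit to refresh both halves
        [switch]$Force,                                      # reapply all settings, not only changed ones
        [switch]$Logoff,                                     # log the user off when the refresh completes
        [switch]$Boot,                                       # restart the computer when the refresh completes
        [ValidateRange(-1, 86400)][int]$WaitSeconds = 600    # gpupdate's /wait: 0 = do not wait, -1 = wait indefinitely
    )
    $gpArgs = @()
    if ($Target) { $gpArgs += "/target:$($Target.ToLower())" }
    if ($Force)  { $gpArgs += '/force' }
    if ($Logoff) { $gpArgs += '/logoff' }
    if ($Boot)   { $gpArgs += '/boot' }
    $gpArgs += "/wait:$WaitSeconds"

    $command = "gpupdate $($gpArgs -join ' ')"
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $command)) { return }

    # Capture both output streams so failures to contact a domain controller are kept.
    $output = & gpupdate.exe @gpArgs 2>&1
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Command      = $command
        ExitCode     = $LASTEXITCODE
        Success      = ($LASTEXITCODE -eq 0)
        Output       = ($output | Out-String).Trim()
        CompletedAt  = Get-Date
    }
}

# Refresh only the Computer Configuration settings and force every setting to reapply:
$result = Invoke-GPRefresh -Target Computer -Force
$result | Format-List

# Confirm the refresh registered: gpresult reports when policy was last applied.
if ($result.Success) {
    gpresult /r /scope:computer | Select-String -Pattern 'Last time Group Policy was applied'
}
```

Because the function supports -WhatIf, you can see the exact Gpupdate command line before running it, which is worth doing before combining /force with /logoff or /boot on a machine that users are working on.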
