Understanding Group Policy

Group Policy provides a convenient and effective way to manage computer and user settings.

What It Does

With Group Policy, you can manage settings for thousands of users or computers in the same way that you manage settings for one user or computer—and without ever leaving your desk. To do this, you use one of several management tools to change a setting to a desired value, and this change is applied throughout the network to a desired subset of users or computers or to any individual user or computer.

One way to think of Group Policy is as a set of rules that you can apply to help you manage users and computers. Despite common misperceptions, Group Policy does this in a way that is more intuitive than was previously possible. Still a nonbeliever? Consider for a moment that before Group Policy, many of the administrative changes that Group Policy enables were possible only by hacking the Windows registry, and each change had to be made individually on each target computer. Time consuming, tricky to implement, prone to disastrous results? You betcha.

Enter Group Policy, whereby you can simply enable or disable a policy to tweak a registry value or other setting, and the change will apply automatically to every computer you designate the next time Group Policy is refreshed. Because changes can be modeled (through the Group Policy Management Console) before the modifications are applied, you can be certain of the effect of each desired change. Plus, if you don’t like the results, you can undo a change by setting the policy back to its original or Not Configured state.

To take this scenario a step further, consider the case in which you’ve manually tweaked multiple Microsoft® Windows® registry settings on a number of machines and you start to have problems. Maybe users can’t log on, they can’t perform necessary actions, or computers aren’t responding normally. If you documented every change on every computer, you might be able to undo the changes—if you are lucky and if you properly documented the original settings as well as the changes. In contrast, Group Policy allows you to back up ("save") the state of Group Policy before making changes. If something goes wrong, you can restore Group Policy to its original state. When you restore the state of Group Policy, you can be certain that all changes are undone with the next Group Policy refresh.

How It Works

Speaking of Group Policy refresh, you are probably wondering what this term means. While the nitty-gritty details are covered in Chapter 2, the basics of Group Policy application (initial processing) and refresh (subsequent processing) are straightforward. In Active Directory, two distinct sets of policies are defined:

  • Computer policies. These apply to computers and are stored under Computer Configuration in Group Policy.

  • User policies. These apply to users and are stored under User Configuration in Group Policy.

Initial processing of the related policies is triggered by two unique events:

  • Processing of computer policies is triggered when a computer is started. When a computer is started and the network connection is initialized, computer policy settings are applied and a history of the registry-based settings that were applied is written to %AllUsersProfile%\Ntuser.pol.

  • Processing of user policies is triggered when a user logs on to a computer. When a user logs on to a computer, user policy settings are applied and a history of the registry-based settings that were applied is written to %UserProfile%\Ntuser.pol.

Once applied, Group Policy settings are automatically refreshed to keep settings current and to reflect any changes that might have been made. By default, Group Policy on domain controllers is refreshed every 5 minutes. For workstations and other types of servers, Group Policy is refreshed every 90 to 120 minutes by default. In addition, Group Policy is refreshed every 16 hours regardless of whether or not any policy settings have changed in the intervening time.

Note

Officially, the default Group Policy refresh interval on workstations and member servers is every 90 minutes, but a delay of up to 30 minutes is added to avoid flooding domain controllers with multiple simultaneous refresh requests. This effectively makes the default refresh window from 90 to 120 minutes.

Tip

Other factors can affect Group Policy refresh, including how slow link detection is defined (per the Group Policy Slow Link Detection Policy under Computer Configuration\Administrative Templates\System\Group Policy) and policy processing settings for policies under Computer Configuration\Administrative Templates\System\Group Policy. You can check the last refresh of Group Policy using the Group Policy Management Console (GPMC). (See the section titled "Determining the Effective Group Policy Settings and Last Refresh" in Chapter 3.)
