4. Learn Group Policy Processing
Understanding Group
Policy processing is key to understanding how to apply settings and can
really assist you in troubleshooting. Policy processing will also impact
when you see the Group Policy settings take effect on your targeted
systems and users.
You also need to understand that Group Policy is processed differently for computer settings and for user settings, and that the version of the client operating system affects how policy is applied; the differences that matter are called out below.
Computer settings are applied when the operating system starts and are refreshed in the background afterwards; shutdown is only an event for shutdown scripts. User settings are applied when the user logs on and are likewise refreshed during the session; logoff is only an event for logoff scripts. Computer settings are always processed before user settings. The two halves write to different hives (HKLM for computer settings, HKCU for user settings), so a genuine conflict is rare; where a policy exists under both nodes, check its Explain text for which one wins. What determines the user settings a person receives is where the user object sits in Active Directory, not the computer they log on to, unless you configure loopback processing mode.
When you change Group Policy in the GPMC, the change is not applied immediately, but it does not need any action from the user or the computer either: a background process refreshes policy on a schedule, and the schedule itself is configurable through Group Policy settings. On a domain controller, policy is refreshed by default every 5 minutes. On every other system the default is 90 minutes plus a random offset of up to 30 minutes, so a change you make to a GPO can take up to 2 hours to show up on the targeted system.
Because computer and user settings are evaluated separately, the user settings a person receives normally come from the GPOs linked to the site, domain and OUs that contain the user object, regardless of which computer they log on to. On shared or special-purpose machines such as kiosks, lab PCs and terminal servers, that is often not what you want: the user experience should depend on the computer being used. Loopback processing mode is the answer. It does not reorder computer and user processing; instead, when it is enabled in a GPO that applies to the computer, the user settings from the GPOs linked to the computer's own location in Active Directory are applied at logon, either in addition to or instead of the user's own GPOs.
Loopback processing mode is configured via Group Policy and is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy. The setting is User Group Policy Loopback Processing Mode, as shown here. The setting has two modes:
Merge: The user's own GPOs are processed first, then the user settings from the computer's GPO list. Because the computer's list is applied last, it wins any conflict.
Replace: Only the user settings from the computer's GPO list are applied; the GPOs linked to the user's own location are ignored.
Whichever mode you choose, the computer account (or Authenticated Users) must have Read and Apply Group Policy permission on the GPOs that carry the user settings; otherwise those GPOs are filtered out and do not apply.
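As an added example (not code from the original text), the following PowerShell uses the GroupPolicy module (RSAT-GPMC or a domain controller) to set the loopback mode on a named GPO by writing the registry-based policy behind the setting, and then audits every GPO in the domain for loopback so you can see where user settings are being rerouted. The GPO name "Kiosk-Computers" is a placeholder; the key and value name (UserPolicyMode, 1 = Merge, 2 = Replace) are what the GPMC writes for this setting.

```powershell
# Added example: configure and audit User Group Policy loopback processing mode.
# Requires the GroupPolicy module (RSAT-GPMC or a domain controller) and rights to edit GPOs.
Import-Module GroupPolicy

# Registry-backed policy that the GPMC writes for "User Group Policy loopback processing mode".
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$LoopbackModes = @{ Merge = 1; Replace = 2 }

function Set-GPLoopbackMode {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('Merge', 'Replace', 'NotConfigured')][string]$Mode
    )
    if ($Mode -eq 'NotConfigured') {
        # Removing the value returns the setting to Not Configured.
        Remove-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue | Out-Null
    } else {
        Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue `
            -Type DWord -Value $LoopbackModes[$Mode] | Out-Null
    }
}

function Get-GPLoopbackReport {
    # One row per GPO: which loopback mode (if any) it carries, and whether its computer
    # half is enabled at all (loopback is a computer setting, so it is dead otherwise).
    foreach ($gpo in Get-GPO -All) {
        $entry = $null
        try {
            $entry = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                        -ValueName $LoopbackValue -ErrorAction Stop
        } catch { }   # value not present in this GPO
        $mode = switch ($entry.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'NotConfigured' } }
        [pscustomobject]@{
            Gpo                = $gpo.DisplayName
            Loopback           = $mode
            ComputerSettingsOn = $gpo.GpoStatus -notin 'AllSettingsDisabled', 'ComputerSettingsDisabled'
        }
    }
}

# Usage (placeholder GPO name): put a kiosk GPO into Replace mode, then list every GPO using loopback.
Set-GPLoopbackMode -GpoName 'Kiosk-Computers' -Mode Replace
Get-GPLoopbackReport | Where-Object Loopback -ne 'NotConfigured' | Format-Table -AutoSize
```

The audit is worth running periodically: a GPO with loopback in Replace mode linked high in the tree is a quick way for someone to hand an arbitrary set of user settings to everyone who logs on to those computers, and the user's own RSoP will not explain where the settings came from.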
Not all policy is processed in the background. By default, a GPO that has not changed since the last refresh is not reapplied. Software installation and folder redirection are never processed during a background refresh at all, and startup, shutdown, logon and logoff scripts run only at those events, even though the background refresh picks up the new script list. These foreground-only extensions therefore take effect the next time their event occurs: a change to a startup script made in the GPMC is noticed by the next background refresh, but the new script does not run until the computer is next restarted, and a change to logon scripts, software installation or folder redirection for a user waits for the next logoff and logon.
Security settings are also treated separately from other Group Policy settings. Security settings are those listed under Windows Settings\Security Settings in both Computer Configuration and User Configuration. They include Account Policies; Local Policies (Audit Policy, User Rights Assignment and Security Options); Event Log size and retention; Restricted Groups; System Services; Registry and File System access; Public Key Policies; Software Restriction Policies; and IP Security policies, to name the general categories. Unlike other settings, they are reapplied every 16 hours (960 minutes) even if the GPO has not changed, so local tampering with, say, a user right or a service ACL is undone on the next cycle. You can change this interval through the registry: it is the MaxNoGPOListChangesInterval value, in minutes, under the Security client-side extension key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}.
Lastly, some policies are not applied if a slow link is detected. Specifically, software installation, scripts, folder redirection and disk quotas are not applied by default over a slow link; administrative template (registry) settings, security settings, the EFS recovery policy and IP Security policies always are. Whether a link is slow is decided by measuring the connection to the domain controller that delivers the policy. On client operating systems prior to Windows Vista, the client sends ICMP echo requests of different sizes to a domain controller and derives a transfer rate from the response times; if that rate falls below the threshold (500 Kbps by default, adjustable through the Group Policy slow link detection setting), the link is treated as slow and only the settings named above are applied. Windows Vista changed this: instead of pings it uses the Network Location Awareness (NLA) service, which reports whether a domain controller is reachable and estimates the link bandwidth without relying on ICMP.
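The refresh interval, the 16-hour security reapply interval and the slow link threshold above are all registry values on the client, so you can read the effective numbers on a machine instead of guessing. The following PowerShell is an added example, not code from the original text: it reads the computer-side values the corresponding policies write (the user refresh interval lives under HKCU and is not covered), falls back to the built-in defaults when a policy is not configured, and reports the worst-case delay before a changed GPO is applied. The value names and the Security client-side extension GUID are the documented ones; the DomainRole mapping (4 and 5 mean domain controller) comes from Win32_ComputerSystem.

```powershell
# Added example: read the timers that decide when a GPO change reaches this machine.
# Values only exist when the matching policy is configured; otherwise the built-in default applies.
$SystemPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Client-side extension key for Security (scecli); MaxNoGPOListChangesInterval lives here.
$SecurityCseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $Default
}

function Get-GPTimers {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC, lower values = member/standalone.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) {
        $interval = Get-PolicyDword $SystemPolicyKey 'GroupPolicyRefreshTimeDC'       5
        $offset   = Get-PolicyDword $SystemPolicyKey 'GroupPolicyRefreshTimeOffsetDC' 0
    } else {
        $interval = Get-PolicyDword $SystemPolicyKey 'GroupPolicyRefreshTime'         90
        $offset   = Get-PolicyDword $SystemPolicyKey 'GroupPolicyRefreshTimeOffset'   30
    }
    [pscustomobject]@{
        IsDomainController     = $isDc
        RefreshIntervalMinutes = $interval
        RandomOffsetMinutes    = $offset
        WorstCaseDelayMinutes  = $interval + $offset   # upper bound before a changed GPO is applied
        SecurityReapplyMinutes = Get-PolicyDword $SecurityCseKey 'MaxNoGPOListChangesInterval' 960
        SlowLinkThresholdKbps  = Get-PolicyDword $SystemPolicyKey 'GroupPolicyMinTransferRate' 500
    }
}

Get-GPTimers | Format-List
```

On an unmodified member computer this reports 90 + 30 minutes (the 2-hour worst case described above), 960 minutes for security reapplication and 500 Kbps for the slow link threshold; anything else on a box you did not configure is worth a look, since lengthening these intervals is a cheap way to keep a tampered security setting alive.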
4.1. Manually Update Group Policy Settings
You may not want to wait for background policy processing. You can manually refresh Group Policy on a targeted system by running gpupdate.exe on that system. When testing Group Policy, run gpupdate /force before you log off or reboot; if the settings you changed are applied by a foreground-only extension (scripts, software installation, folder redirection), the refresh tells you that a restart or logoff is still needed, and the /boot and /logoff switches will do that for you once the refresh finishes. This simple command can save you time, especially when you are troubleshooting. You can run gpupdate.exe from a command prompt. Its parameters are listed in Table 3.
Table 3. gpupdate.exe
Command | Function
--- | ---
gpupdate | Reapplies just the policies that have changed since the last update, for both computer and user settings
gpupdate /force | Reapplies all policy settings, for both computer and user settings, whether or not they have changed
gpupdate /target:Computer or gpupdate /target:User | Refreshes only the computer settings or only the user settings
gpupdate /logoff | Logs the user off after the refresh if a user extension that only runs at logon (software installation, folder redirection) has pending changes
gpupdate /boot | Restarts the computer after the refresh if a computer extension that only runs at startup has pending changes
gpupdate /sync | Makes the next foreground processing (startup and logon) synchronous; combine with /boot or /logoff
gpupdate /wait:<seconds> | How long to wait for processing to finish before returning to the prompt (default 600; 0 returns immediately, -1 waits indefinitely)
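When you script a refresh during testing, you want more than the exit code: you want to know whether policy was actually applied and whether a restart or logoff is still pending. The following PowerShell wrapper is an added example, not code from the original text. It runs gpupdate with the switches from Table 3, reads the "Last time Group Policy was applied" line from gpresult /r before and after so you can see the timestamp move, and flags the message gpupdate prints when a foreground-only extension has pending changes. The regular expressions are matched against English gpupdate and gpresult output; the computer scope needs an elevated prompt.

```powershell
# Added example: force a refresh and confirm from gpresult that it was applied.
# gpresult /scope:computer and the computer half of gpupdate need an elevated prompt.
function Get-GPLastApplied {
    param([string]$Scope)
    $scopeArg = if ($Scope -eq 'Both') { 'computer' } else { $Scope.ToLower() }
    $text = & gpresult.exe /r "/scope:$scopeArg" 2>&1 | Out-String
    # Parse the "Last time Group Policy was applied:" line (English gpresult output).
    if ($text -match 'Last time Group Policy was applied:\s*(.+)') { return $Matches[1].Trim() }
    return $null
}

function Invoke-GPRefresh {
    param(
        [ValidateSet('Computer', 'User', 'Both')][string]$Target = 'Both',
        [switch]$Force
    )
    $argList = @()
    if ($Target -ne 'Both') { $argList += "/target:$Target" }
    if ($Force)             { $argList += '/force' }

    $before = Get-GPLastApplied -Scope $Target
    $output = & gpupdate.exe @argList 2>&1 | Out-String
    $after  = Get-GPLastApplied -Scope $Target

    [pscustomobject]@{
        ExitCode          = $LASTEXITCODE
        Output            = $output.Trim()
        # gpupdate prints "... can only run during startup/logon" when a foreground-only
        # extension (scripts, software installation, folder redirection) has pending changes.
        ForegroundPending = [bool]($output -match 'can only run during (startup|logon)')
        LastAppliedBefore = $before
        LastAppliedAfter  = $after
    }
}

# Usage: refresh computer policy unconditionally and show whether the timestamp moved.
Invoke-GPRefresh -Target Computer -Force | Format-List
```

If LastAppliedAfter does not advance, the refresh did not reach the domain controller at all (name resolution, slow link detection or a blocked SYSVOL share are the usual causes), which is a different problem from a pending restart, and the two are easy to confuse when you only look at the exit code.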
4.2. Learn How Group Policies Process on the Client Side
One last consideration you
need to be aware of regarding Group Policy processing is how they are
applied to the system. There are two types of Group Policy processing
modes: synchronous and asynchronous. Synchronous
processing is when you have a series of processes where the series is
processed one step at a time; in other words, one process must finish
running before the next one begins. Asynchronous
processing, on the other hand, can run on different threads
simultaneously because their outcome is independent of other processes.
Client operating systems (Windows XP, Windows Vista, Windows 7) process Group Policy asynchronously by default. The reason is Fast Logon Optimization, which is designed to present the desktop to the user as quickly as possible: the logon screen and desktop are shown before network and policy processing have finished, using the GPO list cached from the previous session. The consequence is that a policy change may not be applied at the first startup or logon. Extensions that need a synchronous foreground pass, namely software installation and folder redirection, are the ones to watch: the first logon only notices the change and marks the next logon to run synchronously, so the user typically needs two logons (or two restarts, for computer-side software installation) before the change is visible.
Server operating systems (Windows Server 2003, Windows Server 2008, Windows Server 2008 R2) process Group Policy synchronously, which guarantees that all Group Policy settings are processed before the user gets control. This may delay startup and logon; however, when you see the logon screen you know the computer settings have been applied, and when the desktop appears you know all the user settings have been applied. Windows 2000 processes Group Policy synchronously at startup and asynchronously during background refreshes (background refreshes are asynchronous on every version).
As you can see, this is important to understand when you maintain and troubleshoot Group Policy. You can also control this behavior on client operating systems with the Always Wait for the Network at Computer Startup and Logon setting, which makes them process Group Policy synchronously at startup and logon, as servers do. You can find this setting in Group Policy under Computer Configuration\Policies\Administrative Templates\System\Logon, as shown in Figure 4. Enabling it turns off Fast Logon Optimization on the computers the GPO applies to, at the cost of slower startup and logon; it is the usual fix when software installation or folder redirection keeps needing a second logon.
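The setting above is a registry-based policy, so it can be set from PowerShell with the GroupPolicy module and checked on a client after a refresh. The following is an added example, not code from the original text; the GPO name "Workstations-Baseline" is a placeholder, and the key and value name (SyncForegroundPolicy = 1) are what the GPMC writes for Always Wait for the Network at Computer Startup and Logon.

```powershell
# Added example: enable synchronous foreground processing on client computers
# ("Always wait for the network at computer startup and logon") and verify it on a client.
Import-Module GroupPolicy   # needed for the Set/Get-GPRegistryValue half only

# Registry-backed policy that the GPMC writes for this setting.
$WinlogonKey    = 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinlogonPsPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SyncValue      = 'SyncForegroundPolicy'

function Set-GPAlwaysWaitForNetwork {
    # Enabled = 1 turns Fast Logon Optimization off; Enabled = 0 writes the policy as Disabled.
    param([Parameter(Mandatory)][string]$GpoName, [bool]$Enabled = $true)
    Set-GPRegistryValue -Name $GpoName -Key $WinlogonKey -ValueName $SyncValue `
        -Type DWord -Value ([int]$Enabled) | Out-Null
    # Read it back from the GPO so the caller sees what will be delivered.
    (Get-GPRegistryValue -Name $GpoName -Key $WinlogonKey -ValueName $SyncValue).Value
}

function Test-LocalForegroundSynchronous {
    # Run on a client after gpupdate: $true once the policy has landed in HKLM.
    $item = Get-ItemProperty -Path $WinlogonPsPath -Name $SyncValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$SyncValue -eq 1)
}

# Usage (placeholder GPO name) on a management host, then the check on a client.
Set-GPAlwaysWaitForNetwork -GpoName 'Workstations-Baseline' -Enabled $true
Test-LocalForegroundSynchronous
```

The check on the client is the part people skip: the value is delivered by the normal background refresh, so the first startup after you set it is still asynchronous, and only startups after the policy has reached HKLM will wait for the network.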
On operating systems prior to Windows Vista, Group Policy was processed inside the Winlogon process (by userenv.dll) rather than by a service of its own, so a problem in policy processing could hold up or affect logon itself, and faults in the components it relied on, such as Netlogon for locating a domain controller, surfaced as Group Policy failures.
In later versions of Windows (2008, 2008 R2, Vista and 7) there is a dedicated service for Group Policy, aptly called the Group Policy Client service (gpsvc). The service is responsible for applying the settings configured through Group Policy.
This change is important because it gives Group Policy better reliability and makes background processing cheaper: the service runs in its own svchost instance, isolated from Winlogon, and uses Network Location Awareness to process policy when a network connection becomes available rather than retrying on a blind timer. The dedicated service also takes on work that earlier versions of Windows spread across several components.