Group Policy Overview
The Microsoft Group
Policy infrastructure is a complex system that utilizes several features
and services included in the Windows server and client operating
systems and the IP networks that these systems reside on.
In its simplest concept, Group
Policy is a mechanism used to centrally secure, configure, and deploy a
common set of computer and user configurations, security settings, and,
in some cases, software, to Windows servers, Windows
workstations, and users in an Active Directory forest.
The Group Policy
infrastructure enables organizations to enforce configurations,
simplify desktop administration, secure access to network resources,
and, in some cases, meet regulatory compliance requirements. As an
example of this, group policies can be configured to apply and enforce
an end-user password policy that requires complex passwords that must
exceed seven characters and that must also be changed every 30 days.
Another sample policy can be configured to enable the Windows Firewall
on client workstations, remove an end user’s ability to disable it,
including local administrators, and allow the corporate desktop support
team to remotely administer these workstations while they are connected
to the corporate network or virtual private network (VPN).
Group Policy settings
and reliability have changed tremendously since they were first
introduced in Windows 2000 Server. In the Windows 2000 Server version,
Group Policy Objects (GPOs) lacked many features and basically were not
as resilient to network changes and many of the advanced functions just
did not work. With Windows XP and Windows Server 2003, many features
were fixed and new settings were introduced. With Windows Server 2008
and Windows Vista, many of the pain points realized in the previous
versions were resolved and the infrastructure was in many ways rebuilt
from the ground up to improve network performance and add functionality.
Now with the release of Windows Server 2008 R2 and Windows 7, many of
the new Group Policy features of the Windows Vista and Windows Server
2008 infrastructure have been further improved and extended to provide
more out-of-the-box functionality.
This chapter addresses the
administration and management of GPOs for Windows XP, Windows Vista, and
Windows 7 client operating systems as well as Windows Server 2003,
Windows Server 2008, and Windows Server 2008 R2 server operating
systems.
Group
Policy Processing—How Does It Work?
The way a group policy is
processed is determined by a number of different settings and criteria.
Computers and users process policies differently; furthermore, each
policy also can contain specific settings to define how and when a
policy will be processed.
GPOs contain a revision
number for both the computer and user configuration section of the
policy. By default, if the revision number has not changed since the
last application of the GPO, most of the GPO processing is skipped.
Certain portions, however, such as the computer startup and shutdown
scripts and the user logon and logoff scripts, are processed each time a
GPO is processed during that cycle.
Computer GPO Processing
Computers process policies in a
predetermined order and during certain events. Group policies are
applied to computer objects during startup, shutdown, and periodically
during the background refresh interval. By default, the refresh interval
is every 90 minutes on member servers and workstations with an offset
of 0 to 30 minutes. On domain controllers, group policies are refreshed
every 5 minutes. The offset ensures that not all domain
computers refresh or process group policies simultaneously. When a
computer starts up, if the computer can successfully locate and
communicate with an authenticating domain controller, GPO processing
will occur. During GPO processing, the system checks each linked or
inherited GPO to verify if the policy has changed since the last
processing cycle, to run any startup scripts and check for any other
requirement to reapply policy. During the shutdown and refresh interval,
the GPOs are processed again to check for any updates or changes since
the last application cycle.
Computer GPO processing
is determined by GPO links, security filtering, and Windows Management
Instrumentation (WMI) filters.
User GPO Processing
GPO processing for users
is very similar to GPO processing for computers. The main differences
are that GPO processing for users occurs at user logon, logoff, and
periodically. The default refresh interval for user GPO processing is 90
minutes plus a 0- to 30-minute offset.
User GPO processing is
determined by GPO links and security filtering.
Network Location
Awareness
Network Location Awareness (NLA)
is a service built in to Windows that is used to determine when the
computer has connectivity to the Active Directory infrastructure. The
Group Policy infrastructure utilizes NLA to determine whether to attempt
to download and apply GPOs. This Group Policy function is called slow
link detection.
In previous versions,
Group Policy processing used slow link detection to determine if the
network was reliable enough to process and apply policies. Slow link
detection relied on the Internet Control Message Protocol (ICMP) or Ping
to test for network connectivity and was not very reliable. Due to this
specification, Group Policy processing on mobile and remote client
workstations was very unreliable. When a mobile client workstation
connected to the corporate network through a VPN connection or after
waking from hibernation or sleep mode, the change in network
connectivity usually passed by unnoticed and GPOs were not applied or
refreshed. In these cases, the only way to get these clients to apply
their GPOs was to have them manually run a Group Policy update from the
command line or have these machines reboot while connected to the
corporate network via wired Ethernet connections.
Group Policy processing on
Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008
R2 now utilize the rebuilt Network Location Awareness (NLA) service to
detect network changes. The new NLA service is much better at detecting
changes to network connections, and when a connection is established,
NLA checks for domain controller connectivity. If a domain controller
can be contacted, the NLA service notifies the computer Group Policy
service, which, in turn, triggers Group Policy processing for both
computer- and user-based Group Policy settings. The NLA service is not
dependent on ICMP or Ping, which on its own makes it more reliable. The
NLA service should run on most networks without any special
configuration on the network devices or network firewalls, even if ICMP
communication is disabled or blocked by the firewall.
Managing Group Policy
Processing with GPO Settings
Within the Policies\Administrative
Templates\System\GroupPolicy section of both the Computer Configuration
and User Configuration nodes of a GPO, as shown in Figure 1, an administrator can review and control how group policies
will be processed. These sections contain the Group Policy settings that
will determine how often a policy will be refreshed, if a policy will
be reapplied even if the revision number has not changed since the last
cycle, and if the policy will be applied across slow links or if any
local computer policies will be processed by a computer or a user.
