
Windows Server 2008 R2 : Understand Group Policy (part 2) - Learn Group Policy Processing

8/3/2011 11:25:24 AM

4. Learn Group Policy Processing

Understanding Group Policy processing is key to understanding how to apply settings and can really assist you in troubleshooting. Policy processing will also impact when you see the Group Policy settings take effect on your targeted systems and users.

You also need to understand that Group Policy is processed differently for computer settings and user settings. The client operating system also makes a difference: it can affect how Group Policy is applied.

Computer settings are applied at two times: during startup of the operating system and during shutdown. User settings are applied when the user logs on to and logs off from the system. With the user settings being applied second, by default they take precedence over computer settings unless you have configured loopback processing mode.

When you make changes to Group Policy via the GPMC, they may not take effect immediately, but they also may not require any action by the user or computer. A background process controls the refresh of policies. Policies are updated in the background at various intervals; the intervals are also configurable via Group Policy settings. If the system is a domain controller, the policy is refreshed by default every 5 minutes. On all other systems, the refresh interval is by default 90 minutes plus a random interval of 30 minutes, so a policy could take up to 2 hours before the changes you made to the GPO are reflected on the targeted system.

Loopback Processing Mode

When you apply both computer and user settings via Group Policy, they are processed at separate times. With the user settings applied after computer settings, there is a potential that your computer settings will be overridden by the user settings. Even though there are only a few settings that can conflict in this way, ultimately this behavior may not be what you desire. You can control the order of processing of computer and user settings by configuring loopback processing mode. Loopback processing mode will enable the computer settings of the GPO to take precedence over the user settings in the GPO.

Loopback processing mode is configured via Group Policy and is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy. The setting is User Group Policy Loopback Processing Mode, as shown here.



The setting has two modes:

Merge: This allows the settings in both the computer and user areas of Group Policy to be combined. If there is a conflict between the two settings, the settings in the computer configuration will take precedence.

Replace: This allows the settings in the computer area to replace the settings in the user portion of Group Policy.


Not all policies are processed in the background; by default, policies are not reapplied if the policy has not changed. Additionally, software installation, scripts, and folder redirection are not reapplied during background processing. Those policies are applied when either a computer restarts or a user logs off or logs back on. However, there is one exception to the order of processing for GPOs. If a GPO is in the startup or shutdown settings for computer objects or in the logon or logoff settings for user objects, those policies are processed the next time that event occurs. In other words, if a policy is updated in the background and is in the startup settings, then those policy changes will not take place until the next time the system is restarted.

Security settings are also treated separately from other Group Policy settings. Security settings are those settings listed under both the User Configuration and Computer Configuration under Windows Settings\Security Settings. They include such things as Account Policies, Local Security Policies such as Auditing and User Rights, Event Log size and retention settings, Restricted Groups, System Services, Registry and File System access, Public Key Policies, Software Restrictions, and IP Security, to name the general categories. These settings are reapplied every 16 hours even if the GPO has not changed. You can modify this duration through the registry.

Lastly, some policies are not applied if a slow link is detected. Specifically, application deployment, scripts, folder redirection, and disk quotas are not applied by default when a slow link is detected. A slow link is determined by the responsiveness of the domain controller delivering the policies to the targeted systems. By default, when processing a GPO, client operating systems prior to Windows Vista will try four times to ping a domain controller. If the average of the four ping attempts is greater than the default or that set by the GPO, then only registry settings, security policies, EFS recovery policy, and IP security policies will be applied. With Windows Vista, this has changed. Instead of pings, Vista uses the Network Location Awareness handler, which verifies whether a domain controller is available.

4.1. Manually Update Group Policy Settings

You may not be willing to wait for background policy processing. You can manually update Group Policy settings on targeted systems by running the command gpupdate.exe from the target system. When testing Group Policy, you should usually run gpupdate /force before logging off or rebooting the computer. This will allow you to make sure that Group Policy settings are flowing down to the system. This simple command can save you time, especially when you are troubleshooting. You can run gpupdate.exe from a command prompt. The command has a few parameters, making the tool very useful, as listed in Table 3.

Table 3. gpupdate.exe

| Command | Function |
| --- | --- |
| gpupdate | Reapplies just the policies that have changed since the last update for both computer and user settings |
| gpupdate /force | Reapplies all the policy settings for both computer and user settings regardless of whether they have changed |
| gpupdate /target:Computer or gpupdate /target:User | Reapplies only the computer or user settings as reflected by the choice you set in the command |

4.2. Learn How Group Policies Process on the Client Side

One last consideration you need to be aware of regarding Group Policy processing is how policies are applied to the system. There are two types of Group Policy processing modes: synchronous and asynchronous. Synchronous processing is when you have a series of processes where the series is processed one step at a time; in other words, one process must finish running before the next one begins. Asynchronous processing, on the other hand, can run processes on different threads simultaneously because their outcome is independent of other processes.

Client-side systems (Windows XP, Windows Vista, Windows 7) process group policies asynchronously. The main reason for asynchronous processing on the client-side systems is fast logon optimization. Fast logon optimization is designed to enable the systems to quickly present the desktop to the users. This could result in some policies not being applied initially to the targeted systems.

Server-side systems (Windows Server 2003, Windows Server 2008, Windows Server 2008 R2) process group policies synchronously, which ensures the Group Policy settings are processed. With synchronous processing, all the Group Policy settings will be applied. You will notice this may delay logon; however, when you see the logon screen, you will know the computer settings have been applied, and likewise when the desktop is displayed, you will know that all the user settings have been applied. Group policies are processed synchronously on Windows 2000 systems at startup and asynchronously during Group Policy refreshes.

As you can see, this is important to understand when it comes to maintaining and troubleshooting Group Policy. You can also control this setting on the client-side systems by modifying the Always Wait for the Network at Computer Startup and Logon setting; this will allow you to have the client-side systems process group policies synchronously. You can find this setting in Group Policy under Computer Configuration\Policies\Administrative Templates\System\Logon, as shown in Figure 4. By enabling the setting, you control the processing behavior on the client-side systems.

Figure 4. Setting for synchronous processing
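
To check which of the processing behaviors described in this section are actually in effect on a given host, the following added example (not part of the original article) reads the corresponding policy values from the registry. The registry paths and value names are the locations these policies are documented to write to and do not appear in the article; a missing value is treated as Not Configured and the defaults stated above are substituted.

```powershell
# Added example: report the Group Policy processing settings in effect on this computer.
# A value that is absent means the policy is Not Configured and the default applies.
function Get-PolicyValue {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $Default
}

$sys      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$secExt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
$isDC = ($productType -eq 2)

# Background refresh: 5 minutes on a domain controller, 90 plus up to 30 elsewhere
if ($isDC) {
    $interval = Get-PolicyValue $sys 'GroupPolicyRefreshTimeDC' 5
    $offset   = Get-PolicyValue $sys 'GroupPolicyRefreshTimeOffsetDC' 0
} else {
    $interval = Get-PolicyValue $sys 'GroupPolicyRefreshTime' 90
    $offset   = Get-PolicyValue $sys 'GroupPolicyRefreshTimeOffset' 30
}

# Loopback processing mode: 1 = Merge, 2 = Replace, absent = not configured
$loopback = switch (Get-PolicyValue $sys 'UserPolicyMode' 0) {
    1       { 'Merge' }
    2       { 'Replace' }
    default { 'Not configured' }
}

# Foreground processing: servers are synchronous by default; clients only when
# "Always wait for the network at computer startup and logon" is enabled
$waitForNetwork = (Get-PolicyValue $winlogon 'SyncForegroundPolicy' 0) -eq 1
$synchronous    = ($productType -ne 1) -or $waitForNetwork

# Security settings are reapplied on this interval even when no GPO has changed
$secMinutes = Get-PolicyValue $secExt 'MaxNoGPOListChangesInterval' 960

New-Object PSObject -Property @{
    IsDomainController     = $isDC
    RefreshIntervalMinutes = $interval
    MaxRefreshDelayMinutes = $interval + $offset
    LoopbackMode           = $loopback
    SynchronousForeground  = $synchronous
    SecurityReapplyHours   = $secMinutes / 60
} | Format-List
```

Run it from an elevated PowerShell prompt on the target system; comparing the output across hosts shows quickly where a loopback or refresh setting differs from what the GPO design intended.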

Service Running Group Policy Processing

On operating systems prior to Windows Vista, group policies were processed by the netlogon service. As a result, the netlogon service sometimes was the culprit for issues with Group Policy.

In later versions of Windows (2008, 2008 R2, Vista, and 7), there is a dedicated service for Group Policy, aptly called the Group Policy service. The service is responsible for applying settings configured through Group Policy.

This change is important because it offers better reliability for Group Policy and enables better efficiency and reduction of resources for background processing of Group Policy. The dedicated service provides the ability to read to new files and allows the Group Policy service to take on the workload provided by multiple services in other versions of Windows.
