1. Group Policy Overview
The Microsoft Group Policy infrastructure is a
complex system that leverages several features and services included in
the Windows server and client OSs and the IP networks that these
systems reside on.
At its simplest, a group policy
is a set of definitions created by administrators to centrally
configure and deploy computer and user settings. Group policy contains
an extensive set of options right out of the box and can be extended
even further through third-party software vendors and through custom
development of policy settings by advanced Group Policy administrators.
As an example of Group Policy at work, a policy can be created to
automatically install a network printer on all machines located in a
particular office. Another group policy could define firewall profile
definitions that are less restrictive on the corporate network and very
secure when a mobile workstation connects to a public wireless network.
Group policy was introduced with Windows 2000
Active Directory. Before Windows 2000, the building blocks of Group
Policy were simply known as system policies and had some effective uses,
but were still pretty limited. The Windows 2000 version of Group Policy
proved to be very useful for security configurations and basic user
settings but lacked many features, and when it came to mobile devices,
it did not work very well. Microsoft Windows Server 2003 and Windows XP
improved on the Windows 2000 Group Policy infrastructure by adding some
new network detection features and more computer and user configuration
options, including printer deployment. It was not until Windows Vista
and Server 2008 were released that a major Group Policy overhaul had
taken place.
Starting with Windows Vista and Server 2008,
Microsoft now defined two different types of group policies: local and
domain-based group policies. The local group policies with Windows Vista
and Windows Server 2008 were basically mirrors of the settings
available for both computers and users in domain-based group policies.
This feature alone extended the application of Group Policy outside of
Active Directory environments, making this tool valuable to
organizations that use Windows workstations in workgroup configurations
or in networks that do not necessarily rely on Microsoft Active
Directory as the backbone for network authentication and other services.
Another major change to Group Policy was the
introduction of Group Policy Preferences (GPP). GPP includes both
computer and user-based preferences, and although these are configured
with group policies, by their namesake, they implement the preferred
configuration settings, and most can be changed by the user after policy
application. GPP included much of the missing functionality that Group
Policy administrators had to customize themselves within customized
computer startup or user logon scripts to deploy customized desktop
profile configurations, Registry settings, and much more. GPP really
changed the Group Policy administrative landscape as it moved a lot of
advanced customizations away from the cryptic scripts to GUI-based
administration that all administrators can review and tune.
Many of the
new Group Policy features of the Windows Vista and Windows Server 2008
infrastructure have been further improved and extended to provide more
out-of-the-box functionality. Group policy is split into four main
sections: computer policies, computer preferences, user policies, and
user preferences. As a way to understand this quickly, consider the
policy sections as enforced and the preference sections as initial
configurations that can be changed as desired.
2. Group Policy Processing: How Does It Work?
The first thing an administrator needs to
understand about Group Policy is that policies are processed and applied
by computers and users. Policy processing occurs during certain events
like computer startup and user logon but also at periodic intervals.
When policy processing occurs, many factors are taken into account to
determine whether a policy will be applied. One determining factor is
whether the policy has been previously applied and, if so, whether it
has been changed since the last application. This and many other factors
are used to check each possible policy before it is applied to the
computer/user.
Computer GPO Processing
Computers process group policies during
startup, shutdown, and periodic refresh intervals. By default, the
refresh interval is every 90 minutes on servers and workstations, with
an offset of 0 to 30 minutes. On domain controllers, group policies are
refreshed every 5 minutes. The offset ensures that domain-joined
computers do not all refresh or process group policies simultaneously
and potentially negatively impact the operation of the domain
controllers and the computers themselves. When a domain-joined computer
starts up, if the computer can successfully locate and communicate with
an authenticating domain controller, Group Policy Object (GPO)
processing occurs. During GPO processing, the system checks each linked
or inherited GPO to verify whether the policy has changed since the last
processing cycle, and then runs any startup scripts and checks for any
other requirement to reapply the policy. During the shutdown and refresh
interval, the GPOs are processed again to check for any updates or
changes since the last application cycle.
Computer GPO processing is determined by GPO links, security filtering, and Windows Management Instrumentation (WMI) filters.
User GPO Processing
GPO processing for users is similar to GPO
processing for computers. The main difference is that GPO processing for
users occurs at user logon, logoff, and periodically. The default
refresh interval for user GPO processing is 90 minutes plus a 0- to
30-minute offset. User GPO processing is determined by GPO links and
security filtering.
Network Location Awareness
Network Location Awareness (NLA) is a service
built in to Windows that is used to determine when the computer has
connectivity to the Active Directory infrastructure. The Group Policy
infrastructure uses NLA to determine whether to attempt to download and
apply GPOs. This Group Policy functionality is also used with a
connectivity check known as slow-link detection.
In earlier versions, Group Policy processing
used slow-link detection to determine whether the network was reliable
enough to process and apply policies. Slow-link detection relied on
the Internet Control Message Protocol (ICMP) or ping to test for
network connectivity and was not very reliable. Because of this
specification, group policy processing on mobile and remote client
workstations was very unreliable. When a mobile client workstation
connected to the corporate network through a virtual private network
(VPN) connection or after waking from hibernation or sleep mode, the
change in network connectivity usually passed by unnoticed, and GPOs
were not applied or refreshed. In these cases, the only way to get these
clients to apply their GPOs was to have them manually run a Group
Policy update from the command line or have these machines reboot while
connected to the corporate network via wired Ethernet connections.
Group policy processing from Windows Vista and
later, including Windows 8 and Windows Server 2012, now use the rebuilt
NLA service to detect network changes. The new NLA service is much
better at detecting changes to network connections, and when a
connection is established, NLA checks for domain controller
connectivity. If a domain controller can be contacted, the NLA service
notifies the computer Group Policy service, which, in turn, triggers
Group Policy processing for both computer-based and user-based Group
Policy settings. The NLA service is not dependent on ICMP or ping, which
on its own makes it more reliable. The NLA service should run on most
networks without any special configuration on the network devices or
network firewalls, even if ICMP communication is disabled or blocked by
the firewall.
Group Policy Client-Side Extensions
Group policies are divided into policies and
preferences, but even further within the policy different portions or
sections of Group Policy will determine how, when, or if that particular
section of a group policy will be processed. Group policy processing on
the client side is managed by the Group Policy client-side extensions
(CSEs). The CSEs are dynamic link library (DLL) files that are installed
on the local client server or workstation OSs. When group policies are
processed, it is actually the CSEs that apply the settings on the
client. There are both policy and preference CSEs on the client system,
and each CSE has its own default processing behavior, as discussed in
the next section.
Tuning Group Policy Processing with GPO Settings
Within the Windows OS, there is a default
behavior with regard to how Group Policy processing functions. Under
these default behaviors, some parts of the group policy run only at
computer startup and user logon, whereas some sections are processed
during the background refresh interval. In addition, policies that have
been processed earlier and have not changed since the last application
of the group policy may or may not be processed again. Furthermore, if a
computer startup or logon process has occurred off-network, Group
Policy processing occurs when the domain network is detected. This is by
design, to enhance both Group Policy processing and performance. For
example, if all group policies were processed in full at every
processing instance, the domain controllers and client system
performance or user experience would likely suffer: Users might
experience longer logon and logoff intervals, and computers across the
organization might experience slower startups/shutdowns and might
periodically just slow down. This is why, by
default, group policies that have already been applied and have not
changed are not processed during the background refresh interval.
Administrators and organizations might want to
change the default behavior of Group Policy processing to streamline
group policy performance and the user experience, or they might want to
tighten security and ensure that all policy settings remain enforced by
forcing group policies to reapply every policy processing cycle. To more
fully understand the default processing behavior of computer and user
Group Policy processing, review the settings within a domain group
policy located at Computer Configuration and User Configuration node at
Policies\Administrative Templates\System\Group Policy. Within the
sections, you can review several Group Policy processing settings. The
explanations for each describe their default behavior and provide
different options for each setting that is enabled, as shown in Figure 1 for the Computer Configuration Drive Maps preference extension policy processing setting.
Figure 1. Group policy drive maps preference policy setting.
