Group Policy Processing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

As described earlier in this paper, Group Policy is processed in the following order: Local Group Policy object (Local GPO), then GPOs linked to containers in this order: site, domain, and organizational units, including any nested organizational units (starting with the organizational unit further from the user or computer object). This means that the local Group Policy object is processed first, and the organizational unit to which the computer or user belongs (the one that it is a direct member of) is processed last. All of this is subject to the following conditions:

  • WMI or security filtering that has been applied to GPOs.

  • Any domain-based GPO (not local GPO) may be enforced by using the Enforce option so that its policies cannot be overwritten. When more than one GPO has been marked as enforced, the GPO that is highest in Active Directory hierarchy takes precedence.

  • At any domain or organizational unit, Group Policy inheritance may be selectively designated as Block Inheritance. However, blocking inheritance does not prevent policy from enforced GPOs from applying; this is because enforced GPOs are always applied, and cannot be blocked.

Note

Every computer has a single local GPO that is always processed regardless of whether the computer is part of a domain or is a stand-alone computer. The Local GPO can't be blocked by domain-based GPOs. However, settings in domain GPOs always take precedence since they are processed after the Local GPO.
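The precedence rules above, as an added worked example in Python that is not part of the original paper: it computes the order in which a client applies GPOs for a constructed hierarchy of site, domain and nested organizational units, honouring Enforce and Block Inheritance, and then resolves the effective value of each setting (a later GPO overrides an earlier one). The GPO, container and setting names are made up for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    enforced: bool = False
    settings: dict = field(default_factory=dict)  # setting -> value; absent means Not Configured

@dataclass
class Container:
    name: str
    gpos: list                      # linked GPOs in link order; index 0 is link order 1 (wins)
    block_inheritance: bool = False

def application_order(local_gpo, containers):
    """Return GPOs in the order the client applies them; a later GPO overrides an earlier one.

    containers is the hierarchy from the top down: site, domain, then organizational units
    from the one farthest from the object to the one it is a direct member of.
    """
    # Block Inheritance on a container drops every non-enforced GPO linked above it;
    # only the deepest block matters, and the blocking container's own links still apply.
    block_idx = max((i for i, c in enumerate(containers) if c.block_inheritance), default=-1)
    order = [local_gpo]             # the Local GPO always goes first and cannot be blocked
    enforced = []
    for i, c in enumerate(containers):
        if i >= block_idx:
            # link order 1 must win, so within one container it is applied last
            order += [g for g in reversed(c.gpos) if not g.enforced]
        enforced += [g for g in c.gpos if g.enforced]
    # Enforced GPOs apply after everything else; among them the one highest in the
    # hierarchy (and, within a container, lowest link order) wins, so it is applied last.
    order += reversed(enforced)
    return order

def resolve(order):
    """Effective settings after applying the GPOs in order (last writer wins)."""
    effective = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective

def demo():
    # Constructed hierarchy: Site -> Domain -> OU=Corp (Block Inheritance) -> OU=Sales
    local = Gpo("Local GPO", settings={"RemoveRun": False, "Wallpaper": "local.bmp"})
    site = Container("Site", [Gpo("SiteGPO", settings={"Wallpaper": "site.bmp"})])
    domain = Container("Domain", [
        Gpo("Default Domain Policy", enforced=True, settings={"MinPwdLen": 8}),
        Gpo("DomainDesktop", settings={"RemoveRun": True}),
    ])
    corp = Container("OU=Corp", [Gpo("CorpGPO", settings={"RemoveRun": False})],
                     block_inheritance=True)
    sales = Container("OU=Sales", [Gpo("SalesGPO", settings={"Wallpaper": "sales.bmp"})])
    order = application_order(local, [site, domain, corp, sales])
    return [g.name for g in order], resolve(order)

if __name__ == "__main__":
    names, effective = demo()
    print(" -> ".join(names))  # Local GPO -> CorpGPO -> SalesGPO -> Default Domain Policy
    print(effective)
```

SiteGPO and DomainDesktop are dropped by the block on OU=Corp, while the enforced Default Domain Policy passes through and is applied last.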

Initial Processing of Group Policy

Group Policy for computers is applied at computer startup. For users, Group Policy is applied when they log on. By default, the processing of Group Policy is synchronous, which means that computer Group Policy is completed before the CTRL+ALT+DEL dialog box is presented, and user Group Policy is completed before the shell is active and available for the user to interact with it. (As explained below, Windows XP with Fast Logon enabled lets users log on while Group Policy is processed in the background.)

Synchronous and Asynchronous Processing

Synchronous processes can be described as a series of processes where one process must finish running before the next one begins. Asynchronous processes, on the other hand, can run on different threads simultaneously because their outcome is independent of other processes.

You can change the default processing behavior by using a policy setting for each GPO so that processing is asynchronous instead of synchronous. However, this is not recommended because it can cause unpredictable or undesirable side effects. For example, if the policy has been set to remove the Run command from the Start menu, it is possible under asynchronous processing that a user could log on prior to this policy taking effect, so the user would initially have access to this functionality. To provide the most reliable operation, it is recommended that you leave the processing as synchronous.

Fast Logon in Windows XP Professional

By default in Windows XP Professional, the Fast Logon Optimization feature is set for both domain and workgroup members. This results in the asynchronous application of policies when the computer starts and when the user logs on. This application of policies is similar to a background refresh process and can reduce the length of time it takes for the Logon dialog box to display and the length of time it takes for the shell to be available to the user. An administrator can change the default by using the Group Policy Object Editor.

Fast Logon Optimization is always off during logon under the following conditions:

  • When a user first logs on to a computer.

  • When a user has a roaming user profile or a home directory for logon purposes.

  • When a user has synchronous logon scripts.

Note that under the preceding conditions, computer startup can still be asynchronous. However, because logon is synchronous under these conditions, logon does not exhibit optimization.

The following table summarizes the default processing of policy on Windows XP.

Client                   Application at startup/logon   Application at refresh
Windows 2000             Synchronous                    Asynchronous
Windows XP Professional  Asynchronous                   Asynchronous

Windows XP clients support Fast Logon Optimization in any domain environment. To turn off Fast Logon Optimization, you can use the following policy setting:

Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon

Note

Fast Logon Optimization is not a feature of Windows Server 2003.

Folder Redirection and Software Installation Policies

Note that when logon optimization is on, a user may need to log on to a computer twice before folder redirection policies and software installation policies are applied. This is because application of these types of policies requires synchronous policy application. During a policy refresh (which is asynchronous), the system sets a flag that indicates that the application of folder redirection or a software installation policy is required. The flag forces synchronous application of the policy at the user's next logon.

Time Limit for Processing of Group Policy

Under synchronous processing, there is a time limit of 60 minutes for all of Group Policy to finish processing on the client. Any client-side extensions that are not finished after 60 minutes are signaled to stop, in which case the associated policy settings may not be fully applied. An errant extension may not be able to respond; in either case the Group Policy engine goes into asynchronous processing mode. This means that the Group Policy engine is no longer blocked while waiting for a running (likely errant) extension and continues to process; it leaves the extension(s) running and does not terminate it (them). There is no setting to control this time-out period or behavior.

Background Refresh of Group Policy

In addition to the initial processing of Group Policy at startup and logon, Group Policy is applied subsequently in the background on a periodic basis, and can also be triggered on demand from the command line.

During a background refresh, a client side extension will by default only reapply the settings if it detects that a change was made on the server in any of its GPOs or its list of GPOs. This is done for performance reasons.

Not all Group Policy extensions are processed during a background refresh. Software Installation and Folder Redirection processing occurs only during computer startup or when the user logs on. This is because processing periodically could cause undesirable results. For example, for Software Installation, if an application is no longer assigned, it is removed. If a user is using the application while Group Policy tries to uninstall it or if an assigned application upgrade takes place while someone is using it, errors would occur.

Note

The Scripts extension is processed during background refresh; however, the scripts themselves are only run at startup, shutdown, logon, and logoff, as appropriate.

Periodic Refresh Processing

Group Policy is processed periodically. By default, this is done every 90 minutes with a randomized offset of up to 30 minutes. You can change these default values by using a Group Policy setting in Administrative Templates. Setting the value to zero minutes causes the refresh rate to be set to seven seconds.

Note

Setting a short refresh interval in a production environment is not recommended. This is because a policy refresh causes the Windows shell to be refreshed, which in turn causes all open shortcut menus to close, a brief flicker of the screen, and so on. In addition, it causes computers to contact domain controllers more frequently, increasing the load on the domain controllers. However, setting a shorter interval may be useful in test or demonstration scenarios.

To change the policy refresh interval setting, edit the Default Domain Controllers Group Policy object, which is linked to the Domain Controllers organizational unit. The Group Policy Refresh Interval for Computers setting is located under the Computer Configuration\Administrative Templates\System\Group Policy node.

For domain controllers, the default period is every five minutes. The Group Policy Refresh Interval for Domain Controllers setting is available under the Computer Configuration\Administrative Templates\System\Group Policy node.

On-Demand Processing

You can also trigger a background refresh of Group Policy on demand from the client. However, the application of Group Policy cannot be pushed to clients on demand from the server.

Messages and Events

When Group Policy is applied, a WM_SETTINGCHANGE message is sent, and an event is signaled. Applications that can receive window messages can use it to respond to a Group Policy change. Those applications that do not have a window to receive the message (as with most services) can wait for the event.

Refreshing Policy from the Command Line

Gpupdate refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.

Syntax

Gpupdate [/target:{computer | user}] [/force] [/wait:Value] [/logoff] [/boot]

Parameters

/target:{computer | user}

Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.

/force

Ignores all processing optimizations and reapplies all settings.

/wait:Value

Number of seconds that policy processing waits to finish. The default is 600 seconds. 0 equals no wait, and -1 equals wait indefinitely.

/logoff

Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Group Policy Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot

Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Group Policy Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/synch

Causes the next foreground policy application to be done synchronously. Foreground policy applications occur at computer boot and user logon. You can specify this for the user, computer, or both using the /Target parameter. The /Force and /Wait parameters will be ignored if specified.

/?

Displays help at the command prompt.

Special considerations apply when processing Group Policy over slow links or remote access.

Note

Note that while these issues are related, they are distinct, and the processing of Group Policy is different for each. In particular, remote access does not necessarily imply a slow link, nor does a LAN necessarily imply a fast link. A slow link is by default based on the algorithm described in the section below. Windows Server remote access is part of the integrated Routing and Remote Access Service; it connects remote or mobile users to corporate networks, allowing users to work as if their computers are physically connected to the network. Users run remote access software to connect to a remote access server, which is a computer running Windows Server and the Routing and Remote Access Service. The remote access server authenticates the user and services sessions until terminated by the user or network administrator. The remote access connection enables all services typically available to a LAN-connected client, such as file and print sharing, messaging, and Web server access.

When Group Policy detects a slow link, it sets a flag to indicate to client-side extensions that a policy setting is being applied across a slow link. Individual client-side extensions can determine whether or not to apply a policy setting over the slow link.

The default settings are as follows:

  • Security Settings—ON (and cannot be turned off).

  • Administrative Templates—ON (and cannot be turned off).

  • Software Installation—OFF.

  • Scripts—OFF.

  • Folder Redirection—OFF.

For all but the Administrative Templates snap-in and security settings snap-in, a policy is provided for switching the slow link processing settings.

You can use Group Policy to set the definition of a slow link for computers and users, and for user profiles.

For Group Policy, Windows 2000 and Windows Server 2003 use an IP ping algorithm to ping the server, rather than the file system performance measurement method that was used in Windows NT 4.0. Note: Slow link detection requires the Internet Control Message Protocol (ICMP). If ICMP cannot be used to communicate with the domain controllers, policy processing will not work, in which case you should disable slow link detection.

A slow link is, by default, based on the following algorithm (where ms = milliseconds):

  1. Ping the server with 0 bytes of data and time the number of milliseconds. This value is time#1. If it is less than 10 ms, exit (assume a fast link).

  2. Ping the server with 2 KB of uncompressible data, and time the number of milliseconds. This value is time#2. The algorithm uses a compressed .jpg file for this.

  3. DELTA = time#2 - time#1. This removes the overhead of session setup, with the result being equal to the time to move 2 KB of data.

  4. Calculate Delta three times, adding to TOTAL each DELTA value.

  5. TOTAL/3 = Average of DELTA, in milliseconds.

  6. X = 2 * (2 KB) * (1000 millisec/sec) / DELTA Average (millisec)

  7. X = (4000 KB/sec) / DELTA Average

  8. Z Kilobits per second (Kbps) = ((4000 KB/sec) / DELTA Average) * (8 bits/byte)

  9. Z Kbps = 32000 Kbps / DELTA Average

Two KB of data have moved in each direction (this is represented by the leading factor two on the left side in step six above) through each modem, Ethernet card, or other device in the loop once.

The resulting Z value is evaluated against the policy setting. A default of less than 500 Kbps is considered a slow link; otherwise it is a fast link. This value may be set through Group Policy in the Administrative Templates node.
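The slow link algorithm carried through in Python, as an added example that is not part of the original paper: it takes the 0-byte ping time (time#1) and the three 2 KB ping times (time#2), applies steps 1 to 9, and compares the resulting Z against the policy threshold. It also handles the two edge cases the text raises, the early exit when time#1 is under 10 ms and the case where ICMP gets no reply; the function names and the inverse helper are my own.

```python
SLOW_LINK_DEFAULT_KBPS = 500   # policy default: below this speed the link is slow
PAYLOAD_KB = 2                 # step 2 sends 2 KB of uncompressible data
SAMPLES = 3                    # step 4 repeats the DELTA measurement three times

def link_speed_kbps(time1_ms, time2_ms):
    """Estimate link speed in Kbps using the paper's ping algorithm.

    time1_ms: round-trip time of the 0-byte ping (time#1).
    time2_ms: the three round-trip times of the 2 KB pings (time#2).
    Returns None when step 1 exits early (time#1 < 10 ms means a fast link).
    Raises when a ping got no reply, which is what happens when ICMP is filtered.
    """
    if time1_ms is None or any(t is None for t in time2_ms):
        raise RuntimeError("no ICMP reply: slow link detection cannot work; disable it")
    if len(time2_ms) != SAMPLES:
        raise ValueError("the algorithm averages exactly three DELTA values")
    if time1_ms < 10:
        return None                                  # step 1: assume a fast link
    deltas = [t2 - time1_ms for t2 in time2_ms]      # step 3: strip session set-up overhead
    delta_avg = sum(deltas) / len(deltas)            # steps 4-5: average of the three DELTAs
    if delta_avg <= 0:
        return float("inf")                          # 2 KB moved in no measurable time
    # steps 6-9: 2 directions * 2 KB * 1000 ms/s * 8 bits/byte / DELTA  ==  32000 / DELTA Kbps
    return 2 * PAYLOAD_KB * 1000 * 8 / delta_avg

def is_slow_link(time1_ms, time2_ms, threshold_kbps=SLOW_LINK_DEFAULT_KBPS):
    """Apply the policy threshold: a speed below threshold_kbps is a slow link."""
    speed = link_speed_kbps(time1_ms, time2_ms)
    return speed is not None and speed < threshold_kbps

def max_delta_for_fast_link_ms(threshold_kbps=SLOW_LINK_DEFAULT_KBPS):
    """Largest average DELTA that still counts as fast (Z = 32000 / DELTA >= threshold)."""
    return 32000 / threshold_kbps                    # 64 ms at the 500 Kbps default

if __name__ == "__main__":
    # Constructed measurements: 20 ms empty ping, 2 KB pings of 100, 110 and 120 ms
    print(link_speed_kbps(20, [100, 110, 120]))      # about 355.6 Kbps
    print(is_slow_link(20, [100, 110, 120]))         # True
```

With the default threshold, any average DELTA above 64 ms is a slow link, which is the figure an administrator tuning the Kbps setting is really choosing.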

To specify policy settings for Group Policy slow link detection for computers, you use the Computer Configuration\Administrative Templates\System\Group Policy node. To set this policy for users, you use the User Configuration\Administrative Templates\System\Group Policy node. The connection speed is set for kilobits per second (Kbps).

For User Profiles, the Slow network connection time-out for user profiles policy is located in the Computer Configuration\Administrative Templates\System\Logon node. This policy has support for both pinging the server and checking the performance of the file system. This is because user profiles can be stored anywhere, and that server may or may not have IP support. Therefore, the user profile code first tries to ping the server. If the server does not have IP support, it falls back to measuring the file system's performance. You must specify connection speeds in both kilobits per second (Kbps) and milliseconds (ms) when setting this policy.

Application of Group Policy During a Remote Access Connection

Group Policy is applied during a remote access connection as follows:

When using the Logon using dial-up connection check box on the logon prompt, both User and Computer Group Policy are applied, provided the computer is a member of the domain that the remote access server belongs to or trusts. However, computer-based software installation settings are not processed. This is because normally computer policy would have been processed before the logon screen, but since no network connection is available until logon, the application of computer policy is done as a background refresh at the time of logon.

When the logon is done with cached credentials, and then a remote access connection is established, Group Policy is not applied during logon. For example, if users connecting through a VPN connection are logging in via cached credentials, folder redirection settings will not be processed, because folder redirection policy can only be processed at user logon, not in the background refresh.

Group Policy is not applied to computers that are members of a foreign domain or a workgroup. Although the connection may still be made, access to domain resources may be affected (because of mismatched IPSec security).

Client-side Processing of Group Policy

The client-side extensions are loaded on an as-needed basis when a client computer is processing policy. The client computer first gets a list of Group Policy objects. Next, it loops through all the client-side extensions and determines whether each client-side extension has any data in any of the GPOs. If a client-side extension has data in a GPO, the client-side extension is called with the list of Group Policy objects that it should process. If the client-side extension does not have any settings in any of the GPOs, it is not called.

Computer Policy for Client-Side Extensions

A computer policy exists for each of the Group Policy client-side extensions (located in Computer Configuration\Administrative Templates\System\Group Policy). Each policy includes a maximum of three options (check boxes). Some of the client-side extensions include only two computer policy options; in those cases, this is because the third option is not appropriate for that extension.

The computer policy options are:

  • Allow processing across a slow network connection. When a client-side extension registers itself with the operating system, it sets preferences in the registry, specifying whether it should be called when policy is being applied across a slow link. Some extensions move large amounts of data, so processing across a slow link can affect performance (for example, consider the time involved in installing a large application file across a 56 Kbps modem line). An administrator can set this policy to mandate that the client-side extension should run across a slow link, regardless of the amount of data.

  • Do not apply during periodic background processing. Computer policy is applied at boot time, and then again in the background, approximately every 90 minutes thereafter. User policy is applied at user logon, and then approximately every 90 minutes after that. The Do not apply during periodic background processing option gives the administrator the ability to override this logic and force the extension to either run or not run in the background.

    Note

    The Software Installation and Folder Redirection extensions process policy only during the initial run because it is risky to process policy in the background. For example, with Software Installation application upgrades, applications are installed during the initial run and not in the background. If it were done in the background, a user could be running an application, and then have it uninstalled and a new version installed. The application could also have a shared component that is in use by another application. This would prevent the installation from completing successfully.

  • Process even if the Group Policy Objects have not changed. By default, if the GPOs on the server have not changed, it is not necessary to continually reapply them to the client, since the client should already have all the settings. However, local administrators may be able to modify the parts of the registry where Group Policy settings are stored. In this case, it may make sense to reapply these settings during logon or during the periodic refresh cycle to get the computer back to the desired state.

    For example, assume that you have used Group Policy to define a specific set of security options for a file. Then the user (with administrative credentials) logs on and changes it. The Group Policy administrator may want to set the policy to process Group Policy even if the GPOs have not changed so that the security is reapplied at every boot. This also applies to applications. Group Policy installs an application, but the end user can remove the application or delete the icon. The Process even if the Group Policy Objects have not changed option gives the administrator the ability to restore the application at the next user logon.

Note that, by default, security settings are applied every 16 hours (960 minutes) even if a GPO has not changed. It is possible to change this default period by using the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{82...}\MaxNoGPOListChangesInterval, REG_DWORD, in number of minutes.

The following table lists the client-side extensions that include only two computer policy options, as well as the reason for this.

Client-side extension   Missing policy check box                                               Reason
Registry                Slow link (Allow processing across a slow network connection)          Registry policy is always applied because it controls the other client-side extensions.
Security Settings       Slow link (Allow processing across a slow network connection)          To ensure that security settings are in effect, they must always be applied, even across a slow link.
Folder Redirection      Background processing (Do not apply during periodic background processing)   Users' files could be in use while they are logged on.
Software Installation   Background processing (Do not apply during periodic background processing)   Users' software could be in use while they are logged on.
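The client-side extension rules described in this section and the slow link defaults given earlier, combined in one added Python model that is not part of the original paper: it decides whether the engine calls an extension on a given pass from whether the extension has data in any GPO, whether the link is slow, whether the pass is a background refresh, and whether the GPOs changed (including the 960-minute security reapply). The extension defaults come from the text; the function and field names are my own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CsePolicy:
    name: str
    slow_link_default: bool                 # called across a slow link unless policy says otherwise
    background_default: bool                # runs during the periodic background refresh
    slow_link_configurable: bool = True     # False: no "Allow processing across a slow network connection" box
    background_configurable: bool = True    # False: no "Do not apply during periodic background processing" box
    # the administrator's computer policy for this extension (None = Not configured)
    allow_slow_link: Optional[bool] = None
    no_background: Optional[bool] = None
    process_if_unchanged: bool = False
    max_no_change_minutes: Optional[int] = None   # Security Settings reapplies after this many minutes

def default_cses():
    """Extension defaults as the paper describes them, keyed by name."""
    cses = [
        CsePolicy("Registry", True, True, slow_link_configurable=False),
        CsePolicy("Security Settings", True, True, slow_link_configurable=False,
                  max_no_change_minutes=960),
        CsePolicy("Software Installation", False, False, background_configurable=False),
        CsePolicy("Scripts", False, True),
        CsePolicy("Folder Redirection", False, False, background_configurable=False),
    ]
    return {c.name: c for c in cses}

def should_call(cse, *, has_data, slow_link, background, gpos_changed,
                minutes_since_applied=0, force=False):
    """Decide whether the Group Policy engine calls this extension on the current pass."""
    if not has_data:
        return False                            # no settings in any GPO: extension is not called
    if slow_link:
        allowed = cse.slow_link_default
        if cse.slow_link_configurable and cse.allow_slow_link is not None:
            allowed = cse.allow_slow_link       # an admin may mandate processing over a slow link
        if not allowed:
            return False
    if background:
        runs = cse.background_default
        if cse.background_configurable and cse.no_background is not None:
            runs = not cse.no_background
        if not runs:
            return False                        # Software Installation and Folder Redirection
    if not gpos_changed and not force and not cse.process_if_unchanged:
        # unchanged GPOs are skipped unless the extension's own reapply timer has expired
        if cse.max_no_change_minutes is None or minutes_since_applied < cse.max_no_change_minutes:
            return False
    return True

def extensions_to_call(cses, cses_with_data, **context):
    """Names of the extensions the engine would call on this pass, in registration order."""
    return [name for name, cse in cses.items()
            if should_call(cse, has_data=(name in cses_with_data), **context)]

if __name__ == "__main__":
    cses = default_cses()
    print(extensions_to_call(cses, set(cses), slow_link=True, background=True, gpos_changed=True))
    # ['Registry', 'Security Settings']
```

The force flag stands in for gpupdate /force, which ignores the "GPOs have not changed" optimization.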

Policy Settings for Group Policy

You can use administrative templates to configure how you use Group Policy. Policy settings are located in the following areas of the Group Policy Object Editor:

  • Computer Configuration\Administrative Templates\System\Group Policy

  • User Configuration\Administrative Templates\System\Group Policy

For details on these policy settings, double-click the policy in the details pane, and then in the policy Properties dialog box, click the Explain tab.