Controlling Client-Side Extensions by Using Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Some of the Group Policy components include client-side extensions (typically implemented as .dll files) that are responsible for processing and applying Group Policy settings at the destination computers.

For each client-side extension, the GPO processing order is obtained from a list of GPOs, which is determined by the Group Policy engine during processing. Each client-side extension processes the resulting list of GPOs. For details about the processing of Group Policy, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).

A computer policy exists to control the behavior of each of the Group Policy client-side extensions. Each policy includes up to three options, and some include more specific configuration options. You can set computer policies for client-side extensions by opening the Computer Configuration/Administrative Templates/System/Group Policy item of the Group Policy Object Editor.

You can set the following computer policy options:

  • Allow processing across a slow network connection. Some extensions move large amounts of data, so processing across a slow link can decrease performance. By default, only the administrative templates and security settings are processed over a slow link. You can set this policy to mandate that other client-side extensions are also processed across a slow link. To control what is considered a slow link, use the Group Policy slow link detection setting. See "Specifying Group Policy for Slow Link Detection" earlier in this chapter.

  • Do not apply during periodic background processing. Computer policy is applied at boot time and again every 90 minutes. User policy is applied when the user logs on to the computer and in the background approximately every 90 minutes after that. The Do not apply during periodic background processing option gives you the ability to override this behavior and prevent Group Policy from running in the background.

    Note

    • The Software Installation and Folder Redirection extensions process Group Policy only at startup and when the user logs on to the network because of the risks in processing these policies in the background, when users might have applications and files open.

  • Process even if the Group Policy objects have not changed. If the GPOs on the server do not change, it is not usually necessary to continually reapply them to the destination computer except to override possible local changes. Because local administrators might be able to modify the parts of the registry where Group Policy settings are stored, you might want to reapply these settings as needed during the logon process or during periodic background processing to return the computer to the desired state.

    For example, assume that Group Policy defines a specific set of security options for a file. Then a user who has administrative credentials logs on and changes those security options. The Group Policy administrator might want to set the policy option to process Group Policy even if the GPOs have not changed so that the security options specified in Group Policy are reapplied the next time policy is refreshed. The same considerations apply to applications: with this option set, if Group Policy installs an application, but the user removes the application or deletes its icon, the application is re-advertised the next time the user logs on to the computer.

By default, Security Policy settings delivered by Group Policy are applied every 16 hours (960 minutes) even if a GPO has not changed. It is possible to change this default period by using the registry entry MaxNoGPOListChangesInterval in the following subkey:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{82...}

The data type of this entry is REG_DWORD and the value is the number of minutes.

Caution

  • Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Windows Server 2003 Resource Kit Registry Reference on the Microsoft® Windows® Server 2003 Deployment Kit companion CD or at https://www.microsoft.com/reskit.
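
The following PowerShell script is an added example, not part of the original Microsoft text. It reads, and does not modify, the settings of each registered client-side extension for the three options above and for MaxNoGPOListChangesInterval. It assumes that extensions register under the Winlogon\GPExtensions subkey with the value names NoSlowLink, NoBackgroundPolicy and NoGPOListChanges, and that values set through policy are stored under HKLM\Software\Policies\Microsoft\Windows\Group Policy\{GUID}; the function names are hypothetical.

```powershell
# Added example (read-only): list how each registered client-side extension (CSE)
# is set for the options described above. Registry locations and value names are
# assumptions stated in the lead-in; function names are hypothetical.
$regRoot = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$polRoot = 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the named value does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    return $null
}

function Get-CseSetting {
    param([string]$Guid, [string]$Name)
    # Assumption: a value delivered by policy takes precedence over the value
    # the extension registered for itself.
    $value = Get-RegValue -Path (Join-Path $polRoot $Guid) -Name $Name
    if ($null -eq $value) {
        $value = Get-RegValue -Path (Join-Path $regRoot $Guid) -Name $Name
    }
    return $value
}

$report = foreach ($key in Get-ChildItem -Path $regRoot) {
    $guid = $key.PSChildName
    New-Object PSObject -Property @{
        Name                        = Get-RegValue -Path $key.PSPath -Name '(default)'
        Guid                        = $guid
        NoSlowLink                  = Get-CseSetting $guid 'NoSlowLink'
        NoBackgroundPolicy          = Get-CseSetting $guid 'NoBackgroundPolicy'
        NoGPOListChanges            = Get-CseSetting $guid 'NoGPOListChanges'
        MaxNoGPOListChangesInterval = Get-CseSetting $guid 'MaxNoGPOListChangesInterval'
    }
}

$columns = 'Name', 'Guid', 'NoSlowLink', 'NoBackgroundPolicy', 'NoGPOListChanges',
           'MaxNoGPOListChangesInterval'
$report | Select-Object $columns | Format-Table -AutoSize

# Extensions that skip unchanged GPOs do not undo local changes to their settings
# until a GPO changes or, where set, MaxNoGPOListChangesInterval minutes pass.
$report | Where-Object { $_.NoGPOListChanges -eq 1 } |
    Select-Object Name, Guid, MaxNoGPOListChangesInterval
```

A blank column means the value is not set in either location, so the extension's built-in default applies.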