Determining When Group Policy Changes are Applied
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Changes to Group Policy settings might not be immediately available on users’ desktops because changes to the Group Policy object must first replicate to the appropriate domain controller. In addition, clients use a 90-minute refresh period (randomized by up to approximately 30 minutes) for the retrieval of Group Policy. Therefore, it is rare for a changed Group Policy setting to apply immediately. Components of a GPO are stored in both Active Directory and on the Sysvol folder of domain controllers. Replication of a GPO to other domain controllers occurs by two independent mechanisms:
Replication in Active Directory is controlled by Active Directory’s built-in replication system. By default, this typically takes less than a minute between domain controllers within the same site, if these domain controllers are part of a fresh-installed (not upgraded) forest running on Windows Server 2003–based domain controllers, or if the upgraded forest’s Functional Level is set to Windows Server 2003. However, in environments such as a partially upgraded forest that contains domain controllers running Windows 2000 and Windows Server 2003, a typical replication might take up to 15 minutes. This process can be even slower if your network is slower than a LAN.
Replication of the Sysvol folder is controlled by the File Replication service (FRS). Within sites, replication occurs every 15 minutes. If the domain controllers are in different sites, the replication process occurs at set intervals based on site topology and schedule; the lowest interval is 15 minutes. In a Windows Server 2003 LAN environment, replication typically takes less than a minute.
If it is critical to immediately apply a change to a specific group of users or computers in a specific site, you can connect to the domain controller closest to these objects, and then make the configuration change on that domain controller so those users get the updated policy first.
Policy Refresh Interval
The primary mechanisms for refreshing Group Policy are startup and logon. Group Policy is also refreshed on a regular basis. The policy refresh interval affects how quickly changes to Group Policy objects are applied. By default, clients and servers running Windows 2000, clients running Windows XP Professional, and destination servers running Windows Server 2003 check for changes to Group Policy objects every 90 minutes by using a randomized offset of up to 30 minutes. Domain controllers running Windows 2000 Server or Windows Server 2003 check for computer policy changes every five minutes. Although this polling frequency can be changed (by using one of these policy settings: Group Policy Refresh Interval for Computers,Group Policy Refresh Interval for Domain Controllers, or Group Policy refresh Interval for Users), shortening the frequency between refreshes is not recommended because of the potential increase in network traffic and the additional load placed on the domain controllers.
Triggering a Group Policy Refresh
If necessary, you can trigger a policy refresh manually from a local computer without waiting for the automatic background refresh. To do this, you can type
gpupdate at the command line to refresh the user or computer policy settings. You cannot trigger a policy refresh by using GPMC.
The gpupdate command triggers a background policy refresh on the local computer from which the command is run. The gpupdate command is used in Windows Server 2003 and Windows XP environments. In Windows 2000, use the secedit /refreshpolicy command.
For more information about the gpupdate command, see "Changing the Group Policy Refresh Interval" later in this chapter.
Some policy settings, such as folder redirection and the assignment of software applications, require the user to log off and log on again before they take effect. Software applications assigned to computers are installed only when the computer is restarted. See Help and Support Center for Windows Server 2003 for specific settings for information about when those settings take effect.