This section discusses the use of policy settings to specify the behavior of Group Policy.
Specifying Policy Settings for Group Policy
Administrators can specify policy settings that affect how Group Policy is applied and updated.
The following table lists the policy settings for Group Policy under the Computer Configuration\Administrative Templates\System\Group Policy nodes.
| Policy | Description |
|---|---|
| Disable background refresh of Group Policy | Used to prevent Group Policy settings from being updated while the computer is in use. Applies to Group Policy for computers, users, and domain controllers. |
| Apply Group Policy for computers asynchronously during startup | Used to allow the system to display the logon prompt before it completes updates for computer Group Policy. |
| Apply Group Policy for users asynchronously during logon | Used to allow the system to display the Windows desktop before it completes updates for user Group Policy. |
| Group Policy refresh interval for computers | Used to specify how often Group Policy for computers is updated in the background while the computer is in use. Specifies a background update rate only for Group Policy settings under the Computer Configuration node. Computer Group Policy is updated in the background every 90 minutes by default, with a random offset of 0 to 30 minutes. Besides background updates, computer Group Policy is always updated when the system starts. Administrators can stipulate an update rate from zero to 64,800 minutes (45 days). When zero minutes is specified, the computer tries to update Group Policy every seven seconds. Such updates may interfere with users' work and increase network traffic; therefore, very short update intervals are not appropriate in most cases. |
| Group Policy refresh interval for domain controllers | Specifies how often Group Policy is updated, in the background, on domain controllers while they are running. The update rates that this policy specifies happen in addition to the updates processed when the system starts. By default, Group Policy on the domain controllers is updated every five minutes. Administrators can specify an update rate from zero to 64,800 minutes (45 days). When zero minutes is specified, the domain controller tries to update Group Policy every seven seconds. Such updates may interfere with users' work and increase network traffic; therefore, very short update intervals are not appropriate in most cases. |
| User Group Policy loopback processing mode | Applies the set of Group Policy objects defined for the computer to any users who log on to a computer affected by this policy. This policy is intended for use on computers in public environments, such as classrooms and libraries, where it is appropriate to define user Group Policy based on the computer being used. When this policy is enabled, Group Policy is applied to users logging on to this computer according to the Group Policy objects defined for the computer. Two options for the processing of this policy are available: merge mode and replace mode. See Group Policy Loopback Support for more information. |
| Group Policy slow link detection | Used to define a slow link for the purpose of Group Policy processing and updates. The system considers a connection to be slow if data that is transferred from the domain controller providing a Group Policy update to the computers in this group travels at a slower rate than that specified by this policy. See Group Policy and Network Connections (Slow Links) for more information. |
| Registry policy processing | Used to specify when Group Policy registry settings are applied. Affects all policies under the Administrative Templates node as well as policies that store values in the registry. Two options are available: Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| Internet Explorer Maintenance policy processing | Used to specify when Internet Explorer Maintenance policy settings are processed. Affects all policy settings that use the Internet Explorer Maintenance extension of Group Policy, such as those under the User Configuration\Windows Settings\Internet Explorer Maintenance node, and overrides any customized settings set by the program implementing Internet Explorer Maintenance policy when it was installed. Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| Software Installation policy processing | Used to specify when Software Installation policy settings are processed. Affects all policy settings that use the Software Installation extension of Group Policy. Two options are available: Allow processing across a slow network connection, and Process even if the Group Policy objects have not changed. |
| Folder Redirection policy processing | Used to specify when Folder Redirection policy settings are processed. Affects all policies that use the Folder Redirection extension of Group Policy, such as those in the User Configuration\Windows Settings\Folder Redirection node. Two options are available: Allow processing across a slow network connection, and Process even if the Group Policy objects have not changed. |
| Scripts policy processing | Used to specify when scripts policy settings are processed. Affects all policy settings that use the scripts extensions of Group Policy (for Startup/Shutdown, and Logon/Logoff). Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| Security policy processing | Used to specify when security settings policies are updated. Two options are available: Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| IP Security policy processing | Used to specify when IP Security policies are updated. Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| EFS recovery policy processing | Used to specify when encryption policy settings are updated. Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
| Disk Quota policy processing | Used to specify when disk quota policies are updated. Affects all policies under the Computer Configuration\Administrative Templates\System\File System\Disk Quotas node. It also overrides any settings set by the program implementing the disk quota policy when it was installed. Three options are available: Allow processing across a slow network connection, Do not apply during periodic background processing, and Process even if the Group Policy objects have not changed. |
For more information on these policy settings, double-click the policy in the details pane, and then in the policy Properties dialog box, click the Explain tab.
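The loopback row above names merge mode and replace mode without spelling out what each does to the list of GPOs a user receives. The following model, added here as an example and not Microsoft's code, makes the difference concrete: it takes the GPOs linked to the user's containers and the GPOs linked to the computer's containers (both in processing order, so a later GPO overrides an earlier one) and returns the user settings that actually apply under normal, merge and replace processing. The GPO names, setting names and values are constructed for illustration.

```python
"""Model of User Group Policy loopback processing (added example, not Microsoft's code).

Rules modelled:
  normal:  user settings come from the GPOs linked to the user's own containers.
  merge:   the user's GPO list is applied first, then the user settings of the
           GPOs linked to the computer; the computer list is processed last, so
           it wins on any conflicting setting.
  replace: only the user settings of the computer's GPO list apply.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    # Registry-style user settings carried by this GPO: setting name -> value.
    user_settings: dict = field(default_factory=dict)


def effective_user_settings(user_gpos, computer_gpos, mode="normal"):
    """Return (names of GPOs applied in order, merged user settings).

    Both lists are in Group Policy processing order (site, domain, OU ...),
    so later entries overwrite earlier ones, matching "last writer wins".
    """
    if mode == "normal":
        order = list(user_gpos)
    elif mode == "merge":
        order = list(user_gpos) + list(computer_gpos)
    elif mode == "replace":
        order = list(computer_gpos)
    else:
        raise ValueError(f"unknown loopback mode: {mode!r}")

    settings = {}
    for gpo in order:
        settings.update(gpo.user_settings)
    return [g.name for g in order], settings


# Constructed sample: a staff member logs on to a library kiosk.  The kiosk's
# own GPO locks the desktop down harder than the staff OU does.
USER_GPOS = [
    GPO("Domain Default Users", {"ScreenSaverTimeout": 900, "RunLogonScript": True}),
    GPO("Staff OU", {"ScreenSaverTimeout": 600, "AllowRegistryTools": True}),
]
KIOSK_GPOS = [
    GPO("Kiosk Lockdown", {"ScreenSaverTimeout": 120, "AllowRegistryTools": False}),
]

if __name__ == "__main__":
    for mode in ("normal", "merge", "replace"):
        names, settings = effective_user_settings(USER_GPOS, KIOSK_GPOS, mode)
        print(f"{mode:8s} {names} -> {settings}")
```

Run as a script it prints the three outcomes side by side. The point to take away for a shared-computer deployment is that merge mode keeps settings the user's own GPOs carry but the computer's GPOs have no opinion on (here `RunLogonScript`), while replace mode drops them entirely; pick the mode according to whether the kiosk lockdown is meant to supplement or to override the user's normal policy.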
The following table lists the policy settings for Group Policy for users. These are accessed under the User Configuration\Administrative Templates\System\Group Policy nodes.
| Policy | Description |
|---|---|
| Group Policy refresh interval for users | Used to specify how often Group Policy for users is updated in the background while the computer is in use. Affects the background update rate only for the Group Policy settings in the User Configuration node. Besides background updates, Group Policy for users is always updated when they log on. By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. Administrators can specify an update rate from 0 to 64,800 minutes (45 days). When 0 minutes is selected, the computer tries to update user Group Policy every 7 seconds. Such updates may interfere with users' work and increase network traffic; therefore, very short update intervals are not appropriate in most cases. |
| Group Policy slow link detection | Used to define a slow link for the purpose of Group Policy processing and updates. The system considers a connection to be slow if data that is transferred from the domain controller providing a Group Policy update to the computers in this group travels at a slower rate than that specified by this policy. See Group Policy and Network Connections (Slow Links) for more information. |
| Group Policy domain controller selection | Used to specify which domain controller to use for Group Policy. Three options are available: Use the Primary Domain Controller, Inherit from the Active Directory Snap-ins, and Use any available domain controller. See Specifying a Domain Controller for Setting Group Policy for more information. |
| Create new Group Policy Object links disabled by default | Used to specify that Group Policy object links be created in a Disabled state. This allows administrators to configure and test such links before setting them to Enabled. |
| Enforce Show Policies Only | Used to prevent Group Policy preferences from being viewed. By default, only those policy settings defined in the loaded .Adm files that exist in the approved Group Policy trees are displayed; these settings are referred to as true policies. This means that the Group Policy snap-in does not display any items described in the .Adm file that set registry keys outside of the Group Policy trees; such items are referred to as Group Policy preferences. For more information, see Distinguishing True Policies from Group Policy Preferences, and Viewing Group Policy Preferences. |
| Disable automatic update of ADM files | Used to prevent the system from updating the Administrative Templates source files automatically when the Group Policy snap-in is opened. When the Group Policy snap-in is started, the system loads the most recently updated copies of the Administrative Templates source files (.adm) that it finds in the Systemroot\inf directory. The .adm files create the list of policies that are displayed under the Administrative Templates node of the Group Policy snap-in. When this policy is enabled, the system loads the .adm files used the last time you ran Group Policy. Thereafter, the .adm files must be updated manually. |
For more information on these policy settings, double-click the policy in the details pane, and then in the policy Properties dialog box, click the Explain tab.
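The refresh-interval rows in both tables describe the same mechanism with a few edge cases that matter when you are reasoning about how long a changed policy can take to reach a client: a default of 90 minutes plus a random 0 to 30 minute offset for computers and users, 5 minutes for domain controllers, a configurable range of 0 to 64,800 minutes, a 0-minute setting that actually means a 7-second poll, and "Disable background refresh" which leaves only the startup/logon refresh. The function below, added here as an example and not Microsoft's code, turns a proposed configuration into the shortest and longest gap between background refreshes and flags the two settings a reviewer would question. The page states no random offset for domain controllers, so 0 is assumed; the function and argument names are this example's own.

```python
"""Effective background refresh window for Group Policy (added example, not Microsoft's code).

Figures are the documented ones: computers and users refresh every 90 minutes
by default with a random 0-30 minute offset, domain controllers every 5
minutes, the configurable range is 0-64,800 minutes (45 days), and a value of
0 minutes means "try every 7 seconds".
"""

MAX_INTERVAL_MINUTES = 64_800      # 45 days, the documented upper bound
ZERO_INTERVAL_SECONDS = 7          # what a 0-minute setting really does

# target -> (default interval in minutes, default random offset in minutes)
DEFAULTS = {
    "computer": (90, 30),
    "user": (90, 30),
    "domain_controller": (5, 0),   # offset for DCs is assumed; the page states none
}


def refresh_window_seconds(target, interval_minutes=None, offset_minutes=None,
                           background_refresh_disabled=False):
    """Return (shortest, longest) seconds between background refreshes.

    Returns None when "Disable background refresh of Group Policy" is in
    effect: policy is then re-read only at startup (computers) or logon (users).
    Raises ValueError for an interval outside the documented 0..64,800 range.
    """
    if target not in DEFAULTS:
        raise ValueError(f"unknown target {target!r}; expected one of {sorted(DEFAULTS)}")
    if background_refresh_disabled:
        return None

    default_interval, default_offset = DEFAULTS[target]
    interval = default_interval if interval_minutes is None else interval_minutes
    offset = default_offset if offset_minutes is None else offset_minutes

    if not 0 <= interval <= MAX_INTERVAL_MINUTES:
        raise ValueError(f"interval must be 0..{MAX_INTERVAL_MINUTES} minutes, got {interval}")
    if offset < 0:
        raise ValueError(f"offset cannot be negative, got {offset}")

    if interval == 0:
        # Documented special case: zero does not mean "never"; the client polls
        # every seven seconds, which loads the network and interrupts users.
        return (ZERO_INTERVAL_SECONDS, ZERO_INTERVAL_SECONDS)
    return (interval * 60, (interval + offset) * 60)


def review_refresh_settings(target, **policy):
    """Return review findings (strings) for a proposed refresh configuration."""
    findings = []
    window = refresh_window_seconds(target, **policy)
    if window is None:
        findings.append("background refresh disabled: a changed policy waits for restart or logon")
    elif window[0] == ZERO_INTERVAL_SECONDS:
        findings.append("interval 0 means a 7-second poll; not appropriate in most cases")
    return findings


if __name__ == "__main__":
    for target in DEFAULTS:
        print(target, refresh_window_seconds(target))
    print(review_refresh_settings("computer", interval_minutes=0))
```

The longest value of the window is the figure to quote when someone asks how stale a client's policy can be without a reboot: with defaults, up to two hours for computers and users, five minutes for domain controllers.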
Group Policy and Active Directory Sites
Group Policy objects that are linked to site containers affect all computers in a forest of domains. Site information is replicated and available between all the domain controllers within a domain and all the domains in a forest. Therefore, any Group Policy object that is linked to a site container is applied to all computers in that site, regardless of the domain (in the forest) to which they belong. This has the following implications:
It allows multiple domains (within a forest) to get the same Group Policy object (and included policies), although the Group Policy object only lives on a single domain and must be read from that domain when the affected clients read their site policy.
If child domains are set up across wide area network (WAN) boundaries, the site setup should reflect this. If it does not, the computers in a child domain could be accessing a site Group Policy object across a WAN link.
To manage site GPOs, you need to be either Enterprise Administrator or domain administrator of the forest root domain.
You may want to consider using site-wide GPOs for specifying policy for proxy settings and network-related settings.
Setting up Group Policy on a Site
To define policy settings for a site you must start the Active Directory Site and Services Manager snap-in first.
To start the Active Directory Site and Services Manager tool
From the Start menu, click Programs.
Click Administrative Tools, and then click on Active Directory Site and Services Manager.
Next, add the site(s) you want to use.
To add new sites, use the Active Directory Site and Services Manager
Right-click Sites in the tree in the left pane of the console, and click New.
Click Site, and type in a name for the new site (for example, type NewYork), as shown in the following figure.
If presented with a Default Site Link, you may want to associate this site to a Site Link at this time.
Figure 9. Creating a new site
You can now move computers from other sites into this site (under the NTDS Settings container).
Following the creation of site(s), you need to create the subnet(s) that are in a site. A site can span multiple subnets, but a subnet cannot span multiple sites.
To create a subnet
Right-click on Subnet.
Click New Subnet.
In the Name text box, type the network address of the subnet (that is, the base address of the subnet in dotted notation) and the number of bits to be masked, counting from the left to the right.
For example, type 164.110.30.0/24, which would translate to 164.110.30.0 with a mask of 255.255.255.0.
Click on the site that you want to associate with that subnet in the box below the Name text box.
Click OK.
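The subnet step is where a client's site membership, and therefore which site-linked GPOs it receives, is decided: each subnet object is a network address plus a prefix length, linked to exactly one site, while a site may own several subnets. The following lookup, added here as an example and not Microsoft's code, converts the page's `164.110.30.0/24` notation into the dotted mask the text describes, refuses a subnet whose host bits are set or that is already linked to another site, and resolves a client address to its site. When subnets overlap it prefers the most specific (longest prefix) match; the site and subnet table is constructed for illustration, with `164.110.30.0/24` taken from the page's own example.

```python
"""Site lookup by subnet, modelled on Active Directory Sites and Services
(added example, not Microsoft's code)."""
import ipaddress


def prefix_to_mask(prefix_text):
    """'164.110.30.0/24' -> ('164.110.30.0', '255.255.255.0')."""
    net = ipaddress.ip_network(prefix_text, strict=True)
    return str(net.network_address), str(net.netmask)


class SiteTable:
    """Maps subnet objects to the single site each one is linked to."""

    def __init__(self):
        self._subnets = {}   # ipaddress network -> site name

    def add_subnet(self, prefix_text, site):
        # strict=True rejects e.g. 164.110.30.5/24: the name must be the
        # base address of the subnet, as the console requires.
        net = ipaddress.ip_network(prefix_text, strict=True)
        owner = self._subnets.get(net)
        if owner is not None and owner != site:
            raise ValueError(f"{net} is already linked to site {owner}; "
                             "a subnet cannot span multiple sites")
        self._subnets[net] = site

    def site_for(self, ip_text):
        """Return the site of the most specific subnet containing ip_text, or None."""
        ip = ipaddress.ip_address(ip_text)
        best_net, best_site = None, None
        for net, site in self._subnets.items():
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_site = net, site
        return best_site


# Constructed sample table: one site spanning two subnets, plus a second site.
SITES = SiteTable()
SITES.add_subnet("164.110.30.0/24", "NewYork")
SITES.add_subnet("164.110.31.0/24", "NewYork")    # a site may span several subnets
SITES.add_subnet("10.20.0.0/16", "Chicago")
SITES.add_subnet("10.20.99.0/24", "ChicagoLab")   # more specific subnet inside Chicago

if __name__ == "__main__":
    print(prefix_to_mask("164.110.30.0/24"))
    for client in ("164.110.30.77", "10.20.5.1", "10.20.99.8", "192.168.1.1"):
        print(client, "->", SITES.site_for(client))
```

A client whose address matches no subnet object gets `None` here; in a real forest that is the case to hunt for when a machine is not receiving a site-linked GPO, because the computer is then not associated with the site you expect.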
After you have defined the site(s) and linked them to subnet(s), you can apply policy to the site by right-clicking the site name, choosing the Properties page, and then selecting the Group Policy tab. The rest of the GPO creation is exactly the same as for a domain or an OU.
The following are some issues surrounding Active Directory sites that may impact Group Policy.
If you create the site(s) prior to DC promotion, your DCs are automatically placed in the correct sites.
If you create the site(s) after DC promotion, you must manually move the DC to the correct site. Do this by drilling down into the site to the server container. Inside the server container is a list of DCs thought to be in that site. To move a server to a different site, right-click the server, and choose Move. Then click the site to which you want to move the server.
Replication between DCs in different sites occurs less frequently than replication between DCs in the same site, and during scheduled periods only. The replication schedule and frequency are properties of the site links that connect sites. The default inter-site replication frequency is three hours. To change it, go to the appropriate site link, into the IP link, and change the replication frequency or schedule as desired. This will have a major impact for policy, as explained next.
For example, assume that you leave replication set to three hours or change it to an even longer period. You then create a new OU in a domain spanning several sites. If the domain controller that the OU was created on is in a different site than the DC that holds the PDC emulator role, then you may have to wait three hours or longer for that new OU to replicate to the PDC. The OU must replicate to the PDC before you can associate a policy with that OU.
If you want to create an OU and associate policy with that OU right away, you can work around inter-site replication latency by creating the OU on the PDC, or on a domain controller in the same site as the PDC.
You can also do this by specifically having Group Policy point to the same DC as the one the Active Directory snap-in tool is using. For information, see the Specifying a Domain Controller for Group Policy Editing by Using Preferences section. Remember that these preferences can be controlled by using a policy setting so you may not be able to do this, or you may only be able to read the policy settings. This means that if the administrator has previously set a policy to specify which DC to use, the DC Options menu item is unavailable since a policy is in place that overrides any setting that the user chooses. See the Specifying a Domain Controller by Using Policy section for more information.
An important issue to keep in mind if you are changing the default option for DC selection is that if two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency. So care should be taken to ensure this does not happen.
Storage of a GPO Linked to a Site
By default, creating a new GPO for a site stores that GPO in the Forest Root domain.
To create a new GPO in a domain
Select Add (not New) from the Group Policy tab of the site that you want to use.
Select the All tab.
Select the appropriate domain in the Look in drop-down list.
Either right-click and select New, or click the New GPO toolbar button.
Give the new GPO a friendly name.
Select OK.
The GPO will be linked to the current site.
You can also select a GPO specifically created in another domain.
To select a GPO that already exists in another domain
From the Group Policy tab of the appropriate site, select Add.
Select the appropriate domain in the Look in drop-down list.
Select the GPO you want to use.
Click OK.
The GPO will be linked to the current site.
If the GPO does not yet exist, you can create one in the appropriate domain.