
Applying GPOs


This page describes issues related to the actual application of policy settings to client machines. For a detailed description of the factors associated with the application of policy, please refer to the Client Side Processing page.

When does Group Policy actually apply?

  • Startup. Computer policies are applied at startup, shortly after the computer is turned on.
  • Logon. User policies are applied at or shortly after logon.
  • Refresh. The Group Policy engine refreshes policies on member machines at a randomized interval of between 90 and 120 minutes. User and computer policies each have their own random interval. On domain controllers the computer policy refresh occurs every 5 minutes. These intervals can all be configured.

What happens when Group Policy applies?

  • Calling Extensions. Once the Group Policy engine decides a refresh is needed, it queries each GPO to identify which CSEs should be called. Each CSE is then called with a list of relevant GPOs.
  • Affected Components. In the context of the refresh itself, components can be passive or active. When passive, they are unaware that new policy has been applied but will detect this the next time the logic associated with the policy settings is invoked. A more common (and preferred) approach is the "active" component, which responds to Group Policy notifications to detect the refresh and, as appropriate, takes action at that point.

Further factors that affect how policy is applied include precedence, loopback, enforce/block inheritance, slow links and WMI filters.

Network Protocol Requirements

To successfully apply Group Policy, a client needs to be able to contact a domain controller over several protocols: SMB, RPC and LDAP. If any of these protocols is unavailable or blocked between the client and the domain controller, policy will not refresh. Note that in the case of a cross-domain logon (machine in one domain, user account in another) these protocols may be necessary between the client and TWO domain controllers (one from the machine's domain and another from the user's domain).
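
A reachability check for the protocols listed above, as an added example that is not part of the original page. It assumes the default TCP ports (LDAP 389, SMB 445, RPC endpoint mapper 135) and uses placeholder domain controller names; pass two names to cover the cross-domain logon case.

```powershell
# Added example: checks TCP reachability of the protocols Group Policy needs.
# Port numbers are the standard defaults; the DC names are placeholders.
param(
    [string[]]$DomainController = @('dc01.machines.example', 'dc01.users.example'),
    [int]$TimeoutMs = 3000
)

$required = [ordered]@{
    'LDAP'                = 389
    'SMB'                 = 445
    'RPC endpoint mapper' = 135
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout; a refused connection throws
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per (domain controller, protocol) pair
$results = foreach ($dc in $DomainController) {
    foreach ($proto in $required.GetEnumerator()) {
        [pscustomobject]@{
            DomainController = $dc
            Protocol         = $proto.Key
            Port             = $proto.Value
            Reachable        = Test-TcpPort -HostName $dc -Port $proto.Value -TimeoutMs $TimeoutMs
        }
    }
}

$results | Format-Table -AutoSize

# Policy will not refresh if any required protocol is blocked to any DC
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required path(s) blocked; policy will not refresh." -f $blocked.Count)
    exit 1
}
```

A successful connection to TCP 135 only shows that the RPC endpoint mapper is reachable; RPC then moves to a dynamically assigned port, which a firewall between the client and the domain controller may still block.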


Comments:

From Rex [217.10.20.129] - 10/26/05 2:38 AM

I'd like to see some explanation of the role of "precedence", that is to say, the order in which GPOs are shown in GPMC. For example, should domain default policy come first or last?


Last Modified 12/5/05 8:51 PM
