grouppolicy - Client Side Processing

Client Side Extension (CSE) processing order is calculated by the operating system, which initiates each CSE. During each policy refresh interval, the operating system determines which CSEs should be launched based on several criteria, including the following:

It should be clear from the list above that determining why a CSE is not being launched by Windows is often a complex troubleshooting task.

Processing Order

The CSEs that are to be launched are launched in the order listed in the following registry key (sorted alphabetically by their ID). This is the documented location where each extension must register in order to process its policy and/or planning mode data. This ordering is the same for user and for computer policy, although these two modes operate independently. Given that these two types of configuration operate independently, it is possible and not uncommon for user and computer processing to occur simultaneously.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Processing is always Sequential

CSEs always process policy in order and one after the other, i.e. sequentially, for user or computer configuration respectively. As a result policy can be "chained" in order to leverage the results of one in another. For example, a PolicyMaker Drive Maps policy may set a drive map to the end-user�s home directory. This drive map can be referenced in Microsoft�s Folder Redirection policy. Later the PolicyMaker Folders policy can create nested folders within the drive, PolicyMaker Files policy can copy a file to the new folder, and PolicyMaker Mail Profiles policy can configure a Personal Folders service to point to that file. Extensions are generally ordered to optimize the potential for policy chaining.

Policy chaining implies that if a specific policy fails subsequent policies that rely on the failed setting may also fail or result in unpredictable behavior. In order to account for this possibility, policy filters may be used to detect the proper conditions for applying chained policies. Note that this situation may exist for unchained policies as well. The native extensions do not provide per-setting filtering, making the handling of such situations more complicated, as filtering must be applied at the GPO level. In many cases the failure and associated results reporting of chained (or unchained) policy is sufficient error handling, although the net result is still that the policies are not applied.

Foreground, Background and Asynchronous Processing

This is possibly the most misunderstood aspect of Group Policy processing. Asynchronous processing does not mean that CSEs are processed out of order or processed concurrently, that GPOs are processed out of order, or that "cached" GPOs are applied. These are never the case (with the exception that user and computer policy may process simultaneously, as noted above). Processing is always ordered and sequential. Asynchronous processing is simply a reference to the asynchronous foreground mode of policy processing. Policy is processed in two basic modes, foreground and background. However, foreground mode is split into synchronous foreground and asynchronous foreground. The mode in which the computer processes policy in the foreground is subject to several factors, but the change in processing is relatively simple.

Asynchronous processing is nothing more than background refresh that starts during the logon or startup process. The essential difference with asynchronous processing is that it does not hold up the logon or startup process, thereby giving the end-user the impression that the process is faster. However, there are important things to consider when allowing Group Policy to process in the foreground asynchronously.

Tip

From the above four situations, it should be clear that it might be best to avoid asynchronous foreground processing altogether. See "Configuring Synchronous Processing".

What's in a Name?

The name asynchronous is meant to indicate that the logon process executes concurrently with Group Policy processing, not that the Group Policy extensions process concurrently with each other. Interestingly the name foreground is a reference to the fact that during such processing the startup/logon splash window is presented and the Group Policy extensions have the opportunity to write status messages to this window. The window is in the "foreground". Some people have taken the fact that there is also a shutdown/logoff window, and that fact that there are shutdown/logoff scripts, to mean that foreground also a reference to shutdown/logoff. Although these windows may actually state that Windows is processing policy, this is in fact not Group Policy processing. No Group Policy processing occurs at shutdown or logoff (what would be the point?). Logoff and shutdown scripts are executed at this time, however such scripts are not Group Policy. Microsoft's Scripts policy only configures the registry to run scripts, but does not run them itself. This also explains why this extension runs in background refresh but scripts do not.

Forced into Foreground

A CSE that registers a requirement for foreground processing forces the computer/user into synchronous foreground processing, on the next foreground event. On other words if any one CSE is to be launched, but requires foreground processing, Winlogon will not launch that CSE, and will set the value ForceRefreshFG=1 into that CSE's section of the registry. If during the next startup/logon event, Winlogon sees this value for any CSE, it will initiate policy processing synchronously and thereby be able to launch the extension(s) that require it. This automatic mode switching leads to the generally undesirable effect of some CSEs applying policy only after a second logon or startup, or even at every other logon or startup.

Configuring Synchronous Processing

Windows 2000 and Windows 2003 Server computers process foreground policy synchronously by default. Windows XP processes foreground policy asynchronously by default. In order to enable synchronous processing (at startup/logon) on Windows XP, you must ensure that the following policy is enabled (and disabled/not configured on Windows 2000/2003):

Computer Configuration\Administrative Templates\System\Logon\
"Always wait for the network at computer startup and logon"

This setting ensures that policy completes before the startup/logon is completed. The change to the default setting on Windows XP was designed to speed up startup and logon processing. However, when performing configurations that must take effect before the end-user has access to his/her desktop, synchronous processing must be enabled.

Ordering of GPOs

When a CSE process its policy, it always process all GPOs that have settings applied. Winlogon gives each CSE a list of GPOs that have policy settings that may apply to the user or computer, depending on the context (i.e. the changed list). A list of GPOs that formerly had, but no longer have, policy settings is also provided (i.e. the deleted list). Technically, it's up to each CSE to decide exactly what to do with these lists. However, standard processing rules dictate that if the CSE is to execute any policy, it must execute all of its policy from each GPO in the order provided to it by Winlogon. This preserves GPO enforcement and other processing issues related to precedence. If only changed GPOs were ever processed independently, then merely changing one GPO would allow a low-level administrator to override higher precedence policy.

Policy Caching

Group Policy objects (GPO) neither download nor cache to network computers. A GPO is a combination of all of the settings in the Group Policy Template (GPT) and the Group Policy Container (GPC). The GPT is file system storage in SYSVOL, and the GPC is Active Directory data. The GPC information is read by Winlogon as it launches CSEs, and the GPT information is read by each individual CSE as necessary. However, given that often one CSE will run, and others will not - even though all may have settings in particular GPO - it should be obvious that downloading the entire GPO to workstations would cause a serious and unnecessary performance hit.

Since GPOs are never downloaded, they cannot be cached. This confusion around this subject is based on several issues. First, the fact that there are aspects of GPO processing that create cached data. For example Winlogon records a historical list of all GPOs that have been processed for all users, including all extensions that processed policy. This list contains no information about individual policy settings. Therefore it could be said that the GPC is cached, however the implications are substantially different than GPO caching.

Some individual extensions also record historical data. This information is used to perform policy removal. Microsoft's Folder Redirection is an example. Without this information it would not be possible to remove settings that were previously applied, since the removal often corresponds to an event such as the deletion of the entire GPO by an administrator, and revertible actions taken by CSEs will vary by each computer and/or user. Other extensions may independently cache data for other reasons.

Offline Behavior

When a computer disconnects from the network, and the domain is no longer accessible, policy is no longer processed. GPOs are stored in domains and without access to those domains, policy cannot be processed. If the user logs on with cached domain credentials, it's the same as if they had merely unplugged the computer from the network while on the domain - policy does not process. However, if the user switches to a local account, the computer/user account will then be subject to Local GPO processing. When on the domain, Local GPO processes first (at the lowest priority). When on a local computer account, Local GPO is the only GPO to process. If the computer is then accessible to a different domain, policy from that new domain is now processed - again following the processing of the same Local GPO.

Comments:

Like wise man said : Save a little money each month and at the end of the year you'll be surprised at how little you have. (Ernest Haskins.)

I'm currently having an issue where some machines who have "Always wait for the network..." enabled, won't process the Software Installation CSE as the software doesn't install (even though their duplex is set correctly). When I visit the machine and login as an admin, run gpupdate, reboot and wait for the "Installing Managed Software...", it doesn't come up. So I immediately hit CTRL + ALT + DEL and restart the system. Then when the foreground processing begins the "Installing Managed Software..." pops up and the software is installed.

Is this behavior due to the ForceRefreshFG=1 not being set during the gpupdate and thus the second reboot is required? If so, could I just set the ForceRefreshFG to 1 and then reboot? Or, since I'm rolling out software to our entire building and would rather not visit each machine that has issues, is there a better way to get around this issue? Or are there other resources I should be reading to better troubleshoot this issue?

Thank you.
- Eric

Regarding, "Group Policy objects (GPO) neither download nor cache to network computers"

While its true that caching of policy does not happen in the strictest sense, I've been playing around recently with this is and its remarkable how many of the native CSEs do "cache" data on the local workstation. For example, Security policy caches template files in c:\windows\security\templates\policies, IE Maintenance caches its files in %userprofile%\application data\Microsoft\IE\Custom Settings and Admin Templates merges all applied registry policy into an ntuser.pol file that is cached per-computer or per-user in the All Users profile or user profile.

So, while this cached data is not used for "offline" GP processing, it does linger on the machine and can sometimes be used to help troubleshoot policy processing issues.

Hi,

In my company, we have win 2000 domain conroller with exchange server. I created one OU and added a new group policy over this. I made changes all the settings we need such as disabling security page from internet options. But, the policy does'nt take any effect on client side. I would really appreciate if you could help me.

Thank You

Sajid.

I apologise for using comments to try to contact a contributer/editor, however there seems to be no way to post questions to specific people regarding any content they have added (is this something that can be changed?).

evoskuil, I am interested in your comments regarding policy chaining and error based filtering but have been unable to find any further information. I would appreciate if you could point me to some public domain info or perhaps answer some questions if you have time.

spiotrowski at (google's answer to hotmail) dot com