Fine-tune Group Policy

In "Controlling Group Policy, Part 1," November 2000, I explained how Windows 2000 uses Group Policy Objects (GPOs) and the sequence in which Win2K applies them. But you can't truly control Group Policy until you understand the processing options that let you fine-tune your policies. Because you can link a GPO to sites, domains, or organizational units (OUs), you can control how Win2K applies Group Policy at several levels. You can use GPO-level processing options to control how Win2K applies a GPO regardless of the sites, domains, or OUs to which the GPO is linked. You can use link-level processing options to control how Win2K applies a GPO within a particular site, domain, or OU to which the GPO is linked. Other settings let you tailor how Win2K applies Group Policy at the computer or user level.

GPO-Level Processing Options
As I explained in "Controlling Group Policy, Part 1," a GPO has settings that affect a Win2K computer's configuration and a user's profile. The GPO stores computer settings in a Computer Configuration subfolder and stores user settings in a User Configuration subfolder. If you create a GPO that contains only computer settings, you can disable the GPO's User Configuration portion to reduce users' logon time. Likewise, if you define only user settings, you can disable the GPO's Computer Configuration portion to reduce system boot-up time. To disable either portion of a GPO, go to Administrative Tools, Active Directory Users and Computers. Right-click the domain or OU to which the GPO is linked, click Properties, and select the Group Policy tab. Select the appropriate GPO, and click Properties. Go to the General tab, which Figure 1 shows, and select either the Disable Computer Configuration settings check box or the Disable User Configuration settings check box. These settings are both GPO-level settings.

When you disable a GPO's Computer Configuration or User Configuration portion, Win2K disables that portion in every site, domain, or OU to which the GPO is linked. Therefore, before you make this type of GPO-level change, you need to determine how the change will affect those sites, domains, and OUs. To see a complete list of these linked elements, open the GPO's Properties dialog box and go to the Links tab, which Figure 2 shows. Select a domain from the Domain drop-down list and click Find Now. Win2K will search the specified domain and display each site and OU to which the GPO links. (The domain link will also show up on the list if the GPO is linked at the domain level.) Because you can link a GPO to multiple domains, you need to search all the domains that appear in the drop-down list.
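The Links tab review and the GPO-level switch described above, done from a prompt. This is an added example, not code from the original article: it uses the GroupPolicy PowerShell module (RSAT or Windows Server 2008 R2 and later, which Win2K never had) and assumes a hypothetical GPO named 'Marketing Lockdown' in the current domain. The GPO's XML report carries the same site, domain, and OU links the Links tab shows, so you can list every scope the change will reach before you disable the User Configuration portion.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module and a hypothetical GPO named 'Marketing Lockdown' in the current domain.
Import-Module GroupPolicy

function Get-GpoLinkSummary {
    param([Parameter(Mandatory)][string]$GpoName)

    # The XML report lists every site, domain and OU the GPO is linked to,
    # across the forest, which the Links tab only shows one domain at a time.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{
            Scope      = $link.SOMName
            Path       = $link.SOMPath
            Enabled    = [bool]::Parse($link.Enabled)
            NoOverride = [bool]::Parse($link.NoOverride)   # called 'Enforced' in GPMC
        }
    }
}

function Disable-GpoUserSettings {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName
    # GPO-level change: it takes effect in every scope Get-GpoLinkSummary listed.
    # Assigning GpoStatus writes the new status to AD immediately.
    $gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
    # Re-read the GPO to confirm what was stored.
    (Get-GPO -Name $GpoName).GpoStatus
}

# Review the links first, then flip the GPO-level switch.
Get-GpoLinkSummary -GpoName 'Marketing Lockdown' | Format-Table -AutoSize
Disable-GpoUserSettings -GpoName 'Marketing Lockdown'
```

The other GpoStatus values are AllSettingsEnabled, ComputerSettingsDisabled, and AllSettingsDisabled; AllSettingsDisabled is the module's equivalent of checking both boxes on the General tab.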

One way to fine-tune a GPO's application is through the GPO's ACL, which defines both who has permission to maintain the GPO and which computers and users Win2K applies the GPO to. To access the ACL, open the GPO's Properties dialog box and go to the Security tab, which Figure 3 shows. When a Win2K computer that is a member of a Win2K domain boots up, the computer logs on to Active Directory (AD) and uses its computer account in AD to look through its site, domain, and OUs and determine which GPOs it needs to apply. For each GPO, Win2K checks whether the computer account holds both the Read and the Apply Group Policy permission. If it doesn't, Win2K ignores the GPO for that computer. User accounts also require both Read and Apply Group Policy access; Win2K goes through the same determination process each time a user logs on and whenever Win2K reapplies Group Policy.

As Figure 3 shows, Authenticated Users (i.e., all computer and user accounts) have both permissions by default. When you want to disable a GPO's application to specific computers or users in an OU, you can open the GPO's ACL and add an access-control entry (ACE) that denies Apply Group Policy access for the groups or accounts that you want to exempt. A Deny ACE wins over the Allow that Authenticated Users carries, so deny only Apply Group Policy, not Read: an account that can't read a GPO also can't view or edit it, which matters when the exempted group contains administrators. Remember, too, that the check runs against computer accounts as well as user accounts, so a computer you place in an exempted group skips the GPO's Computer Configuration settings. To view a GPO, you need Read access; to edit a GPO, you need Write access.
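The Deny ACE described above, written from a prompt and then verified. This is an added example, not code from the original article: it assumes the GroupPolicy and ActiveDirectory modules, a hypothetical GPO 'Marketing Lockdown', and a hypothetical group 'GPO-Exempt-Marketing' whose members should skip the GPO. The GPMC cmdlet Set-GPPermission only grants Allow levels, so the deny is added through ADSI against the GPO container, which is where the Apply Group Policy right lives; the SYSVOL folder has no such right and needs no change.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy and
# ActiveDirectory modules, a hypothetical GPO 'Marketing Lockdown' and a
# hypothetical group 'GPO-Exempt-Marketing' whose members should be skipped.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Schema GUID of the 'Apply Group Policy' extended right.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo = Get-GPO -Name $GpoName
    $sid = (Get-ADGroup -Identity $GroupName).SID

    # Get-GPO exposes the GPO container's distinguished name in .Path. Bind to
    # it and add a Deny ACE for Apply Group Policy only: Read stays allowed, so
    # exempted administrators can still open and edit the GPO.
    $entry = [ADSI]"LDAP://$($gpo.Path)"
    $rule  = New-Object System.DirectoryServices.ExtendedRightAccessRule(
        $sid,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Get-GpoApplyFilter {
    param([Parameter(Mandatory)][string]$GpoName)
    # Same information the Security tab shows: who holds Apply Group Policy
    # and whether the entry is a Deny.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

Deny-GpoApply -GpoName 'Marketing Lockdown' -GroupName 'GPO-Exempt-Marketing'
Get-GpoApplyFilter -GpoName 'Marketing Lockdown'
```

After the change, the second command should list Authenticated Users with Denied = False and GPO-Exempt-Marketing with Denied = True; members of that group (computers included) then skip the GPO at the next refresh.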

Link-Level Processing Options
An important difference exists between a GPO-level processing option and a GPO-link-level processing option. Whereas GPO-level processing options apply to all sites, domains, or OUs to which the GPO is linked, link-level processing options apply to only the immediate site, domain, or OU to which the GPO is linked. (A difference also exists between deleting a GPO and deleting a link to the GPO. When you select a GPO from the Group Policy tab and click Delete, Win2K asks whether you want to delete the entire GPO or only the link. When you delete the GPO, it disappears from every site, domain, or OU to which it is linked. When you delete the link, the other sites, domains, or OUs to which the GPO is linked remain unaffected.) You can choose among three link-level processing options.

Block Policy inheritance. Administrators use this option to isolate domains or OUs from GPOs linked to a site, to the domain, or to a higher-level OU. When you select the Block Policy inheritance check box on the Group Policy tab, you effectively erect a gate above that domain or OU that stops GPOs from trickling down. When you block policy inheritance at the domain level, Win2K won't apply any site-linked GPOs. When you block policy inheritance at the OU level, Win2K won't apply site-, domain-, or higher-OU-linked GPOs for computers or users in that OU (unless a higher link carries No Override, which I discuss next). However, remember that Win2K always applies the computer's local GPO regardless of the Block Policy inheritance setting.

No Override. Administrators typically enable this setting at the domain level to enforce corporate password and account policies. The No Override setting overrides all lower-level Block Policy inheritance settings. For example, when you enable No Override for a site-level GPO link, Win2K applies that GPO to all computers and users in the site, regardless of the domain's or OU's Block Policy inheritance setting. When you enable No Override for a domain- or OU-level GPO link, Win2K applies that GPO to all computers and users below that level, regardless of any lower OUs' Block Policy inheritance settings. Two details matter in practice. First, No Override is a property of the link, not of the GPO, so linking the same GPO somewhere else doesn't carry the setting along. Second, when two No Override links conflict, the higher-level link wins, which is the reverse of the normal order in which the link closest to the computer or user wins; that reversal is what lets a domain-level password policy beat an OU administrator's settings. To enable or disable the No Override setting, select the appropriate GPO from the Group Policy tab and click Options. Select the No Override check box, which Figure 4 shows.

Disabled. Disabling a GPO link is useful when you need to temporarily eliminate the GPO's effect on configuration (e.g., while debugging policy or temporarily suspending a restriction). When you disable a GPO link to a site, domain, or OU, Win2K won't apply the GPO to that site, domain, or OU. By disabling rather than deleting the link, you can more easily reinstate the GPO. To change the Disabled setting for a GPO link, select the appropriate GPO from the Group Policy tab and click Options. Select the Disabled check box, which Figure 4 shows.
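All three link-level options, set from a prompt and then checked with the resulting precedence order. This is an added example, not code from the original article: it assumes the GroupPolicy module, a hypothetical domain corp.example with a hypothetical OU Marketing, and hypothetical GPOs 'Corporate Password Policy' (linked at the domain) and 'Marketing Lockdown' (linked to the OU). GPMC calls No Override "Enforced", which is the name the cmdlets use.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module, a hypothetical domain corp.example, a hypothetical OU 'Marketing',
# and hypothetical GPOs 'Corporate Password Policy' and 'Marketing Lockdown'.
Import-Module GroupPolicy

$DomainDn = 'DC=corp,DC=example'
$Ou       = "OU=Marketing,$DomainDn"

# Link-level option 1: Block Policy inheritance on the OU.
Set-GPInheritance -Target $Ou -IsBlocked Yes | Out-Null

# Link-level option 2: No Override ('Enforced') on the domain link, so the
# password policy still reaches the blocked OU.
Set-GPLink -Name 'Corporate Password Policy' -Target $DomainDn -Enforced Yes | Out-Null

# Link-level option 3: disable (rather than delete) the OU's own link while
# debugging; the GPO and its other links are untouched.
Set-GPLink -Name 'Marketing Lockdown' -Target $Ou -LinkEnabled No | Out-Null

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is already in precedence order (first entry wins) and
    # reflects Block Policy inheritance here and No Override on parent links.
    [pscustomobject]@{
        Target           = $inh.Path
        InheritanceBlock = $inh.GpoInheritanceBlocked
        EffectiveOrder   = @($inh.InheritedGpoLinks | ForEach-Object {
            '{0} (enforced={1}, enabled={2})' -f $_.DisplayName, $_.Enforced, $_.Enabled
        })
    }
}

Get-EffectiveGpoOrder -Target $Ou | Format-List
```

With the OU blocked, the effective order should show only the enforced domain link plus the OU's own links, and 'Marketing Lockdown' with enabled=False; reversing the three calls (IsBlocked No, Enforced No, LinkEnabled Yes) restores the original state.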

System- and User-Level Processing Options
Another set of processing options exists as settings within each GPO; you define these settings at the system or user level. As I explained in "Controlling Group Policy, Part 1," each GPO contains a Computer Configuration subfolder and a User Configuration subfolder; accordingly, each GPO has a Group Policy folder under \computer configuration\administrative templates\system and another under \user configuration\administrative templates\system, as Figure 5 shows. These folders contain settings that control how Win2K applies Group Policy on every computer and for every user to which the GPO applies.

Changing the Computer Configuration settings for one GPO can affect a system's application of all GPOs. For example, suppose you go to the Marketing OU, create a new GPO, and select the Disable background refresh of Group Policy system-level setting. The next time a computer in that OU boots up or refreshes, the system will encounter the new GPO and change the setting in the local system configuration. After making the change, the system will disable background refresh of every GPO, not only of the GPO for which you enabled the setting.

Disable background refresh of Group Policy. Win2K periodically reapplies Group Policy after the initial system boot-up or user logon. The Disable background refresh of Group Policy setting disables this reapplication while a user is logged on to the system. The setting applies to policies under both the Computer Configuration and User Configuration portions of a GPO.

Group Policy refresh interval for computers. This setting controls how often Win2K refreshes Group Policy on Win2K Professional workstations and Win2K member servers (not on domain controllers, which have a separate Group Policy refresh interval for domain controllers setting that defaults to 5 minutes). You use this setting to specify two values: the number of minutes between refreshes and a maximum offset that Win2K uses to keep every computer from rereading Group Policy from the domain controller at the same moment. After each refresh, Win2K picks a random value between zero and the offset and adds it to the interval to schedule the next refresh. By default, Win2K refreshes every 90 minutes with a maximum offset of 30 minutes, so a given computer refreshes somewhere between 90 and 120 minutes after its last refresh. The setting applies to policies under the Computer Configuration portion of a GPO.

Group Policy refresh interval for users. Similar to the Group Policy refresh interval for computers setting, Group Policy refresh interval for users controls how frequently Win2K refreshes User Configuration. The setting applies to policies under the User Configuration portion of a GPO.

Apply Group Policy for computers asynchronously during startup. By default, a Win2K system won't present the logon prompt until Win2K finishes applying Group Policy. When you enable the Apply Group Policy for computers asynchronously during startup setting, Win2K lets users log on before Group Policy application is complete. The system displays the message Applying computer settings until application is complete. Although enabling this setting doesn't usually cause problems, some policies might not take effect until the next time Win2K applies or reapplies Group Policy. This setting applies to policies under the Computer Configuration portion of a GPO.

Apply Group Policy for users asynchronously during logon. By default, after a user enters a username and password, Win2K doesn't display the user's desktop until it finishes applying Group Policy's User Configuration settings. When you enable the Apply Group Policy for users asynchronously during logon setting, users can access the Start menu and desktop before the application is complete. Some policies might not take effect until the next logon or until Win2K refreshes Group Policy. This setting applies to policies under the User Configuration portion of a GPO.

Unless users complain about excessive startup or logon times, I recommend you leave both asynchronous-application settings disabled so that you can maintain predictable Group Policy application.

User Group Policy loopback processing mode. When Win2K applies the User Configuration portion of Group Policy, Win2K determines the applicable GPOs based on the user's domain and OUs and applies settings from the User Configuration portion of those GPOs. In other words, Win2K applies User Configuration settings based on the user account's location in AD (i.e., who the user is), not based on the computer account's location (i.e., which computer the user is logging on to). However, you might decide to make an exception to this rule. For example, perhaps you have public-use kiosks for which you want to define specific User Configuration settings regardless of who logs on. In such a situation, you create an OU to contain the kiosks, create a GPO linked to that OU, and enable the GPO's User Group Policy loopback processing mode setting. Because loopback is a Computer Configuration setting, it takes effect only on computers the GPO applies to; define the User Configuration settings you want on the kiosks in that same GPO or in other GPOs linked to the kiosk OU, and keep Authenticated Users' Read and Apply Group Policy permission on those GPOs, because the logging-on user must still pass the permission check for their User Configuration portion to apply. When you enable this setting, you must select one of two option modes. Replace mode tells Win2K to ignore the user's User Configuration settings (i.e., the User Configuration settings based on the user account's location in AD) and instead apply the system's User Configuration settings (i.e., the User Configuration settings based on the system's location in AD). Merge mode tells Win2K to first apply the user's User Configuration settings, then apply the system's User Configuration settings. Whenever a conflict occurs, the system's settings take precedence.

Group Policy slow link detection. This setting lets you specify the threshold (in Kbps) below which Win2K treats the link to the domain controller as slow. The default threshold is 500Kbps; a value of 0 turns slow link detection off, so Win2K treats every connection as fast. Win2K uses this threshold, together with the per-category options I describe next, to determine which parts of Group Policy to defer over a slow link.

Deferring Group Policy Application
Win2K divides Group Policy into nine processing categories: Registry, Internet Explorer (IE) Maintenance, Software Installation, Folder Redirection, Scripts, Security, IP Security (IPSec), Encrypting File System (EFS) recovery, and Disk Quota. Each category has a corresponding Group Policy option (e.g., Registry policy processing) that resides in \computer configuration\administrative templates\system\group policy, as Figure 5 shows.

You can defer a category's Group Policy application to prevent slowdowns on the workstation while Win2K applies Group Policy. You can also defer application to prevent sudden changes on a user's desktop when you implement Desktop or Start Menu & Taskbar restrictions (e.g., disable the Screen Saver tab in Control Panel, Display; remove the Map Network Drive option in Windows Explorer) while the user is logged on. (These restrictions reside in \user configuration\administrative templates.) To control a category, right-click the corresponding option under \computer configuration\administrative templates\system\group policy and select Properties. Select Enabled, then select one or more of the following check boxes.

Allow processing across a slow network connection. Select this option to permit processing while the computer is connected to the domain controller over a slow link (as defined by the Group Policy slow link detection setting). To defer processing over slow links, clear the check box. Not every category offers this choice; Table 1 shows which do.

Do not apply during periodic background processing. Select this option to defer processing during background refreshes while a user is logged on. This option defers refreshes in specific categories, whereas Disable background refresh of Group Policy defers refreshes in all categories.

Process even if the Group Policy objects have not changed. This option lets you control whether Win2K applies a category even though none of the GPOs has changed. For example, you can use this option to tell Win2K to regularly reapply a category in case users have undone restrictions that you implemented through Group Policy. To defer application, clear the check box. (The Security category is a special case: even with the check box cleared, Win2K reapplies security policy roughly every 16 hours whether or not the GPOs changed.)

Table 1 lists each category and its corresponding Group Policy option, shows the location of the policies for which the category controls application, and identifies which of the three processing situations you can defer each category in.
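A way to see what a given machine is actually doing with the client-side settings in the last two sections (refresh interval and offset, background refresh, loopback mode, slow-link threshold, and the three per-category deferral check boxes): read back the registry values the settings are written to. This is an added example, not code from the original article. It assumes a domain member that still honors these locations (Win2K itself had no PowerShell), local administrator rights, and the key and value names as I know them from the system.adm template; confirm them against your own template before relying on the output. Each client-side extension registers under Winlogon\GPExtensions by GUID with default flags, and the policy check boxes write NoSlowLink, NoBackgroundPolicy, and NoGPOListChanges under the same GUID beneath the Group Policy policies key, which wins when present.

```powershell
# Added example (not from the original article). Key and value names are
# assumptions taken from the system.adm template; confirm against your own.
$EngineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SystemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$CseRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$CseList   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-GpEngineSettings {
    # Refresh interval plus random offset, background refresh switch, loopback
    # mode and slow-link threshold, falling back to the documented defaults.
    $interval = Get-RegValueOrDefault $EngineKey 'GroupPolicyRefreshTime' 90
    $offset   = Get-RegValueOrDefault $EngineKey 'GroupPolicyRefreshTimeOffset' 30
    $loopback = Get-RegValueOrDefault $SystemKey 'UserPolicyMode' 0   # 1 = Merge, 2 = Replace
    [pscustomobject]@{
        RefreshMinutes       = $interval
        MaxOffsetMinutes     = $offset
        NextRefreshWindow    = '{0}-{1} min after the last refresh' -f $interval, ($interval + $offset)
        BackgroundRefreshOff = [bool](Get-RegValueOrDefault $EngineKey 'DisableBkGndGroupPolicy' 0)
        LoopbackMode         = @('Not configured', 'Merge', 'Replace')[$loopback]
        SlowLinkKbps         = Get-RegValueOrDefault $SystemKey 'GroupPolicyMinTransferRate' 500
    }
}

function Get-CseFlag {
    # A value under the policies key overrides the extension's registered default.
    param([string]$PolicyKey, [string]$RegistrationKey, [string]$Name)
    $registered = Get-RegValueOrDefault $RegistrationKey $Name 0
    [bool](Get-RegValueOrDefault $PolicyKey $Name $registered)
}

function Get-CseDeferralSettings {
    Get-ChildItem -Path $CseList | ForEach-Object {
        $guid      = $_.PSChildName
        $regKey    = $_.PSPath
        $policyKey = Join-Path $CseRoot $guid
        [pscustomobject]@{
            Extension        = (Get-ItemProperty -Path $regKey).'(default)'
            Guid             = $guid
            SkipOnSlowLink   = Get-CseFlag $policyKey $regKey 'NoSlowLink'
            SkipInBackground = Get-CseFlag $policyKey $regKey 'NoBackgroundPolicy'
            SkipIfUnchanged  = Get-CseFlag $policyKey $regKey 'NoGPOListChanges'
        }
    }
}

Get-GpEngineSettings | Format-List
Get-CseDeferralSettings | Sort-Object Extension | Format-Table -AutoSize
```

The three SkipOn/SkipIn/SkipIf columns are the inverse of the check boxes: SkipOnSlowLink is True when "Allow processing across a slow network connection" is cleared, SkipInBackground is True when "Do not apply during periodic background processing" is selected, and SkipIfUnchanged is True when "Process even if the Group Policy objects have not changed" is cleared. A row that shows only the registered defaults tells you no GPO has touched that category's processing option.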

One-Stop Shopping
Group Policy provides one-stop shopping for computer and user profile configuration. To keep a handle on Group Policy complications, you need to minimize your use of settings such as No Override and Block Policy inheritance and customize GPO ACLs only when absolutely necessary. To keep Group Policy simple, use options that are visible on the GPO Properties, Group Policy tab. To control who receives which policies, use OUs, rather than GPO permission restrictions; resort to restrictions only for troublesome exceptions that would otherwise require you to completely redesign your OU hierarchy.