Friday, June 20, 2008

Windows Server 2008 Refreshing computer policies

Changes to policies can take some time to propagate across the domain controllers within a domain and finally reach the objects for which they're destined. Policies are refreshed on a client when the computer is turned on, a user logs on, an application requests a policy refresh, a user requests a policy refresh, or the interval between refreshes has elapsed. The last item in that list is key: there's a Group Policy setting you can enable that lets you customize the interval at which computer and domain controller policies refresh. It's best to make this change at either a domain or OU level for consistency.

To enable the policy refresh interval, follow these steps (I'll assume you're changing this on a domain-wide basis):

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.

2. Right-click on Default Domain Policy, and choose Edit.

3. The Group Policy Object Editor window appears. In the Computer Configuration tree, navigate through Policies, Administrative Templates, and System.

4. Click Group Policy.

5. In the right pane, double-click the setting Group Policy refresh interval for computers, or Group Policy refresh interval for domain controllers, whichever is applicable.

6. Select Enabled, and then enter an interval for the refresh. Be sure to make this a healthy interval; otherwise, you will degrade your network's performance with constant traffic updating policies across the domain. For smaller networks, 15 minutes should be an acceptable timeframe. Allow 30 to 45 minutes for larger networks.

7. Click OK.
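The same change can be scripted. The following is an added example, not code from the original post: it uses the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and RSAT, assumed to be available here) to write the same registry-based policy values that the "Group Policy refresh interval" settings write, and it refuses intervals short enough to cause the traffic problem described later in the post. The function name Set-GpRefreshInterval and the 15-minute floor are my choices.

```powershell
# Added example (not from the original post): set the computer or domain controller
# Group Policy refresh interval on a named GPO with the GroupPolicy module.
# Assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later) is installed.
Import-Module GroupPolicy

function Set-GpRefreshInterval {
    param(
        [Parameter(Mandatory)] [string] $GpoName,            # e.g. "Default Domain Policy"
        [ValidateRange(0, 64800)] [int] $IntervalMinutes,    # valid range for the interval: 0-64,800
        [ValidateRange(0, 1440)]  [int] $OffsetMinutes,      # valid range for the random offset: 0-1,440
        [switch] $DomainController                           # write the ...DC variants instead
    )

    # Guard against flooding DCs: 0 makes Windows retry every 7 seconds, and anything
    # under 15 minutes is more aggressive than the post recommends even for small sites.
    if ($IntervalMinutes -lt 15) {
        throw "Interval of $IntervalMinutes minutes is too aggressive for a production domain."
    }

    $key    = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $suffix = if ($DomainController) { 'DC' } else { '' }

    # These are the values the GUI setting writes: GroupPolicyRefreshTime[DC] and
    # GroupPolicyRefreshTimeOffset[DC], both REG_DWORD, in minutes.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName "GroupPolicyRefreshTime$suffix" `
        -Type DWord -Value $IntervalMinutes | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName "GroupPolicyRefreshTimeOffset$suffix" `
        -Type DWord -Value $OffsetMinutes | Out-Null

    # Read back what was written so the change is confirmed in the same run.
    Get-GPRegistryValue -Name $GpoName -Key $key |
        Where-Object { $_.ValueName -like 'GroupPolicyRefreshTime*' } |
        Select-Object ValueName, Value, Type
}

# Example: a 45-minute refresh with a 15-minute random offset, the upper end of what the
# post suggests for larger networks.
Set-GpRefreshInterval -GpoName 'Default Domain Policy' -IntervalMinutes 45 -OffsetMinutes 15
```

Run it from an account that can edit the GPO; the read-back at the end is what you would compare against the Registry values listed later in the post after a client has refreshed.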

You can also manually force a policy refresh from the command line on client computers with the gpupdate command. To refresh all parts of a policy, issue this command:

gpupdate /force

To refresh just the Computer Configuration node of the policy:

gpupdate /target:computer /force

To refresh just the User Configuration node of the policy:

gpupdate /target:user /force

To manually refresh GPOs on Windows 2000, the syntax is a little different. To refresh only the computer policy:

secedit /refreshpolicy machine_policy

To refresh only the user policy:

secedit /refreshpolicy user_policy

You can force updates of objects, even if they haven't been modified since the last update, by adding the /enforce switch at the end of the command. Then Windows will enforce all policies, regardless of whether the actual policy objects have changed. This is useful if you are having network difficulties and want to ensure that every computer has a fresh application of policy, or if you have a large contingent of mobile users that connect to the network briefly and unpredictably.
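Forcing a refresh tells you little on its own; the useful part is confirming that the refresh actually completed without errors. The following is an added example, not code from the original post: it wraps the gpupdate command shown above and then reads the Group Policy operational event log (Microsoft-Windows-GroupPolicy/Operational, present on Windows Vista/Server 2008 and later) for events written during the run. The function name Invoke-GpRefreshAndVerify is my choice; it needs an elevated prompt to refresh computer policy.

```powershell
# Added example (not from the original post): force a Group Policy refresh and then
# check the Group Policy operational log for completion and problem events.
function Invoke-GpRefreshAndVerify {
    param(
        [ValidateSet('computer', 'user')] [string] $Target = 'computer'
    )

    $start = Get-Date

    # Same command the post describes; capture its output and exit code.
    $output = & gpupdate.exe "/target:$Target" /force 2>&1
    $exit   = $LASTEXITCODE

    # Only events written since we started are relevant to this refresh.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = $start
    } -ErrorAction SilentlyContinue

    # 8000-8007 are the "completed policy processing" events in this log;
    # Level 1-3 (Critical/Error/Warning) events are the ones worth reading.
    $completed = @($events | Where-Object { $_.Id -ge 8000 -and $_.Id -le 8007 })
    $problems  = @($events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })

    [pscustomobject]@{
        Target    = $Target
        ExitCode  = $exit
        Output    = ($output | Out-String).Trim()
        Completed = $completed.Count
        Problems  = $problems | Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

$result = Invoke-GpRefreshAndVerify -Target computer
$result | Format-List

if ($result.ExitCode -ne 0 -or $result.Problems) {
    Write-Warning 'Policy refresh reported problems; review the Problems list and a gpresult /h report.'
}
```

A refresh that returns exit code 0 but logs warnings (for example, a client-side extension that could not reach a domain controller) is exactly the case the mobile-user scenario above produces, so check the Problems list rather than trusting the exit code alone.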

For either clients or domain controllers, exercise extreme caution when modifying the default refresh interval. On large networks, altering the refresh interval can cause hellish amounts of traffic to be unleashed over your network—a costly move that's unnecessary for 95% of sites with domains installed. Although clients will pull down new policies only if those policies have changed, the increased traffic results from clients just contacting a domain controller every x minutes to get new policies and updates. There's very little reason to alter this value. Here's a good rule of thumb: if you don't know of a good justification to increase the refresh interval, it isn't necessary for your site.

If you want, you can also elect to disable background policy refreshing completely. You might do this if you're having trouble tracking down an intermittent GPO problem, or if you don't want to have a GP applied during the middle of a client session because it might disrupt an application. Again, it's best to do this on a domain-wide or OU-wide basis for consistency and best performance.

To disable background processing, follow these steps:

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.

2. Right-click on Default Domain Policy, and choose Edit.

3. The Group Policy Object Editor screen appears. In the Computer Configuration tree, navigate through Policies, Administrative Templates, and System.

4. Click Group Policy.

5. In the right pane, double-click the setting "Turn off background refresh of Group Policy."

6. Select Enabled.

7. Click OK.

In some situations, you might want a policy setting to be applied, even if no setting has changed. This goes against default GPO behavior because usually, only changes trigger a policy refresh and reapplication. For example, a user might change some Internet Explorer settings within his session. You might want that change to be reversed, but Windows won't trigger a refresh because the policy itself hasn't changed. To prevent this, you can use the configuration option called "Process even if the Group Policy Object has not changed." (This is like the /enforce switch described a bit earlier.) You've probably caught on by now that it's best to do this on a domain-wide or OU-wide basis for consistency and best performance.

To do so, follow these steps:

1. Within the Group Policy Management Console, find the Default Domain Policy in the left pane.

2. Right-click on the Default Domain Policy GPO and choose Edit.

3. In the Computer Configuration tree, navigate through Policies, Administrative Templates, System, and Group Policy.

4. You'll see a list of options ending in "policy processing," such as "Scripts policy processing" and "Wireless policy processing." These GPOs exist to allow you to tweak the functionality of these types of policies. Open the appropriate policy up (which one is best for you depends on the type of policy that you're trying to trigger to change) to view its Properties.

5. Click the Enabled button.

6. Finally, check the "Process even if the Group Policy Object has not changed" checkbox.

Policy settings related to computer security follow a refresh policy that is a bit different from normal GPOs. The client computer still refreshes security policy settings even if the GPO has not been changed or modified. There are Registry settings whose values indicate the maximum acceptable time a user or client computer can wait before reapplying GPOs, regardless of whether they are changed. They are as follows:

To change the refresh interval for computers, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.

To change the offset interval for computers, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffset. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.

To change the domain controller refresh interval, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeDC. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.

To change the domain controller offset interval, set HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffsetDC. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.

To change the refresh interval for users, set HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTime. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 64,800.

To change the offset interval for users, set HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffset. The type is REG_DWORD and the valid range for data (in minutes) is 0 to 1,440.
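The values above are also the quickest way to audit what a given client has actually received. The following is an added example, not code from the original post: it reads each of the listed Registry values, checks them against the ranges stated above, and flags intervals short enough to flood domain controllers. It additionally reads DisableBkGndGroupPolicy, the value written by the "Turn off background refresh of Group Policy" setting described earlier, which the post does not list; the function name Get-GpRefreshAudit and the 15-minute threshold are my choices.

```powershell
# Added example (not from the original post): audit the Group Policy refresh settings
# a client has received, using the Registry values listed in the post.
function Get-GpRefreshAudit {
    $sys = 'Software\Policies\Microsoft\Windows\System'
    $checks = @(
        @{ Path = "HKLM:\$sys"; Name = 'GroupPolicyRefreshTime';         Max = 64800; Scope = 'Computer' }
        @{ Path = "HKLM:\$sys"; Name = 'GroupPolicyRefreshTimeOffset';   Max = 1440;  Scope = 'Computer' }
        @{ Path = "HKLM:\$sys"; Name = 'GroupPolicyRefreshTimeDC';       Max = 64800; Scope = 'DomainController' }
        @{ Path = "HKLM:\$sys"; Name = 'GroupPolicyRefreshTimeOffsetDC'; Max = 1440;  Scope = 'DomainController' }
        @{ Path = "HKCU:\$sys"; Name = 'GroupPolicyRefreshTime';         Max = 64800; Scope = 'User' }
        @{ Path = "HKCU:\$sys"; Name = 'GroupPolicyRefreshTimeOffset';   Max = 1440;  Scope = 'User' }
    )

    foreach ($c in $checks) {
        # Missing value means the setting is Not Configured and the Windows default applies.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)

        $finding = if ($null -eq $value) {
            'Not configured (Windows default applies)'
        } elseif ($value -gt $c.Max) {
            "Out of range: maximum is $($c.Max)"
        } elseif ($c.Name -notlike '*Offset*' -and $value -lt 15) {
            # 0 makes Windows retry every 7 seconds; under 15 minutes hammers the DCs.
            'Too aggressive for a production domain'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Scope   = $c.Scope
            Value   = $c.Name
            Data    = $value
            Finding = $finding
        }
    }

    # Is background refresh switched off entirely? (Value written by the
    # "Turn off background refresh of Group Policy" setting; not listed in the post.)
    $bg = (Get-ItemProperty -Path "HKLM:\$sys" -Name 'DisableBkGndGroupPolicy' -ErrorAction SilentlyContinue).DisableBkGndGroupPolicy
    [pscustomobject]@{
        Scope   = 'Computer'
        Value   = 'DisableBkGndGroupPolicy'
        Data    = $bg
        Finding = if ($bg -eq 1) {
            'Background refresh disabled; policy applies only at boot/logon or via gpupdate'
        } else {
            'Background refresh enabled'
        }
    }
}

Get-GpRefreshAudit | Format-Table -AutoSize
```

Running this on a sample of clients after a change to the interval is a cheap way to confirm the GPO reached them, and a "Too aggressive" finding on a client nobody remembers configuring is worth tracing back to the GPO that set it.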
