Group Policy

Previous Topic Next Topic

Computer Policy for Client-side Extensions

A computer policy exists for each of the Group Policy client-side extensions. Each policy includes a maximum of three options. Some of the client-side extensions include only two computer policy options; in those cases, this is because the third option is not appropriate for that extension. The computer policy options are as follows:

Allow processing across a slow network connection.   When a client-side extension registers itself with the operating system, it sets values in the registry, specifying whether it should be called when policy is applied across a slow link. Some extensions move large amounts of data, so processing across a slow link can hurt performance. Installing a large application across a 28.8 Kbps modem line is impractical.

Do not apply during periodic background processing.   Computer policy is applied at startup, as well as periodically in the background, approximately every 90 minutes. User policy is applied at user logon, then every 90 minutes. Some extensions process policy only initially, not periodically, because processing that took place in the midst of a user's session would be disruptive. For example, with Software Installation, applications are installed or upgraded during the initial run and not in the background. If it were done in the background, a hapless user might be running an application even while having it uninstalled. Or the application might have a shared component that is in use by another application, preventing the installation from completing successfully. The Do Not Apply During Periodic Background Processing option gives you the ability to override this logic and force the extension to either run or not run in the background.

Process Even If The Group Policy Objects Have Not Changed.   By default, if the Group Policy objects on the server have not changed, it is not necessary to continually reapply them to the client, because the client should already have all the settings. However, users might be able to change some settings if they are administrators of their computers. In this case, it might make sense to reapply these settings when the user logs on or during the periodic refresh cycle to get the computer back to the desired status.

For example, if you have used Group Policy to define a specific set of security options for a file, and the user with administrative privileges logs on and changes it, then, you might want to set the policy to process Group Policy even if the Group Policy objects have not changed. This makes sure that security is reapplied periodically and at every startup. This also applies to applications. Group Policy installs an application, but the end user can remove the application or delete the icon. The Process Even If The Group Policy Objects Have Not Changed option gives you the ability to restore the application at the next user logon session.

Table 22.5 lists the client-side extensions that include only two computer policy options, as well as the reason for this.

Table 22.5 Client-side Extension and Policy Options

Client-side extension Missing policy checkbox Reason
Administrative Templates Slow link (Allow processing across a slow network connection) Registry policy is always applied because it controls the other client-side extensions.
Security Settings Slow link (Allow processing across a slow network connection) To ensure that security settings are in effect, they must always be applied, even across a slow link.
Folder Redirection Background processing (Do not apply during periodic background processing) User might be using the folders or their contents.
Software Installation Background processing (Do not apply during periodic background processing) It would be disconcerting to the user to have an application uninstall while it is open.

The processing of policy is also affected by issues that are not governed by specific policy settings and not apparent in the user interface. The include the following:

Messages and Events   When Group Policy is applied, a WM_SETTINGCHANGE message is sent, and an event is signaled. Applications that can receive window messages can use it to respond to a Group Policy change. Those applications that do not have a window to receive the message (as with most services) can wait for the event.

On-Demand Processing   Group Policy can also be applied on demand. To do this, applications can call the RefreshPolicy function, which allows applications to request a policy refresh. The administrator can refresh policy from the command line as follows:

  1. Click Start, and then click Run.
  2. To refresh policies under the Computer Configuration node, type the following, and then click OK: secedit /refreshpolicy MACHINE_POLICY [/enforce]
  3. To refresh policies under the User Configuration node, type the following, and then click OK: secedit /refreshpolicy USER_POLICY [/enforce]

The optional "/enforce" switch causes policy for the Security and EFS extensions to refresh whether or not there is a policy change. For other extensions it has no effect.

Time Limit for Processing of Group Policy   There is a time limit of 60 minutes for all the client-side extensions to finish processing policy. An errant client-side extension that is not finished after 60 minutes will be stopped and the associated policy settings will not be processed. There is no Group Policy setting to change the default time limit.

© 1985-2000 Microsoft Corporation. All rights reserved.