Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
Using Group Policy to Affect Group Policy
At times, you might want to change the behavior of Group Policy. Amazingly, you actually use Group Policy settings to change the behavior of Group Policy! Several Group Policy settings appear under both the User and Computer nodes; however, you must set the policy settings in each section independently.
Affecting the User Settings of Group Policy
The Group Policy settings that affect the User node appear under User Configuration → Administrative Templates → System → Group Policy. Remember that user accounts must be subject to the site, domain, or OU where these GPOs are linked in order to be affected. Most of these policy settings are valid for Windows 2000 and Windows XP machines and Windows 2003 servers, although some are explicitly designed for, and will operate only on, Windows XP Professional and Windows 2003 servers.
Here's a list of the policy settings that affect the user side of Group Policy:
Group Policy Refresh Interval for Users
This setting changes the default User node background refresh rate of 90 minutes with a 0-30 minute positive randomizer to almost any number of refresh and randomizer minutes you choose. Choose a smaller number for the background refresh to make Group Policy changes take effect faster on your machines, or choose a larger number to quell the traffic that a Group Policy refresh generates across your network. There is a similar refresh interval for computers, which runs on a separate clock with its own settings. A setting of 0 is equal to 7 seconds. Set to 0 only in the test lab.
Group Policy Slow Link Detection
You can change the default definition of fast connectivity from 500Kbps to any speed you like. Recall that certain aspects of Group Policy are not applied to machines that are determined to be coming in over slow links. This setting specifies what constitutes a slow link for the User node. An identically named policy setting under the Computer node (explored later in this chapter) also needs to be set to define what is slow for the Computer node. Preferably, set these to the same number.
Group Policy Domain Controller Selection
GPOs are written to the PDC emulator by default. When users (generally Domain Administrators or OU administrators) are affected by this setting, they are allowed to create new GPOs on Domain Controllers other than the PDC emulator. (See Chapter 4 for more information on this setting and how and why to use it.)
Create New Group Policy Object Links Disabled by Default
When users (generally Domain Administrators or OU administrators) are affected by this setting, the GPOs they create will be disabled by default. This ensures that users and computers are not hitting their refresh intervals and downloading half-finished GPOs that you are in the process of creating. Enable the GPOs when finished, and they will download during their next background refresh cycle.
Default Name for Group Policy Objects
If a user has been assigned the rights to create GPOs via membership in the Group Policy Creator Owners group and has also been assigned the rights to link GPOs to OUs within Active Directory, the default name created for GPOs is "New Group Policy Object." You might want all GPOs created at the domain level to have one name, perhaps "AppliesToDomain-GPO", and all GPOs created at the Human Resources OU level (and all child levels) to have another name, maybe "AppliestoHR-GPO." Again, in order for this policy to work, the user's account with the rights to create GPOs must be affected by the policy.
Note: This policy setting is only valid when applied to Windows XP workstations and Windows 2003 servers.
Enforce Show Policies Only
When users (generally Domain Administrators or OU Administrators) are affected by this setting, the "Only show policy settings that can be fully managed" setting (explored in Chapter 4) is forced to be enabled. This prevents the importation of old-style NT 4 ADM templates, which have the unfortunate side effect of "tattooing" the Registry until they are explicitly removed. (See Chapter 4 for more information on using NT 4-style ADM templates with Windows 2003.)
Turn Off Automatic Update of ADM Files
ADM template files are updated by service packs. The default behavior is to check the launching point, that is, the \windows\INF folder, to see if the ADM template has yet been updated. This check for an update occurs, by default, every time you double-click the Administrative Templates section of any GPO as if you were going to modify it. However, if you enable this setting, you're saying to ignore the normal update process and simply keep on using the ADM template you initially used. In other words, you're telling the system you'd prefer to keep the initial ADM template regardless of whether a newer one is available. (See Chapter 5 for critical information on updating ADM templates when service packs are available for Windows XP or Windows 2003.)
Disallow Interactive Users from Generating Resultant Set of Policy Data
Users affected by this setting cannot use the "Group Policy Modeling" or "Group Policy Results" tasks in the GPMC. Enabling this setting locks down a possible entry point into the system. That is, it prevents unauthorized users from determining the current security settings on the box and developing attack strategies.
Note: This policy setting is valid only when applied to Windows XP workstations and Windows 2003 servers.
Affecting the Computer Settings of Group Policy
The Group Policy settings that affect the Computer node appear under Computer Configuration → Administrative Templates → System → Group Policy. Once computers are affected by these policy settings, they change the processing behavior of Group Policy. Remember that the computer accounts must be subject to the site, domain, or OU where these GPOs are linked in order to be affected.
Turn Off Background Refresh of Group Policy
When this setting is enabled, the affected computer downloads the latest GPOs for both the user and the computer, according to the background refresh interval, but it doesn't apply them. The GPOs are applied when the user logs off but before the next user logs on. This is helpful in situations in which you want to guarantee that a user's experience stays the same throughout the session.
Group Policy Refresh Interval for Computers
This setting changes the default Computer node background refresh rate of 90 minutes with a 30-minute randomizer to almost any number of refresh and randomizer minutes you choose. Choose a smaller number for the background refresh to speed up Group Policy on your machines, or choose a larger number to quell the traffic a Group Policy refresh takes across your network. The User node has its own refresh interval, on a completely separate and unrelated timing rate and randomizer. A setting of 0 equals 7 seconds. Set to 0 only in the test lab.
Group Policy Refresh Interval for Domain Controllers
Recall that Domain Controllers are updated regarding Group Policy changes within 5 minutes. You can close or widen that gap as you see fit. The closer the gap, the more network chatter. Widen the gap, and the security settings will be inconsistent until the interval is hit. A setting of 0 equals 7 seconds. Set to 0 only in the test lab.
User Group Policy Loopback Processing Mode
We'll explore this setting with an example in the next section.
Allow Cross-Forest User Policy and Roaming User Profiles
This policy is valid only in cross-forest trust scenarios. I'll describe how these work and how this policy works later in this chapter.
Note: This policy setting is valid only when applied to Windows XP workstations and Windows 2003 servers.
Group Policy Slow Link Detection
You can change the default definition of fast connectivity from 500Kbps to any speed you like. Recall that certain aspects of Group Policy are not applied to those machines that are deemed to be coming in over slow links. Independently, an identically named policy setting under the User node (explored earlier) also needs to be set to define what is slow for the User node. Preferably, set these to the same number.
Turn Off Resultant Set of Policy Logging
As you'll see in Chapter 4, users on Windows XP machines can launch the Resultant Set of Policy (RSoP) snap-in. Enabling this policy doesn't prevent its launch but, for all intents and purposes, disables its use. This policy disables the use for the currently logged-on user (known as the interactive user) as well as anyone trying to get the results using the remote features of the RSoP snap-in.
Note: This policy setting is valid only when applied to Windows XP workstations and Windows 2003 servers.
Remove Users' Ability to Invoke Machine Policy Refresh
By default, mere-mortal users can perform their own background refreshes using GPUpdate, as described in the "Initiating a Manual Background Refresh for Windows XP and Windows 2003" section. However, you might not want users to perform their own GPUpdate. I can think of only one reason to disable this setting: to prevent users from sucking up bandwidth on Domain Controllers by continually running GPUpdate. Other than that, I can't imagine why you would want to prevent them from being able to get the latest GPO settings if they were so inclined. Perhaps one user is performing a denial of service (DoS) attack on your Domain Controllers by continually requesting Group Policy, but even that's a stretch.
Even if this policy is enabled, local administrators can still force a GPUpdate. But, again, GPUpdate only works when run locally on the machine needing the update.
Note: This policy setting is valid only when applied to Windows XP workstations and Windows 2003 servers.
Disallow Interactive Users from Generating Resultant Set of Policy Data
This policy is similar to the "Turn off Resultant Set of Policy logging" setting, but affects only the user on the console. Enabling this setting might be useful if you don't want the interactive user to have the ability to generate RSoP data, but still allow administrators to get the RSoP remotely. Again, RSoP and its related functions are explored in Chapter 4.
Note: This policy setting is valid only when applied to Windows XP workstations and Windows 2003 servers.
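To verify on a given machine which of the settings above have actually landed, here is an added PowerShell audit script (not code from the book). The registry value names and defaults it relies on are taken from system.adm and are assumptions to check against your own build:

```powershell
# Added audit script (not from the book): reads the registry values behind the
# settings described above and reports the refresh cadence, slow-link threshold
# and RSoP restrictions actually in force on this machine and for this user.
# Assumed value names, taken from system.adm (verify on your own build):
#   GroupPolicyRefreshTime/-Offset, GroupPolicyRefreshTimeDC/-OffsetDC,
#   GroupPolicyMinTransferRate, DisableBkGndGroupPolicy, RSoPLogging,
#   DenyRsopToInteractiveUser, DenyUsersFromMachGP.
function Get-GroupPolicyBehaviorAudit {
    param(
        [string]$MachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System',
        [string]$UserKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
    )
    function Read-PolicyValue([string]$Key, [string]$Name) {
        # $null means "Not Configured": the client falls back to its built-in default.
        if (-not (Test-Path $Key)) { return $null }
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    function Format-Refresh($Minutes, $Offset, [int]$DefaultMin, [int]$DefaultOff) {
        # Chapter defaults: 90 min plus a 0-30 min randomizer (5 min on DCs).
        # A configured 0 means "every 7 seconds", which belongs only in a lab.
        if ($null -eq $Minutes) { $Minutes = $DefaultMin }
        if ($null -eq $Offset)  { $Offset  = $DefaultOff }
        if ([int]$Minutes -eq 0) { return 'every 7 seconds (lab-only value)' }
        'every {0}-{1} minutes' -f [int]$Minutes, ([int]$Minutes + [int]$Offset)
    }
    function Format-SlowLink($Kbps) {
        # Default threshold is 500 Kbps; a configured 0 treats every link as fast.
        if ($null -eq $Kbps) { return '500 Kbps (default)' }
        if ([int]$Kbps -eq 0) { return 'detection off: all links treated as fast' }
        '{0} Kbps' -f [int]$Kbps
    }
    $r = [ordered]@{
        ComputerRefresh  = Format-Refresh (Read-PolicyValue $MachineKey 'GroupPolicyRefreshTime') `
                                          (Read-PolicyValue $MachineKey 'GroupPolicyRefreshTimeOffset') 90 30
        UserRefresh      = Format-Refresh (Read-PolicyValue $UserKey 'GroupPolicyRefreshTime') `
                                          (Read-PolicyValue $UserKey 'GroupPolicyRefreshTimeOffset') 90 30
        DcRefresh        = Format-Refresh (Read-PolicyValue $MachineKey 'GroupPolicyRefreshTimeDC') `
                                          (Read-PolicyValue $MachineKey 'GroupPolicyRefreshTimeOffsetDC') 5 0
        ComputerSlowLink = Format-SlowLink (Read-PolicyValue $MachineKey 'GroupPolicyMinTransferRate')
        UserSlowLink     = Format-SlowLink (Read-PolicyValue $UserKey 'GroupPolicyMinTransferRate')
        BackgroundRefreshOff  = (Read-PolicyValue $MachineKey 'DisableBkGndGroupPolicy') -eq 1
        RsopLoggingOff        = (Read-PolicyValue $MachineKey 'RSoPLogging') -eq 0
        InteractiveRsopDenied = ((Read-PolicyValue $MachineKey 'DenyRsopToInteractiveUser') -eq 1) -or
                                ((Read-PolicyValue $UserKey 'DenyRsopToInteractiveUser') -eq 1)
        UserGpupdateDenied    = (Read-PolicyValue $MachineKey 'DenyUsersFromMachGP') -eq 1
    }
    # Findings a reviewer would want called out, following the chapter's advice.
    $findings = @()
    if ($r.ComputerRefresh -like 'every 7 seconds*' -or $r.UserRefresh -like 'every 7 seconds*') {
        $findings += 'Refresh interval is 0 (7 seconds): a test-lab setting found on a managed machine'
    }
    if ($r.ComputerSlowLink -ne $r.UserSlowLink) {
        $findings += 'Computer and User slow-link thresholds differ; the chapter recommends equal values'
    }
    if ($r.RsopLoggingOff) {
        $findings += 'RSoP logging is off: remote RSoP troubleshooting from the GPMC will not work here'
    }
    if ($r.BackgroundRefreshOff) {
        $findings += 'Background refresh is off: changed GPOs are downloaded but applied only at logoff/logon'
    }
    $r.Findings = $findings
    [pscustomobject]$r
}
Get-GroupPolicyBehaviorAudit | Format-List
```

Run it under an account that can read HKLM\SOFTWARE\Policies; a value reported as a default simply means the corresponding policy is Not Configured for that scope.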
Registry Policy Processing
This setting affects how your policy settings in the Administrative Templates subtrees react (and, generally, any other policy that affects the Registry). Once this policy setting is enabled, you have two other options:
- Do Not Apply During Periodic Background Processing Typically, Administrative Templates settings are refreshed every 90 minutes or so. However, if you enable this option, you're telling the client never to refresh, after logon, the computer-side Administrative Templates settings in the GPOs meant for it. You might choose to prevent background refresh for Administrative Templates for two reasons:
  - When the background refresh occurs, the screen may flicker for a second as the system reapplies the changed GPOs (with their policy settings) and instructs Explorer.exe to refresh the desktop. This could be a slight distraction for the user every 90 minutes or so.
  - You might choose to disable background processing so that users' experiences with the desktop and applications stay consistent for the entire length of their logon. Having settings suddenly change while the user is logged on could be confusing, but my advice is to leave this setting alone unless you're seriously impacted by the background processing affecting your users' experience.
- Process Even If the Group Policy Objects Have Not Changed If this option is selected, the system will update and reapply the policy settings in this category when the background refresh interval occurs, even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should an administrator have nefariously gone around our backs and modified a local setting.
Note: You cannot turn off Registry policy processing over slow links. Registry policy settings are always downloaded and applied.
Internet Explorer Maintenance Policy Processing
Once enabled, this policy setting has three potential options:
- Allow Processing Across a Slow Network Connection Check this check box to allow Internet Explorer Maintenance settings to download when logging on over slow links. Enabling this could cause your users to experience a longer logon time, but adhere to your latest Internet Explorer wishes.
- Do Not Apply During Periodic Background Processing If this option is selected, the latest Internet Explorer settings in Active Directory GPOs will not be downloaded or applied during the background refresh.
- Process Even If the Group Policy Objects Have Not Changed If this option is selected, it updates and reapplies the policy settings in this category even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should a user or an administrator have nefariously gone around our backs and modified a local setting.
Software Installation Policy Processing
Once enabled, this policy setting has two potential options:
- Allow Processing Across a Slow Network Connection As I stated, by default, software deployment offers are not displayed to users connecting over slow links. This is a good thing; allowing users to click the newly available icons to begin the download and installation of new software over a 56K dial-up line can be tortuous. Use this setting to change this behavior.
  Warning: If you have already distributed software via Group Policy, and an offer has been accepted by a client computer (but perhaps not all pieces of the application have been loaded), setting this selection will likely not help, and your users may experience a long delay in running their application over a slow link. For more information on how to best distribute software to clients who use slow links, see Chapter 10.
- Process Even If the Group Policy Objects Have Not Changed For Software Installation and Maintenance, I cannot find any difference whether this option is selected or not, though Microsoft has implied it might correct some actions should the software become damaged. Since software deployment offers are only displayed upon logon or reboot (otherwise known as foreground policy processing), in my testing, this setting seems not to have any outward effect.
Note: Users can still opt to download software over slow links, even if the "Allow Processing Across a Slow Network Connection" option is selected. See the Software Installation settings described in detail in Chapter 10.
Folder Redirection Policy Processing
Once enabled, this policy setting has two potential options:
- Allow Processing Across a Slow Network Connection Recall that the Folder Redirection policy is changed only at logon time. Chances are you wouldn't want dialed-in users to experience that new change. Rather, you would want to wait until they are on your LAN. If you want to torture your users and allow them to accept the changed policy anyway, use this setting to change this behavior.
- Process Even If the Group Policy Objects Have Not Changed I cannot find any difference whether this setting is selected or not, though Microsoft has implied it might correct some folder-redirection woes should the user name get renamed.
Note: Folder Redirection settings are discussed in detail in Chapter 9.
Scripts Policy Processing
Once enabled, this policy setting has three potential options:
- Allow Processing Across a Slow Network Connection Recall that, by default, new or changed startup, shutdown, logon, and logoff scripts are not downloaded over slow networks. Change this to allow the download over slow links. The actual running of the scripts is a different process, as discussed earlier in the "Processing and Running Scripts Over Slow Links" sidebar.
- Do Not Apply During Periodic Background Processing This option will allow the newest script instructions to be downloaded. See the sidebar "Processing and Running Scripts Over Slow Links" earlier in the chapter.
- Process Even If the GPOs Have Not Changed This option will allow the newest script instructions to be downloaded. See the sidebar "Processing and Running Scripts Over Slow Links."
Security Policy Processing
Once enabled, this policy setting has two potential options:
- Do Not Apply During Periodic Background Processing Recall that the security settings are refreshed on the machines every 16 hours, whether they need it or not. Checking this option will turn off the check every 16 hours. It is recommended to leave this as is. However, you might want to consider enabling this setting for servers with high numbers of transactions that require all the processing power they can muster.
- Process Even If the GPOs Have Not Changed If this option is selected, nothing changes. After 16 hours, this policy category is always refreshed.
IP Security Policy Processing
Once enabled, this policy setting has three potential options:
- Allow Processing Across a Slow Network Connection When selected, this setting does nothing. IP Security settings are always downloaded, regardless of whether the computer is connected over a slow network. So, you might be asking yourself, what happens when you select this check box, which is shown in Figure 3.3? Answer: nothing; it's a bug in the interface. To repeat: IP Security is always processed, regardless of the link speed.
  Figure 3.3: The "Allow processing across a slow network connection" setting is not used in Windows 2000, Windows XP, or Windows 2003 for IP Security or EFS settings.
  Note: IP Security policies act slightly differently from other policy setting categories. IP Security policy settings are not additive. For IP Security, the last applied policy wins.
- Do Not Apply During Periodic Background Processing If this option is selected, the latest IP Security settings in Active Directory GPOs will not be downloaded or applied during the background refresh.
- Process Even If the Group Policy Objects Have Not Changed If this option is selected, it updates and reapplies the policy settings in this category even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should a user or an administrator have nefariously gone around our backs and modified a local setting.
EFS Recovery Policy Processing
Once enabled, this policy setting has three potential options:
- Allow Processing Across a Slow Network Connection When this option is selected, it does nothing. EFS recovery settings are always downloaded, regardless of whether the computer is connected over a slow network.
  Like IP Security, the EFS recovery settings are always downloaded, even over slow networks. Once again, this is the same bug as shown in Figure 3.3 earlier in this chapter. To repeat, EFS recovery policy is always processed, regardless of link speed.
  Note: EFS recovery policies act slightly differently from other policy setting categories. EFS recovery policies are not additive; the last applied policy wins.
- Do Not Apply During Periodic Background Processing If this option is selected, the latest EFS recovery settings in Active Directory GPOs are not downloaded or applied during the background refresh.
- Process Even If the Group Policy Objects Have Not Changed If this option is selected, it updates and reapplies the policy settings in this category even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should a user or an administrator have nefariously gone around our backs and modified a local setting.
Wireless Policy Processing
If this policy setting is enabled, it has three potential options:
- Allow Processing Across a Slow Network Connection Check this option to allow the latest wireless policy settings to download when the user is logging on over slow links. Enabling this could cause your users to experience a longer logon time.
- Do Not Apply During Periodic Background Processing If this option is selected, the latest wireless policy settings will not be downloaded or applied during the background refresh.
- Process Even If the Group Policy Objects Have Not Changed If this option is selected, it updates and reapplies the policy settings in this category even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should a user or an administrator have nefariously gone around our backs and modified a local setting.
Note: This policy is valid only when applied to Windows XP workstations and Windows 2003 servers.
Disk Quota Policy Processing
If this policy setting is enabled, it has three potential options:
- Allow Processing Across a Slow Network Connection Check this option to allow the latest disk quota policy settings to download and apply when the user logs on over slow links. Enabling this could cause your users to experience a longer logon time.
- Do Not Apply During Periodic Background Processing If this option is selected, the latest disk quota policy settings will not be downloaded or applied during the background refresh.
- Process Even If the Group Policy Objects Have Not Changed If selected, this option updates and reapplies the policy settings in this category even if the underlying GPO has not changed. Recall that this type of processing is meant to clean up should a user or an administrator have nefariously gone around our backs and modified a local setting.
Note: Disk quotas and their corresponding Group Policy settings are discussed in detail in Chapter 9.
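The per-category processing settings above (Registry through Disk Quota) all share the same three options, so one added PowerShell example (not code from the book) can decode how a client has stored them and annotate each category with the caveats this section notes. The extension GUIDs, the key location, and the three value names come from system.adm and gpresult output and are assumptions to confirm against your own build:

```powershell
# Added example (not from the book): decode the per-category processing
# options as a client stores them. Assumed from system.adm: each category
# writes a subkey, named after its client-side extension GUID, under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy holding
#   NoSlowLink         = 0  <->  "Allow processing across a slow network connection"
#   NoBackgroundPolicy = 1  <->  "Do not apply during periodic background processing"
#   NoGPOListChanges   = 0  <->  "Process even if the GPOs have not changed"
# The GUIDs are the well-known extension IDs; confirm them against gpresult /v.
$GpExtensions = [ordered]@{
    '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' = 'Registry'
    '{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}' = 'Internet Explorer Maintenance'
    '{C6DC5466-785A-11D2-84D0-00C04FB169F7}' = 'Software Installation'
    '{25537BA6-77A8-11D2-9B6C-0000F8080861}' = 'Folder Redirection'
    '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}' = 'Scripts'
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security'
    '{E437BC1C-AA7D-11D2-A382-00C04F991E27}' = 'IP Security'
    '{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}' = 'EFS Recovery'
    '{0ACDD40C-75AC-47AB-BAA0-BF6DE7E7FE63}' = 'Wireless'
    '{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}' = 'Disk Quota'
}
# Chapter caveats that override what the check boxes appear to say.
$Caveats = @{
    'Registry'              = 'Always applied over slow links; cannot be turned off.'
    'IP Security'           = 'Always processed regardless of link speed; last applied policy wins.'
    'EFS Recovery'          = 'Always processed regardless of link speed; last applied policy wins.'
    'Security'              = 'Re-applied every 16 hours whether or not the GPO changed.'
    'Software Installation' = 'Foreground-only (logon/reboot); "process even if unchanged" shows no effect.'
    'Folder Redirection'    = 'Foreground-only (logon); "process even if unchanged" shows no effect.'
}
function Get-GpExtensionProcessing {
    param([string]$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy')
    foreach ($guid in $GpExtensions.Keys) {
        $name = $GpExtensions[$guid]
        $key  = Join-Path $Base $guid
        # A missing subkey means the category's processing policy is Not Configured.
        $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Category               = $name
            Configured             = [bool]$v
            AllowSlowLink          = if ($v) { $v.NoSlowLink -eq 0 }         else { $null }
            NoBackgroundRefresh    = if ($v) { $v.NoBackgroundPolicy -eq 1 } else { $null }
            ProcessEvenIfUnchanged = if ($v) { $v.NoGPOListChanges -eq 0 }   else { $null }
            Caveat                 = $Caveats[$name]
        }
    }
}
$rows = Get-GpExtensionProcessing
$rows | Format-Table -AutoSize
# Flag categories whose background refresh has been switched off: a setting
# changed locally in that category is then not corrected until the next logon.
$rows | Where-Object { $_.NoBackgroundRefresh } |
    ForEach-Object { Write-Warning "$($_.Category): background refresh is off" }
```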
Always Use Local ADM Files for Group Policy Object Editor
ADM files are the underlying language that creates policy settings. I'll talk more about ADM files and how to best use them in Chapter 5. For reference, however, if a computer is affected by this policy setting, the Group Policy Object Editor attempts to show the text within the ADM files from your local %windir%\inf directory (usually c:\windows\inf). If the ADM file on the Domain Controller differs from the one in your local c:\windows\inf directory, you could end up seeing different settings and help text than are really on the Domain Controller.
Indeed, if this policy is enabled, you might now see totally different policy settings than were originally placed in the GPO. However, you might want to enable this policy setting if you know that you will always be using one specific Windows XP management workstation as described in Chapter 5. Stay tuned for Chapter 5 to see how to use this function.
Note: This policy is valid only when applied to Windows XP workstations and Windows 2003 servers.