Understanding Group Policy (and Preferences) Refresh cycles – Part 1 - Windows Server blog by Kurt Roggen [BE]
Thursday 19 June 2008 10:24 Kurt Roggen

Understanding Group Policy (and Preferences) Refresh cycles – Part 1

With Group Policies (and also Group Policy Preferences), settings are divided into two categories: Computer Configuration and User Configuration.
Computer Configuration settings are applied during startup of the operating system. User Configuration settings are applied when a user logs on to a computer.

Once policy settings are applied at startup/logon, the settings are refreshed automatically to ensure they are up-to-date. During Group Policy refresh, the client computer contacts the closest available domain controller, which provides a list of all the policy objects that apply to the computer and user at different levels (site, domain, OUs). The domain controller does this regardless of whether the version numbers on all the summarized policy objects have changed. By default, the computer processes the policy objects only if the version number of at least one of the policy objects has changed. If any one of the related policies has changed, all of the policies have to be processed again because of inheritance and the interdependencies within policies.

You can also force a refresh manually using gpupdate /force.  This will process all policies again, even if their version number has not changed.

By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. The minimum refresh cycle is therefore 90 minutes and the maximum is 2 hours (120 min); the random offset spreads the load when machines/users contact their domain controllers at the refresh cycle. This policy covers both workstations and member servers and excludes domain controllers.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

By default, Group Policy on domain controllers is updated every 5 minutes.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

Refresh intervals for computers and domain controllers 

By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

The user and computer refresh intervals typically differ, because each gets its own random offset. For example, the computer refresh could take place after 95 minutes and the user refresh after 112 minutes.

Refresh intervals for users

Security settings are an exception to the processing rule. By default, these settings are refreshed every 16 hours (960 minutes) regardless of whether policy objects contain changes.
A random offset of up to 30 minutes is added to reduce impact on domain controllers and the network during updates (making the effective refresh window 960 to 990 minutes).
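
The defaults above can be compared with what a given machine is actually configured to use. The PowerShell below is an added example, not code from the original post: it reads the refresh policy values from the registry and falls back to the article's defaults when none is set. The registry value names are not given in the article, and the domain controller offset default of 0 is an assumption.

```powershell
# Added example: report the Group Policy refresh windows in effect on this machine.
# Registry value names are not taken from the article.

function Get-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Default)
    # Returns the configured DWORD, or the default when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

function New-RefreshWindow {
    param([string]$Scope, [int]$Interval, [int]$Offset)
    # An interval of 0 means "retry every 7 seconds", expressed here in minutes.
    $base = if ($Interval -eq 0) { 7 / 60 } else { $Interval }
    [pscustomobject]@{
        Scope       = $Scope
        IntervalMin = $Interval
        OffsetMin   = $Offset
        EarliestMin = [math]::Round($base, 2)
        LatestMin   = [math]::Round($base + $Offset, 2)
    }
}

$machineKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$userKey    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
# Security client-side extension; MaxNoGPOListChangesInterval is in minutes.
$secCseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

# DomainRole 4 and 5 are backup and primary domain controllers.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

$windows = @(
    if ($isDC) {
        # Assumption: no random offset on domain controllers unless one is configured.
        New-RefreshWindow 'Computer (DC)' (Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeDC' 5) (Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeOffsetDC' 0)
    } else {
        New-RefreshWindow 'Computer' (Get-PolicyValue $machineKey 'GroupPolicyRefreshTime' 90) (Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeOffset' 30)
    }
    New-RefreshWindow 'User' (Get-PolicyValue $userKey 'GroupPolicyRefreshTime' 90) (Get-PolicyValue $userKey 'GroupPolicyRefreshTimeOffset' 30)
    # Security settings are reapplied on this interval even when no GPO version changed.
    New-RefreshWindow 'Security settings' (Get-PolicyValue $secCseKey 'MaxNoGPOListChangesInterval' 960) 30
)

$windows | Format-Table -AutoSize
```

The LatestMin column is the longest a changed policy, or a locally altered security setting, can go before the next background refresh picks it up.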

Security settings include registry permissions, file system permissions, Restricted Groups, Event Log, System Services, …

Also, if the client computer detects that it is connecting over a slow network connection, it informs the domain controller and only the Security Settings and Administrative Templates are transferred over the network, which means that by default only the security settings are applied when a computer is connected over a slow link.

The way slow link detection works (read: its threshold) is configurable through Group Policy. However, security settings are always enforced, even when a slow network connection is detected.

Group Policy Security CSE (Client Side Extension)
Group Policy Scripts CSE (Client Side Extension)
Group Policy Preference Folder Options CSE

The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. 
Obviously, updates across slow connections can cause significant delays.

With Group Policy Preferences, you are able to go a step further and to configure the priority of the background refresh.

# Understanding Group Policy (and Preferences) Refresh cycles - Part 2

Monday 23 June 2008 10:34 by Windows Server 2008 blog by Kurt Roggen [BE]

In part 1, we’ve talked about the Group Policy engine refresh cycle, but let’s dive a little bit deeper
