Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Audit: Audit The Access Of Global System Objects
Audit: Audit of the Use Of Backup And Restore Privilege
Audit: Shut Down System Immediately If Unable To Log Security Audits
Domain Controller: Allow Server Operators To Schedule Tasks
Microsoft Network Client: Digitally Sign Communications (Always)
Microsoft Network Client: Digitally Sign Communications (If Server Agrees)
Microsoft Network Client: Send Unencrypted Password To Third-Party SMB Servers
Microsoft Network Server: Amount Of Idle Time Required Before Suspending Session
Microsoft Network Server: Digitally Sign Communications (Always)
Network Access: Named Pipes That Can Be Accessed Anonymously
Network Access: Restrict Anonymous Access To Named Pipes And Shares
Network Access: Shares That Can Be Accessed Anonymously
Network Security: LDAP Client Signing Requirements
User Account Control: Run All Administrators In Admin Approval Mode
Shutdown: Clear Virtual Memory Pagefile
System Cryptography: Force Strong Key Protection For User Keys Stored On The Computer
System Objects: Require Case Insensitivity For Non-Windows Subsystems
System Objects: Strengthen Default Permissions Of Internal System Objects (e.g., Symbolic Links)
System Settings: Optional Subsystems
Computer Configuration\Policies\Administrative Templates\Windows Components
Desktop Window Manager\Do Not Allow Desktop Composition
Desktop Window Manager\Do Not Allow Flip3D Invocation
Desktop Window Manager\Do Not Allow Window Animations
Desktop Window Manager\Window Frame Coloring\Do Not Allow Color Changes
Desktop Window Manager\Window Frame Coloring\Specify A Default Color
Terminal Services\Terminal Server\TS Session Broker\Join TS Session Broker
Terminal Services\TS Licensing\License Server Security Group
Windows Logon Options\Report When Logon Server Was Not Available During User Logon
Windows Media Player\Prevent Video Smoothing
Shutdown Options\Turn Off Legacy Remote Shutdown Interface
Windows Defender\Turn Off Windows Defender
Computer Configuration\Policies\Administrative Templates\System
User Configuration\Policies\Administrative Templates\Windows Components
Windows Media Player\Networking\Configure MMS Proxy
Windows Media Player\Networking\Configure Network Buffering
Desktop Window Manager\Do Not Allow Window Animations
Desktop Window Manager\Do Not Allow Desktop Composition
Desktop Window Manager\Do Not Allow Flip3D Invocation
Desktop Window Manager\Window Frame Coloring\Specify A Default Color
Desktop Window Manager\Window Frame Coloring\Do Not Allow Color Changes
Windows Media Player\User Interface\Do Not Show Anchor
Windows Media Player\Networking\Hide Network Tab
Windows Logon Options\Report When Logon Server Was Not Available During User Logon
Windows Logon Options\Set Action To Take When Logon Hours Expire
Tablet PC\Touch Input\Turn Off Tablet PC Touch Input
Backup\Client\Turn Off Restore Functionality
User Configuration\Policies\Administrative Templates\System
In addition to these GPO settings, specific client-side extensions (CSEs) also adhere to foreground-only policy processing. The GPO CSEs that apply only with foreground policy processing include the following:
Deployed Printer Connections
Folder Redirection
Group Policy Drive Maps
Group Policy Printers
Internet Explorer Branding
Scripts (Policy Processes)
Microsoft Offline Files
Software Installation
Note
You can also trigger a background refresh of Group Policy manually by using the GPUpdate utility. GPUpdate emulates a background refresh.
Asynchronous vs. Synchronous Policy Processing
In addition to foreground and background processing, you must also consider whether Group Policy processing should occur asynchronously or synchronously. In general terms, these options determine whether the user must wait for all of the policies to process before receiving their desktop. The two options are described as follows:
Asynchronous processing: Windows does not wait for the network stack to initialize before letting the user receive the desktop.
Synchronous processing: Windows waits for the network stack to initialize, and all Group Policy foreground processing occurs before the user receives the desktop.
To control whether a computer will run asynchronously or synchronously, you need only modify the following GPO setting:
Computer Configuration\Policies\Administrative Templates\System\Logon\Always Wait For The Network At Computer Startup And Logon
Configuring this setting as Enabled forces the computer to process GPO settings synchronously. Disabling this setting allows the computer to process GPO settings asynchronously.
When considering asynchronous and synchronous policy processing in conjunction with foreground and background policy processing, you must also consider the cycles of policy processing to understand how each setting will process. For example, Software Installation can apply only during a foreground refresh. If the computer does not wait for the software to install before giving the user access to the desktop (asynchronous processing), the software will not be installed until the computer reboots or the user logs off and back on. This is because all foreground policy processing ceases to work after the user receives the desktop.
Table 5 lists all of these policy processing parameters and indicates how each CSE will behave.
Table 5. CSE Processing Matrix
| CSE | Runs during Foreground Synchronous | Runs during Foreground Asynchronous | Runs during Background Asynchronous |
|---|---|---|---|
| Wireless Group Policy | Yes | Yes | Yes |
| Group Policy Environment | Yes | Yes | Yes |
| Group Policy Local Users And Groups | Yes | Yes | Yes |
| Group Policy Device Settings | Yes | Yes | Yes |
| Folder Redirection | Yes | No | No |
| Microsoft Disk Quota | Yes | Yes | Yes |
| Group Policy Network Options | Yes | Yes | Yes |
| QoS Packet Scheduler | Yes | Yes | Yes |
| Scripts | Yes | No | No |
| Internet Explorer Zonemapping | Yes | Yes | Yes |
| Group Policy Drive Maps | Yes | Yes | No |
| Group Policy Folders | Yes | Yes | Yes |
| Group Policy Network Shares | Yes | Yes | Yes |
| Group Policy Files | Yes | Yes | Yes |
| Group Policy Data Sources | Yes | Yes | Yes |
| Group Policy Ini Files | Yes | Yes | Yes |
| Windows Search Group Policy | Yes | Yes | Yes |
| Security | Yes | Yes | Yes |
| Deployed Printer Connections | Yes | No | No |
| Group Policy Services | Yes | Yes | Yes |
| Internet Explorer Branding | Yes | No | No |
| Group Policy Folder Options | Yes | Yes | Yes |
| Group Policy Scheduled Tasks | Yes | Yes | Yes |
| Group Policy Registry | Yes | Yes | Yes |
| EFS Recovery | Yes | Yes | Yes |
| 802.3 Group Policy | Yes | Yes | Yes |
| Group Policy Printers | Yes | No | No |
| Group Policy Shortcuts | Yes | Yes | Yes |
| Microsoft Offline Files | Yes | Yes | Yes |
| Software Installation | Yes | No | No |
| IP Security | Yes | Yes | Yes |
| Group Policy Internet Settings | Yes | Yes | Yes |
| Group Policy Start Menu Settings | Yes | Yes | Yes |
| Group Policy Regional Options | Yes | Yes | Yes |
| Group Policy Power Options | Yes | Yes | Yes |
| Group Policy Applications | Yes | Yes | Yes |
| Enterprise QoS | Yes | No | No |
Note
Security policy can be applied to a computer during background refresh, but some security policy settings may not take effect without a reboot. Additionally, some of the CSEs listed in Table 5 apply only to the user or only to the computer, so background asynchronous processing might mean something different depending on the circumstances. For example, if no user is logged on to a computer, no user-specific background processing occurs.
Using GPUpdate
The standard background and foreground refreshing of Group Policy is built in to the system and occurs without any configuration or setup. However, there may be times when the refresh interval is not frequent enough for settings to be applied; in such cases, you need another option for applying settings faster, preferably in real time.
The solution is the GPUpdate utility. GPUpdate is a standard command-line utility on all computers running at least Windows XP Professional.
The GPUpdate utility manually performs a background Group Policy processing refresh. You must run the utility from the computer that you want to refresh; it does not work remotely. By default, the utility refreshes both the user and computer portions of the GPO. You can, however, target just one of the two sections of the GPO by adding the /Target switch and indicating User or Computer. The other switch options are useful, but in most cases you can use GPUpdate without any switches. All of the switches and their uses are listed in Table 6.
Table 6. GPUpdate Utility Switches
| Switch | Description of Use |
|---|---|
| /Target:{Computer \| User} | Specifies that only User or only Computer policy settings are refreshed. By default, both User and Computer policy settings are refreshed. |
| /Force | Reapplies all policy settings. By default, only policy settings that have changed are applied. |
| /Wait:{value} | Sets the number of seconds to wait for policy processing to finish. The default is 600 seconds. The value '0' means not to wait. The value '-1' means to wait indefinitely. When the time limit is exceeded, the command prompt returns, but policy processing continues. |
| /Logoff | Causes a logoff after the Group Policy settings have been refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but do process policy when a user logs on. Examples include user-targeted Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require a logoff. |
| /Boot | Causes a reboot after the Group Policy settings are refreshed. This is required for those Group Policy client-side extensions that do not process policy on a background refresh cycle but do process policy at computer start-up. Examples include computer-targeted Software Installation. This option has no effect if there are no extensions called that require a reboot. |
| /Synch | Causes the next foreground policy application to be done synchronously. Foreground policy applications occur at computer boot and user logon. You can specify this for the user, computer, or both by using the /Target parameter. The /Force and /Wait parameters will be ignored if specified. |
Note
The GPUpdate utility cannot perform a foreground refresh. The only two options that do this are rebooting for computer settings and logging off and back on for user settings. The /Force switch does not perform a foreground refresh.
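The following PowerShell script is an added example, not part of the original article. It ties Table 5, Table 6 and the note above together: it reads which processing mode the computer is in and builds the GPUpdate sequence needed to get the foreground-only CSEs applied. It assumes that the "Always Wait For The Network At Computer Startup And Logon" policy is stored as the SyncForegroundPolicy DWORD (1 = Enabled) under the Winlogon policy key; the function names are the example's own.

```powershell
# Added example, not from the original article. Assumption: the policy
# "Always Wait For The Network At Computer Startup And Logon" is stored as the
# SyncForegroundPolicy DWORD (1 = Enabled) under this Winlogon policy key.
$WinlogonPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CSEs that Table 5 marks "No" for both Foreground Asynchronous and Background.
$ForegroundSyncOnlyCse = @(
    'Folder Redirection', 'Scripts', 'Deployed Printer Connections',
    'Internet Explorer Branding', 'Group Policy Printers',
    'Software Installation', 'Enterprise QoS'
)

function Get-ForegroundProcessingMode {
    # Enabled policy => synchronous; absent or Disabled => asynchronous (the default).
    $item = Get-ItemProperty -Path $WinlogonPolicyKey -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    if ($item -and [int]$item.SyncForegroundPolicy -eq 1) { 'Synchronous' } else { 'Asynchronous' }
}

function Get-ForegroundRefreshPlan {
    param([ValidateSet('Computer', 'User')][string]$Target = 'Computer')
    $mode = Get-ForegroundProcessingMode

    # Per the note on GPUpdate: only a reboot (computer) or a logoff (user)
    # produces a foreground refresh; /Force does not.
    $refresh = if ($Target -eq 'Computer') { "gpupdate /Target:$Target /Boot" } else { "gpupdate /Target:$Target /Logoff" }

    # In asynchronous mode, /Synch (Table 6) makes that next foreground pass
    # synchronous, so the Table 5 foreground-only CSEs actually run.
    $commands = if ($mode -eq 'Asynchronous') { @("gpupdate /Target:$Target /Synch", $refresh) } else { @($refresh) }

    [pscustomobject]@{
        Target             = $Target
        ForegroundMode     = $mode
        CseNeedingSyncPass = $ForegroundSyncOnlyCse
        Commands           = $commands
    }
}

# Report for the computer half of policy; use -Target User for the user half.
Get-ForegroundRefreshPlan -Target Computer | Format-List
```

The script only reports the commands; run them yourself once a maintenance window allows the reboot or logoff.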
The security CSE behaves somewhat differently from the other CSEs. If a GPO has not changed since the last time it was processed, settings will not reapply at the next refresh interval. If the settings in the registry have been modified manually on the target computer, those settings will remain until the GPO is modified. For security settings, this could leave the computer in a nonsecure state.
Because of this possibility, the security CSE processes security settings every 16 hours on nondomain controllers and every five minutes on domain controllers, regardless of any changes that have occurred in the GPO for security settings.
This interval of 16 hours can be modified, up or down, depending on the needs of the computer being controlled. The value in the registry that modifies this interval can be found at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
The default value is 960 (hex 0x3c0), which is in minutes. This value should not be modified unless there is a valid business reason. In general, it is a best practice to leave the value in the default state; you could, however, modify a highly secure group of computers to have a smaller value. Reducing this value for a large number of computers is not recommended, because the processing and network overhead could become a problem.
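As an added example (not from the original article), this PowerShell function audits the security CSE interval described above: it reads MaxNoGPOListChangesInterval at the key the article gives, treats an absent value as the 960-minute default, and flags computers where the interval has been lengthened, since a longer interval leaves manual registry tampering in place for longer before the security CSE reapplies policy. The use of Invoke-Command for remote hosts and the function name are the example's own assumptions.

```powershell
# Added example, not from the original article. Key and default are taken from the text.
$SecurityCseKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$DefaultMinutes = 960   # 0x3c0 = 16 hours on nondomain controllers

function Get-SecurityCseRefreshInterval {
    # With -ComputerName the check runs over WinRM (assumption: remoting is enabled);
    # without it, the check runs on the local computer.
    param([string[]]$ComputerName)

    $probe = {
        param($Key, $Default)
        # -Name on a missing value raises an error; SilentlyContinue turns that into $null.
        $item = Get-ItemProperty -Path $Key -Name MaxNoGPOListChangesInterval -ErrorAction SilentlyContinue
        $minutes = if ($item) { [int]$item.MaxNoGPOListChangesInterval } else { $Default }
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            IntervalMinutes   = $minutes
            IntervalHours     = [math]::Round($minutes / 60, 2)
            ExplicitlySet     = [bool]$item
            # Longer than default: manually changed security settings persist longer.
            WeakerThanDefault = $minutes -gt $Default
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ArgumentList $SecurityCseKey, $DefaultMinutes
    } else {
        & $probe $SecurityCseKey $DefaultMinutes
    }
}

# Local check; pass -ComputerName 'host1','host2' to sweep a group of computers.
Get-SecurityCseRefreshInterval | Format-Table -AutoSize
```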
Note
If you want to modify this value on all computers on the network, you have three options. You can create a custom .adm template, you can create a custom ADMX/ADML file, or you can use the Registry Preference to modify the registry setting.