GPO Version Numbers on the Client
When a GPO applies to a computer, information about that GPO is stored on the computer. The client must know the version numbers of both the GPT and the GPC, so these are stored along with the other information about the applied GPOs. To see the current state of the GPOs that are affecting the computer, open the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State, as shown in Figure 1.
This registry location contains two sections. One is related to the computer and is named Machine. The other is user related and is listed by the user's security identifier (SID). Both sections have a GPO-List node, which stores information about the applied GPOs.
In Figure 5-3, notice the entry named Version under the listed GPO. This number represents both the GPT and the GPC. The first four digits of the number represent the version number of the GPT, and the last four digits represent the version number of the GPC. When the Group Policy refresh occurs, these values are compared to the current values of the GPT and GPC. If they differ, Group Policy is applied. If they are the same, no changes have occurred to the GPO in Active Directory, so no update is necessary.
GPO Version Numbers on the Domain Controller
The client compares the GPO version numbers stored locally with those stored on the domain controller for each GPO. The domain controller stores the version number for each GPO in two locations. The first is in the GPT, under the appropriate GUID for the GPO in the %systemroot%\SYSVOL\sysvol\<domainname>\Policies folder. There, the version number is stored in a file called GPT.ini. The second location is in Active Directory, which is referred to as the GPC. Here, the version number is stored as an attribute of the GPO object.
Both of these version numbers are referenced during Group Policy refreshes. The client compares the local version number to these and updates policy based on whether the numbers are different or the same.
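The two sections above describe the same comparison from both ends: the version the client cached in GPO-List and the version the domain controller publishes in GPT.ini. The following PowerShell is an added example, not code from the book, that performs that comparison for every GPO in the computer's GPO-List so an administrator can see which cached versions still match SYSVOL. It assumes a domain-joined Windows client with read access to SYSVOL, relies on the standard GPO-List values (DisplayName, GPOName, FileSysPath, Version), and makes no changes to the system.

```powershell
# Added example (not from the book): compare each applied computer GPO's cached
# Version in the registry GPO-List with the Version line in that GPO's GPT.ini.
# Assumes a domain-joined client with read access to SYSVOL; read-only, no changes made.

$statePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List'

Get-ChildItem -Path $statePath | ForEach-Object {
    $entry = Get-ItemProperty -Path $_.PSPath

    # The registry stores Version as a signed DWORD; mask to get the unsigned value.
    $cachedVersion = [uint32]($entry.Version -band 0xFFFFFFFF)

    # FileSysPath points at the GPO's folder on SYSVOL (or the local GPO folder).
    $gpoFolder = [Environment]::ExpandEnvironmentVariables($entry.FileSysPath)
    $gptIni    = Join-Path $gpoFolder 'GPT.ini'

    $gptVersion = $null
    if (Test-Path -LiteralPath $gptIni) {
        # GPT.ini carries a line such as "Version=65539" (decimal).
        $match = Select-String -LiteralPath $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($match) { $gptVersion = [uint32]$match.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        DisplayName   = $entry.DisplayName
        GPOName       = $entry.GPOName     # the GPO's GUID
        CachedVersion = $cachedVersion     # what the client stored at its last apply
        GptIniVersion = $gptVersion        # what SYSVOL currently publishes
        InSync        = ($null -ne $gptVersion -and $cachedVersion -eq $gptVersion)
    }
} | Format-Table -AutoSize
```

A row with InSync set to False means the GPT on SYSVOL has moved on since the client last applied that GPO, which is exactly the condition under which the next refresh reapplies it; a missing GptIniVersion usually means SYSVOL was not reachable or the GPO folder has been removed, which is worth investigating on its own.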
NLA Refresh in Windows Vista and Windows Server 2008
Network Location Awareness (NLA) is the replacement technology that helps Group Policy identify slow links. Internet Control Message Protocol (ICMP), the protocol that supports PING, is no longer used within Group Policy because NLA is more reliable and accurate. NLA ensures that all computers are aware of, and can respond more precisely to, changes in network conditions and available network resources.
NLA provides many benefits, including the following:
Computer start-up times are faster and more efficient. NLA accurately determines the state of the network and processes Group Policy accordingly. If the adapter is disabled or disconnected, NLA causes Group Policy to shorten the wait time for the network.
If the computer has been offline or the network has not been available for some time, NLA helps the computer recognize when a domain controller becomes available. This helps with virtual private network (VPN) sessions, recovering from hibernation (and standby), exiting quarantine, and laptop docking.
NLA provides more control over how the computer responds to Group Policy, the network state, and the boot process for GPO application.
When a computer is disconnected from the corporate network but is still running, Group Policy refreshes will fail. These failures will continue until a domain controller is available and the network connection is established. When a VPN connection is established, NLA helps the computer detect the availability of a domain controller. Because the last Group Policy refresh cycle failed, Group Policy will initiate a background refresh, updating both the computer and user sections of the GPOs that should apply. NLA makes this happen efficiently, without requiring the computer to reboot or the user to log off for the computer to receive the changes over the VPN.