Windows Server 2008 and Windows Vista : Group Policy Processing - Version Checking During Updates

9/19/2012 6:44:06 PM

GPO Version Numbers on the Client

When a GPO applies to a computer, information regarding the GPO is stored on the computer. The client must know the version numbers of both the GPT and the GPC, so these are stored along with the other information about the applied GPOs. To see the current state of the GPOs that are affecting the computer, open the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State, as shown in Figure 1.

Figure 1. Computers store information about the GPOs that are affecting them, including the version number.

This registry location contains two sections. One is related to the computer and is named Machine. The other is user related and is listed by the user’s security identifier (SID). Both sections have a GPO-List node, which stores information about the applied GPOs.

In Figure 1, notice the entry named Version for the listed GPO. This number represents the GPT and GPC. The first four digits of the number represent the version number of the GPT, and the last four digits represent the version number of the GPC. When the Group Policy refresh occurs, these values are compared to the current values of the GPT and GPC. If they differ, Group Policy is applied. If they are the same, no changes have occurred to the GPO in Active Directory, so no update is necessary.

GPO Version Numbers on the Domain Controller

The client compares the GPO version numbers stored locally with those stored on the domain controller for each GPO. The domain controller stores the version number for each GPO in two locations. The first is in the GPT, which is under the appropriate GUID for the GPO, located under the %systemroot%\SYSVOL\sysvol\<domainname>\Policies folder. The version number is stored in a file called GPT.ini. The second location is in Active Directory, which is referred to as the GPC. Here, the version number is stored as an attribute of the GPO object.

Both of these version numbers are referenced during Group Policy refreshes. The client compares the local version number to these and updates policy based on whether the numbers are different or the same.
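
The comparison described above can be sketched as follows. This is an added example, not code from the original article: the function names, the choice to pass the client's cached GPT and GPC versions as two separate integers, and the sample GPT.ini value are assumptions made for illustration, and an unreadable GPT.ini is reported as an error rather than guessed at.

```python
import configparser

# Constructed GPT.ini content in the [General]/Version layout the file uses
# under SYSVOL\...\Policies\{GUID}\ (sample value only, not from a real GPO).
SAMPLE_GPT_INI = "[General]\nVersion=65539\n"


def read_gpt_version(ini_text):
    """Return the Version value from GPT.ini text, or None if absent or not a number."""
    parser = configparser.ConfigParser(strict=False)
    try:
        parser.read_string(ini_text)
        return parser.getint("General", "Version")
    except (configparser.Error, ValueError):
        return None


def refresh_decision(cached_gpt, cached_gpc, gpt_ini_text, gpc_version):
    """Decide whether a refresh has to reprocess one GPO.

    cached_gpt, cached_gpc: versions the client recorded at its last refresh
                            (assumed to be available as two integers).
    gpt_ini_text:           current GPT.ini contents read from SYSVOL.
    gpc_version:            current version attribute of the GPO object in AD.
    Returns a (decision, reason) tuple.
    """
    gpt_version = read_gpt_version(gpt_ini_text)
    if gpt_version is None:
        # Without a usable GPT version there is nothing to compare against.
        return ("error", "GPT.ini has no usable Version")
    changed = []
    if gpt_version != cached_gpt:
        changed.append("GPT %d -> %d" % (cached_gpt, gpt_version))
    if gpc_version != cached_gpc:
        changed.append("GPC %d -> %d" % (cached_gpc, gpc_version))
    if changed:
        return ("apply", ", ".join(changed))   # at least one store differs
    return ("skip", "versions unchanged")      # nothing changed since last refresh


if __name__ == "__main__":
    print(refresh_decision(65539, 65539, SAMPLE_GPT_INI, 65539))
    print(refresh_decision(65538, 65539, SAMPLE_GPT_INI, 65539))
```

The reason string shows which of the two stores changed, which is useful when checking why a client did or did not reprocess a GPO.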

NLA Refresh in Windows Vista and Windows Server 2008

Network Location Awareness (NLA) is the replacement technology that helps Group Policy identify slow links. Internet Control Message Protocol (ICMP), the protocol that supports PING, is no longer used within Group Policy because NLA is more reliable and accurate. NLA ensures that all computers are aware of, and can respond more precisely to, changes in network conditions and available network resources.

NLA provides many benefits, including the following:

  • Computer start-up times are faster and more efficient. NLA accurately determines the state of the network and processes Group Policy accordingly. If the adapter is disabled or disconnected, NLA causes Group Policy to shorten the wait time for the network.

  • If the computer has been offline or the network has not been available for some time, NLA helps the computer recognize when a domain controller becomes available. This helps with virtual private network (VPN) sessions, recovering from hibernation (and standby), exiting quarantine, and laptop docking.

  • NLA provides more control over how the computer responds to Group Policy, the network state, and the boot process for GPO application.

How It Works: VPN Connections Using NLA

When a computer is disconnected from the corporate network but is still running, Group Policy refreshes will fail. These failures will continue until a domain controller is available and the network connection is established. When a VPN connection is established, NLA helps the computer detect the availability of a domain controller. Because the last Group Policy refresh cycle failed, Group Policy will initiate a background refresh, updating both the computer and user sections of the GPOs that should apply. NLA makes this happen efficiently, without requiring the computer to reboot or the user to log off for the computer to update the changes over the VPN.
