Group Policy Processing differences ...

[M. Eteum]

Is there any differences on how Windows process Group Policy within OU
and using Security Filtering method?

I've notice that when I applied a Group Policy to set of machines in a
sub-OU, all the machines within that sub-OU detect the Group Policy
within 1 hour or so WITHOUT REBOOTING, by means of GPRESULT.

Then, instead of using the above method, that is applying a Group Policy
on a sub-OU, I created a Global Security Group which contains the same
machine(and different set of machines) and apply them on the OU level.
I've waited overnight and the Group Policy was not applied to all the
machine. It did it after I reboot all the machine. Is this a normal
behaviour? Why it's different and what's the logic behind it?


Thanks

 

[Darren Mar-Elia \(MVP\)]

There are no differences between GP processing based on whether you are
using linking or security filters to control who gets a GPO. In either case,
a workstation or member server will process GPOs in the background every 90
minutes (+- a randomizer). They will essentially build their list of GPOs
that need to be processed based on both linking and security filtering at
the same time. So, you should see no difference. The only differences that
arise are Client Side Extension specific. That is, some CSEs only process in
the foreground (e.g. Software Installation, Folder Redirection). I suspect
something else is going on for you in this case.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp

 

[M. Eteum]

There are no differences between GP processing based on whether you are
using linking or security filters to control who gets a GPO. In either case,
a workstation or member server will process GPOs in the background every 90
minutes (+- a randomizer). They will essentially build their list of GPOs
that need to be processed based on both linking and security filtering at
the same time. So, you should see no difference. The only differences that
arise are Client Side Extension specific. That is, some CSEs only process in
the foreground (e.g. Software Installation, Folder Redirection). I suspect
something else is going on for you in this case.

Thanks Darren. I've been struggling to find out what causes this to
happen which it did not happen if I directly linking the GPO to an OU.

What I've been trying to do is to use security filter to control Windows
Updates GPO. Is the Windows Automatic Updates Extension is the exception?

Thanks

 

[Darren Mar-Elia \(MVP\)]

Thanks Darren. I've been struggling to find out what causes this to happen
which it did not happen if I directly linking the GPO to an OU.

What I've been trying to do is to use security filter to control Windows
Updates GPO. Is the Windows Automatic Updates Extension is the exception?

Thanks

The WAU is just another ADM template and should not be any different. In
fact, the determination of which GPOs need to be processed is actually
accomplished *before* any CSEs are called. So it is not a CSE specific
thing. That being said, the interesting thing to check would be whether or
not the registry entry underlying the WAU setting is actually getting
applied. What you may also want to do is enable verbose userenv logging and
see what is happening when those security filtered GPOs are applied.


--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
Just Released! The new Windows Group Policy Guide from Microsoft Press!!!
Check it out at http://www.microsoft.com/mspress/books/8763.asp