Processing Group Policy Objects

Group policies are processed and applied initially when the computer starts up and when the user logs on. After the initial application, group policies are processed and applied at regular intervals. By default, during the refresh interval, the client computer retrieves the Group Policy objects only if the GPO version stored in Active Directory is incremented. You can change this behavior in the Group Policy settings that affect group policies. In addition, you can manually refresh Group Policy settings.

Initial Group Policy Application

GPOs are processed when the computer is started and when the user logs on via the Security dialog box. When a computer boots up, settings from the LGPO are applied, if present. Then, the computer retrieves all the settings from the site, if present. If two or more GPOs are linked to a container, they are processed starting with those of the lowest precedence, which appear lower in the user interface. Domain GPOs are then retrieved and processed, as are OU Group Policy objects (if present), beginning with the root OU and continuing to the computer's parent object.

Settings in Group Policy objects are cumulative; however, if the settings conflict with each other, the policy processed later will override the previous setting. For example, suppose that at the domain level, a software package is assigned and the number of previously cached logons is set to five. Now suppose that a policy at the OU level defines a startup script and sets the number of cached logons to two. The resultant settings will include installation of the software package, application of the startup script, and caching of two logons.
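
The following Python model is an added example, not code from the book. It applies the ordering rules described above (local, site, domain, then OUs from the root down, with the lowest-listed link on a container processed first) and records which GPO supplied each resultant setting. The class, field, GPO and setting names are constructed for illustration, and the model covers only the rules stated in this section.

```python
from dataclasses import dataclass, field

# Processing order from the text: local GPO, site, domain, then OUs from the
# root OU down to the computer's parent object.
LEVELS = ("local", "site", "domain", "ou")

@dataclass
class Gpo:
    name: str
    level: str            # one of LEVELS
    depth: int = 0        # OUs only: 0 = root OU, larger = nearer the computer
    link_order: int = 1   # position in the container's list; 1 = top of the UI
    settings: dict = field(default_factory=dict)

def processing_order(gpos):
    """Sort GPOs into the order a client applies them."""
    # On one container, the GPO lowest in the list is processed first.
    return sorted(gpos, key=lambda g: (LEVELS.index(g.level), g.depth, -g.link_order))

def resultant_settings(gpos):
    """Merge settings cumulatively; a later GPO overrides a conflicting value."""
    result = {}
    for gpo in processing_order(gpos):
        for key, value in gpo.settings.items():
            earlier = result.get(key)
            result[key] = {"value": value, "source": gpo.name,
                           "overrode": earlier["source"] if earlier else None}
    return result

# Constructed sample: the domain/OU conflict from the text, plus a second GPO
# linked lower on the same OU to exercise the link-order rule.
SAMPLE = [
    Gpo("OU Baseline", "ou", depth=1, link_order=1,
        settings={"startup_script": "startup.cmd", "cached_logons": 2}),
    Gpo("Domain Policy", "domain",
        settings={"assigned_package": "package.msi", "cached_logons": 5}),
    Gpo("OU Legacy", "ou", depth=1, link_order=2,
        settings={"cached_logons": 10}),
]

if __name__ == "__main__":
    print([g.name for g in processing_order(SAMPLE)])
    for key, info in resultant_settings(SAMPLE).items():
        print(f"{key} = {info['value']!r} (from {info['source']}, overrode {info['overrode']})")
```

Recording the source of each value makes it easy to see when a GPO linked closer to the computer has replaced a security setting defined at the domain level.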

When the user logs on, the GPOs are processed in the same order that the computer-related group policies are applied. If a setting creates a conflict between the computer-related Group Policy applied and the user-related Group Policy applied (such as conflicting Task Scheduler Administrative Templates settings), the computer-related Group Policy setting will generally apply.

Group Policy Refresh

Group Policy is processed periodically, according to a defined interval. By default, for nondomain controllers, this occurs every 90 minutes with a randomized offset of up to 30 minutes. For domain controllers, Group Policy is refreshed every 5 minutes. You can change these default values by using a Group Policy setting in Administrative Templates. Setting the value to 0 minutes causes the refresh rate to be set to 7 seconds. While most changes made to GPOs or settings in new GPOs will be enforced during the refresh cycles, the following settings will not be enforced:

  • Computer-related group policies for Software Installation

  • User-related group policies for Software Installation

  • User-related group policies for Folder Redirection

These settings are refreshed the next time that the computer is restarted or the user interactively logs on.

Security settings in a computer-related Group Policy are refreshed every 16 hours, regardless of whether a change in Group Policy is detected by the client.

On-Demand Processing

You can also trigger a background refresh of Group Policy on demand from the client. However, the application of Group Policy cannot be pushed to clients on demand from the server. To refresh Group Policy manually on Windows 2000 computers, use the Secedit command as follows:

Computer-related group policies

Type secedit /refreshpolicy machine_policy /enforce at the command prompt.

User-related group policies

Type secedit /refreshpolicy user_policy /enforce at the command prompt.

To refresh Group Policy manually on Windows XP computers, use the Gpupdate command as follows:

Computer-related group policies

Type gpupdate /target:computer /force at the command prompt.

User-related group policies

Type gpupdate /target:user /force at the command prompt.

Both computer-related and user-related group policies

Type gpupdate /force at the command prompt.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
