Group Policy doesn't just pick and choose when it wants to apply. Rather, a specific set of rules is followed when it comes time to process. Understanding these rules is paramount in helping you pre-troubleshoot Group Policy problems. Many other things can affect the Group Policy engine, including loopback policy processing and how users connect over slow links.
Group Policy processing with a cross-forest trust can be tricky because each operating system and service pack has its own way of doing things, but hopefully the text, examples, and Table 3.1 can help you with any problems.
Last, try to get away from any NT 4 System Policy. Remember that they tattoo and are difficult to fully scrub out of your environment.
Here are a few things to keep in mind:
Remember initial policy processing. Windows 2000 and Windows 2003 machines process all GPOs when the computer starts up or when the user logs on. Remember, there is no ongoing initial policy processing for Windows XP machines by default. That is, by default, XP only performs initial policy processing when a user has never logged on to the machine before (or if the computer has just joined the domain).
Remember background refresh policy processing (member servers). For Windows 2000, Windows 2003, and Windows XP member machines, this happens some time after the user is logged on (usually 90 minutes or so).
Remember background refresh policy for Windows XP. By default, Windows XP is unique and processes GPOs only in the background (asynchronously). Some features, such as Software Distribution, Folder Redirection, and other functions take two reboots or logons to take effect. Advanced Folder Redirection takes three logons to take effect. This is because these special functions can be processed only in the foreground. You can turn off this feature as described earlier in this chapter.
Remember background refresh policy processing (Domain Controllers). Windows 2000 and Windows 2003 Domain Controllers receive a background refresh every 5 minutes (after replication has occurred).
Security policy processing occurs every 16 hours. For all operating systems, every 16 hours, only the security settings within all GPOs are reprocessed and applied, regardless of whether security settings have changed. This ensures that all security functions in all GPOs are reprocessed if someone has gone around the security on the system manually.
Leverage "Process Even If the Group Policy Objects Have Not Changed." You can tell many other Group Policy categories (such as Administrative Templates) to also refresh at the background refresh interval. This will make those categories more secure and less susceptible to attack.
How Group Policy reacts in cross-domain scenarios depends on the operating system. Refer to the "Cross-Forest Trust Client Matrix" section earlier in this chapter for information on how specific operating systems react during cross-forest trust scenarios.
Be careful and test when using NT 4 and Active Directory with Group Policy. If you're still migrating from NT 4 to Windows 2000 or Windows 2003, you'll need to understand the reaction when user and/or computer accounts still have a foot in NT 4. With that in mind, test, test, test before you deploy.
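To check from the client side whether "Process Even If the Group Policy Objects Have Not Changed" is in force, the following added example (not from the original text) reads the per-extension policy values on a machine. It assumes a system with PowerShell available; the registry path, the value names NoGPOListChanges and NoBackgroundPolicy, and the client-side extension GUIDs come from the standard Windows policy registry layout, not from this chapter.

```powershell
# Added example: report, per client-side extension (CSE), whether policy is
# reapplied at refresh even when no GPO has changed.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

# CSE GUIDs as registered by Windows (assumption: not listed on this page).
$cses = [ordered]@{
    'Registry (Administrative Templates)' = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    'Security'                            = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    'Scripts'                             = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'
}

$report = foreach ($name in $cses.Keys) {
    $key   = Join-Path $base $cses[$name]
    # A missing key means the "policy processing" setting was never configured.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

    $unchanged = if ($null -eq $props -or $null -eq $props.NoGPOListChanges) {
        'Not configured (extension default applies)'
    } elseif ($props.NoGPOListChanges -eq 0) {
        'Reapplied even if GPOs have not changed'
    } else {
        'Skipped when GPOs have not changed'
    }

    $background = if ($null -eq $props -or $null -eq $props.NoBackgroundPolicy) {
        'Not configured'
    } elseif ($props.NoBackgroundPolicy -eq 0) {
        'Applied during background refresh'
    } else {
        'Not applied during background refresh'
    }

    [pscustomobject]@{
        Extension         = $name
        UnchangedGPOs     = $unchanged
        BackgroundRefresh = $background
    }
}

$report | Format-Table -AutoSize
```

An extension that shows "Not configured" or "Skipped" is one where a manual change made on the machine can persist until a GPO is edited or a forced refresh occurs.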