
policy propagation confusions

Discussion in 'General Microsoft Certifications' started by supernova, Feb 25, 2009.

  1. supernova

    supernova Gigabyte Poster

    I read somewhere that "policy propagation" is carried out every 8hrs

    However, I also read that Group Policy refreshes every 90 minutes for the computer and user

    I thought that these were referring to the same thing. Could anyone please explain?
     
    Certifications: Loads
    WIP: Lots
  2. Simon-MCT

    Simon-MCT Bit Poster

    I'm not sure where you got that 8 hrs from. Group Policy Objects are stored in AD and are therefore subject to AD replication times between DCs. It's possible it's referring to times between sites, but the default for that is 3 hrs (180 mins). Between DCs in the same site it's 5 mins.

    The desktop clients will check back with the DC that authenticated them every 90 minutes plus a random offset of up to 30 mins to see if the Group Policy that was applied at that time has changed, though there is a glitch even with this.

    The glitch is this: The system uses "Fast Refresh" - if GPO1 with settings A, B and C was there at 9am, it will have been applied to the desktop PC at 9am.
    If the Admin adds setting D to GPO1 at 10am, at 10.30am (90 mins after 9am) the desktop PC says "Oh, I got GPO1 at 9am, I don't need to do anything" and setting D is NOT applied.

    It WILL be applied if the PC reboots (if it's a computer setting) or if the User logs off & on again (if it's a User setting)

    The general workaround is, if Setting D must be applied "before lunchtime" as your boss tells you.....

    Add setting D to GPO1, but also create GPO1-Temp with Setting D in it, at 10am. When Group Policy refreshes at 10.30am, it sees GPO1-Temp which it didn't get at 9am, and applies it.

    You need to leave GPO1-Temp on your system for 24 hrs or so, by which time most users will have logged off or rebooted, to get the setting D from GPO1 as normal.

    If you have all your desktops do a "gpupdate /force" that will negate having to do any of that, but your users don't usually have access to the Run command or the Admin rights to do this, do they???:D
     
    Certifications: MCSE:Sec;MCITP; MCTS; MCT; A+,Sec+
    WIP: CCNA
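To see on a given client which interval is in effect and when policy was last processed, the check below can be run in PowerShell. It is an added example, not part of the thread; it assumes Windows Vista or later (where the Group Policy operational event log exists) and uses the 90-minute and 30-minute defaults quoted in the post above when no refresh-interval policy is configured.

```powershell
# Added example, not from the thread. Reports the effective background refresh
# interval for computer policy and the window for the next refresh.
# Assumption: Windows Vista or later (Group Policy operational log present).

function Get-GpRefreshWindow {
    # Defaults are the figures quoted in the thread: 90 minutes + up to 30 minutes.
    $interval = 90
    $offset   = 30

    # Values written by the "Set Group Policy refresh interval for computers"
    # setting, if an administrator has configured it.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($policy -and $null -ne $policy.GroupPolicyRefreshTime) {
        $interval = [int]$policy.GroupPolicyRefreshTime
    }
    if ($policy -and $null -ne $policy.GroupPolicyRefreshTimeOffset) {
        $offset = [int]$policy.GroupPolicyRefreshTimeOffset
    }

    # Most recent "policy processing completed successfully" event
    # (IDs 8000-8007 cover startup, logon, manual and periodic refreshes,
    # for both computer and user policy).
    $filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8000..8007 }
    $last   = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    $result = [ordered]@{
        IntervalMinutes  = $interval
        MaxOffsetMinutes = $offset
        LastProcessed    = $null
        LastEventId      = $null
        NextEarliest     = $null
        NextLatest       = $null
    }
    if ($last) {
        # The next background refresh falls somewhere in this window
        # because of the random offset.
        $result.LastProcessed = $last.TimeCreated
        $result.LastEventId   = $last.Id
        $result.NextEarliest  = $last.TimeCreated.AddMinutes($interval)
        $result.NextLatest    = $last.TimeCreated.AddMinutes($interval + $offset)
    }
    [pscustomobject]$result
}

Get-GpRefreshWindow | Format-List
```

Reading the operational log may require an elevated prompt; if `LastProcessed` comes back empty, the log is disabled, cleared, or not readable by the current user.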
  3. supernova

    supernova Gigabyte Poster

    Thanks for answering,

    I see this 8 hours pop up in many texts when auditing and importing security templates into GPOs comes up

    By default the policy propagation is carried out every 8hrs

    However, I first came across it on a Transcender flashcard for the MCDST 271; the flashcards have no references or explanations like the tests :-(

    Importing a Security Template to a GPO
    http://windows-cert.net/MS.Press-MCSE.Training.Kit-M/ch21f.htm

    Active Directory Security Solutions -
    http://www.toggit.com/217/217tguide.asp

    Implement an audit policy:
    http://www.reload.pt/ad.htm

    Implement an audit policy:
    http://www.scribd.com/doc/6799171/Mcse-Exam-70217-Ads-Full-Access

    Problem is I don't know what the difference is between the two in my original post; I thought it was the same.
     
    Certifications: Loads
    WIP: Lots
  4. Simon-MCT

    Simon-MCT Bit Poster

    Hi Andi,

    After browsing through some of those links I see where the confusion is arising. Let me try to put it in context for you.

    The "Security Configuration and Analysis" tool can be used to apply a Security Template to a particular PC or server. That PC or server does not have to be in a domain or have access to AD, it could be in a workgroup, for example, or be a member server.

    The settings that can be applied are only the ones under the "Security" node of Local Policy.

    These will be refreshed every 8 hours and the settings in the template reapplied, unless you force it to happen before that by either using the "Sec Conf & analysis" tool - "Configure Computer" or secedit from the command prompt.


    As soon as you involve AD and Group Policy - e.g. importing the template into a GPO - then that 8 hours timing goes out of the window and normal Group Policy refresh rates apply, as I mentioned in my prior post.

    Hope this helps.

    Edit: The word "Policy" doesn't always refer exclusively to Group Policy and Group Policy Objects!
     
    Certifications: MCSE:Sec;MCITP; MCTS; MCT; A+,Sec+
    WIP: CCNA
  5. supernova

    supernova Gigabyte Poster

    Nice one Simon

    Thanks for that.
     
    Certifications: Loads
    WIP: Lots
