The previous sections of this chapter provide some understanding of Group Policy application and usage. Before we discuss actually implementing GPO, there are a few systemic issues to address regarding Group Policy behavior.
Understanding the basic Group Policy refresh schedule is helpful when changing group policies on your local system. Once a group policy has been changed on a domain controller, the group policies on the local system must be refreshed in order to take effect. Client computers that are not domain controllers receive policy refreshes every 90 minutes plus or minus a random time interval. The random interval helps distribute client requests evenly so that they do not all come in at the same time. To change the interval in a GPO, select Computer Configuration → Administrative Templates → System → Group Policy → Group Policy refresh interval for computers (Figure 8.30).
Domain controllers refresh group policies more frequently. The default Group Policy setting for DCs, via Computer Configuration → Administrative Templates → System → Group Policy → Group Policy refresh interval for domain controllers, sets the refresh interval to 5 minutes (Figure 8.31). This is why successive examples should be executed on a domain controller.
NOTE
Security policy refresh can be instigated from the command line. The gpupdate command has replaced the secedit utility. Use secedit for Windows 2000 servers and gpupdate for Windows 2003 servers. These commands are discussed in the appendix; their basic forms are:
secedit /refreshpolicy machine_policy /enforce (for Windows 2000 computer settings)
secedit /refreshpolicy user_policy /enforce (for Windows 2000 user settings)
gpupdate /force (Windows Server 2003)
Group policies are also refreshed when the system is started. Obviously, shutting down and booting a system could prove troublesome when simply trying to refresh policy settings.
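The following PowerShell is an added example, not code from the book. It reads the registry values written by the two refresh-interval settings described above and reports how long a changed security setting can take to reach this computer without a manual refresh or a restart. The registry value names belong to those two Administrative Templates settings; the fallback defaults used when no GPO configures them (90 minutes plus up to 30 for computers, 5 plus 0 for domain controllers) and the use of PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the book. Reports the Group Policy refresh window
# that applies to this computer, from the policy registry values written by
# the two Administrative Templates settings described above.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Value names and fallback defaults (minutes). The fallbacks are assumptions:
# 90 + up to 30 for computers, 5 + 0 for domain controllers.
if ($isDC) {
    $cfg = @{ Interval = 'GroupPolicyRefreshTimeDC'; Offset = 'GroupPolicyRefreshTimeOffsetDC'
              DefInterval = 5; DefOffset = 0 }
} else {
    $cfg = @{ Interval = 'GroupPolicyRefreshTime'; Offset = 'GroupPolicyRefreshTimeOffset'
              DefInterval = 90; DefOffset = 30 }
}

function Get-PolicyMinutes {
    param([string]$Name, [int]$Default)
    # A missing key or value means the setting is "Not Configured" in every GPO.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        [pscustomobject]@{ Minutes = [int]$item.$Name; Source = 'GPO' }
    } else {
        [pscustomobject]@{ Minutes = $Default; Source = 'default (assumed)' }
    }
}

$interval = Get-PolicyMinutes -Name $cfg.Interval -Default $cfg.DefInterval
$offset   = Get-PolicyMinutes -Name $cfg.Offset   -Default $cfg.DefOffset

[pscustomobject]@{
    Role            = if ($isDC) { 'Domain controller' } else { 'Member computer' }
    IntervalMinutes = $interval.Minutes
    IntervalSource  = $interval.Source
    MaxOffsetMin    = $offset.Minutes
    OffsetSource    = $offset.Source
    # Longest wait before a changed security setting is picked up
    # without a manual refresh or a restart.
    WorstCaseMin    = $interval.Minutes + $offset.Minutes
}
```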
In addition to performing the functions of the primary domain controller (PDC Emulator), the PDC Operations Manager is the default domain controller that handles Group Policy modifications. When the PDC Operations Manager is not available, an error message is displayed and the administrator may select another domain controller to handle changes. When you do this, be sure that all previous Group Policy changes have propagated throughout the domain and that no other administrator is currently making modifications.