Policy Processing Optimizations


The Group Policy engine is responsible for processing GPOs that apply the current computer or user. However, if the Group Policy engine reprocessed all GPOs that applied each time a processing cycle occurred, regardless of whether any changes had been made to those applicable GPOs, that would waste network and system resources. As a result, Microsoft built some optimizations into the Group Policy engine. Chief among those optimizations is the notion that during each policy processing cycle, no policy processing will actually occur if nothing has changed within the environment. Change can be a tricky thing, however. What constitutes a change is not always clear or obvious. It is more than just a change to a GPO—primarily because several things can affect which GPOs apply to a given computer or user.

The following types of changes will cause Group Policy processing to reprocess GPOs during a given cycle:

■ A change is made to the settings within a GPO processed by the user or computer

■ The list of GPOs applied to the computer or user changes (in other words, a new GPO is added or a previously processed one is removed)

■ A change is made to the user or computer’s security group membership, which may effect security group filtering

■ A change is made to a WMI filter (one is added to a GPO or one is removed) processed by the computer or user

Group Policy is not processed during each foreground and background cycle if nothing has changed, but there is an exception to that rule. Namely, security policy processing will refresh its settings every 16 hours by default, even if nothing has changed in the Group Policy infrastructure. The reason for this is a good one. If a user intentionally or inadvertently is able to make a change to her local system’s security policy, having Group Policy automatically reapply that policy from Active Directory every 16 hours can be useful.

Now that we have laid the foundation for how Group Policy is processed, let us look in more detail at some of the changes to Group Policy management that have been introduced in Windows Server 2008.