If Group Policy settings don’t take effect immediately
By Michael Pietroforte
The February issue of WindowsITPro has an interesting article about Group Policy annoyances (subscribers only). I think the most common problem is Group Policy settings not taking effect immediately. You change a setting and reboot the machine, but the change doesn’t seem to show immediately.
The cause of this problem could be that Group Policy Objects (GPOs) are processed asynchronously by default. This means that processing occurs while Windows is still working on presenting the logon screen.
There are some Group Policy settings that need exclusive access to the computer or user environment. The most prominent ones are Software Installation and Folder Redirection. The latter might become important when you work with roaming profiles and start deploying Vista. Check out this post about Windows XP and Vista interoperability of roaming user profiles for more information.
There is a setting that tells Windows to process Group Policy synchronously. You can find it under Computer Configuration\Administrative Templates\System\Logon. You have to enable the policy “Always wait for the network at computer startup and logon”. This way, Group Policy will be processed synchronously. Note that this will increase the time needed to boot up and log on.
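
To confirm that the setting has actually reached a machine, the following added example (not from the original article) reads the policy's registry value locally or over PowerShell remoting. It assumes the policy is stored as the DWORD SyncForegroundPolicy under the Winlogon policy key; the function name and output property names are hypothetical.

```powershell
# Added example, not from the article. Assumption: the policy is stored as the
# DWORD SyncForegroundPolicy under the Winlogon policy key (1 = enabled).
function Get-GpoSyncProcessingState {
    [CmdletBinding()]
    param(
        # Hypothetical default: audit only the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on the target machine and returns one of three states.
    $probe = {
        $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $name = 'SyncForegroundPolicy'
        $prop = $null
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        }
        if ($null -eq $prop)       { 'NotConfigured' }  # value absent: Windows default applies
        elseif ($prop.$name -eq 1) { 'Enabled' }        # synchronous foreground processing
        else                       { 'Disabled' }       # explicitly turned off
    }

    foreach ($computer in $ComputerName) {
        try {
            $state = if ($computer -eq $env:COMPUTERNAME) {
                & $probe
            } else {
                # Requires PowerShell remoting (WinRM) on the target.
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
        } catch {
            $state = 'Unreachable'   # remoting failed or access was denied
        }
        [pscustomobject]@{
            ComputerName         = $computer
            AlwaysWaitForNetwork = [string]$state
        }
    }
}

# Local check; pass -ComputerName for a list of remote machines.
Get-GpoSyncProcessingState | Format-Table -AutoSize
```

A result of NotConfigured means no applied GPO sets the value on that machine, so the Windows default processing mode is still in use.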







I use ‘gpupdate /force’ and it seems to work (except for those changes that require reboot anyway). Great for customer machines where you are not the primary admin so making “extra changes” beyond what you are required to do can be problematical.
Would be interested if anyone knows if there are any “traps” awaiting me using this command.
You’re right, you can always use gpupdate. I use it often whenever I test Group Policy, and it works reliably. However, I doubt that it will help with the problem I discussed in the post. Sometimes, it is important that policies are applied at the right moment. Folder redirection is one example. If you run gpupdate after you logged on, it is already too late.
Instead of just using ‘gpupdate /force’ you should also use ‘gpupdate’ by itself before running it with the /force switch. Some policies are only applied through a normal refresh, while others will require the /force switch to fully take effect.
There’s also ‘gpupdate /force /boot’. That one’s quite useful when applying changes that require a reboot (like software installation). ‘gpupdate /sync’ can be useful, too.
-b
I am finding that if you try running gpupdate /force /boot remotely using psexec or any other remote management tool while a user is not logged on, the computer will not reboot even though it requires one in order for the Group Policy to apply. Adding a shutdown command to the process obviously solves the problem.