The February issue of WindowsITPro has an interesting article about Group Policy annoyances (subscribers only). I think the most common problem is Group Policy settings not taking effect immediately. You change a setting and reboot the machine, but the change doesn't seem to show immediately.
The cause of this problem could be that Group Policy Objects (GPOs) are processed asynchronously by default. This means that processing occurs while Windows is still working on presenting the logon screen.
There are some Group Policy settings that need exclusive access to the computer or user environment. The most prominent ones are Software Installation and Folder Redirection. The latter might become important when you work with roaming profiles and start deploying Vista. Check out this post about Windows XP and Vista interoperability of roaming user profiles for more information.
There is a setting that tells Windows to process Group Policy synchronously. You can find it under Computer Configuration\Administrative Templates\System\Logon. You have to enable the policy "Always wait for the network at computer startup and logon". With this policy enabled, Group Policy is processed synchronously. Note that this will increase the time needed to boot up and log on.
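To confirm on a client that the setting described above has actually arrived, this added example (not part of the original post) reads the registry value that backs the policy and lists the most recent foreground processing events. The function names are hypothetical, and the event data field names PrincipalSamName and IsAsyncProcessing are assumptions to check against an event on your own system; the event log part needs Vista or later.

```powershell
# Added example, not from the original post. Run locally on the client.
function Get-ForegroundPolicyMode {
    # Registry value written by "Always wait for the network at computer
    # startup and logon": 1 means synchronous foreground processing.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop  = Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.SyncForegroundPolicy } else { $null }

    if ($null -eq $value) { $state = 'Not configured (OS default applies)' }
    elseif ($value -eq 1) { $state = 'Enabled (synchronous, waits for network)' }
    else                  { $state = 'Disabled (asynchronous allowed)' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        PolicyValue = $value
        State       = $state
    }
}

function Get-LastForegroundProcessing {
    # 4000 = computer boot processing started, 4001 = user logon processing started
    $filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 4000, 4001 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs into a lookup table
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $phase = if ($_.Id -eq 4000) { 'Computer boot' } else { 'User logon' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Phase     = $phase
                Principal = $data['PrincipalSamName']   # assumed field name
                Async     = $data['IsAsyncProcessing']  # assumed field name
            }
        }
}

Get-ForegroundPolicyMode | Format-List
Get-LastForegroundProcessing | Format-Table -AutoSize
```

If the state shows as enabled but the latest boot or logon events still report asynchronous processing, the GPO carrying the setting had most likely not been applied before that boot; compare after the next restart.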
I use ‘gpupdate /force’ and it seems to work (except for those changes that require reboot anyway). Great for customer machines where you are not the primary admin so making “extra changes” beyond what you are required to do can be problematical.
Would be interested if anyone knows if there are any “traps” awaiting me using this command.
You’re right, you can always use gpupdate. I use it often whenever I test Group Policy, and it works reliably. However, I doubt that it will help with the problem I discussed in the post. Sometimes, it is important that policies are applied at the right moment. Folder redirection is one example. If you run gpupdate after you logged on, it is already too late.
Instead of just using ‘gpupdate /force’ you should also use ‘gpupdate’ by itself before running it with the /force switch. Some policies are only applied through a normal refresh, while others will require the /force switch to fully take effect.
There’s also ‘gpupdate /force /boot’. That one’s quite useful when applying changes that require a reboot (like software installation). ‘gpupdate /sync’ can be useful, too.
-b
I am finding that if you try running gpupdate /force /boot remotely using psexec or any other remote management tool while a user is not logged on, the computer will not reboot even though it requires one in order for the Group Policy to apply. Adding a shutdown command to the process obviously solves the problem.
I’m currently migrating to 2008R2 and I have folder redirection in place. Updating the GPO and then forcing it to update with gpupdate /force /boot doesn’t work. The machine boots back up and still goes to the old location. I’ve tried it about 10 times on an XP machine (the definition of insanity I hear) with no luck. Anyone have a clue on how to get a folder redirection policy to actually update on XP, Vista, 7 workstations?
After adding Server 2008 R2 in 2003 Forest and Domain environment, I am noticing that new GPO’s are not working on XP SP3 Pro Clients! Even something as simple as Hide Run Command, My Documents folder redir.
Any ideas?
Tried the following:
*Removed PC from domain, re-added
*Created Test OU, created Test User, USER specific GPO’s not applied
*Tested creating GPO’s from both Server 2008 R2 and then Server 2003 R2, still no luck
*DCdiag had no errors (except for RODC Prep was not run..)
*GPResult.exe does not even show the new GPO as applied or not applied.
Google search revealed that many other IT Admins encountered same errors, GPOs are not working.
Any insights on this?
Thanks guys~
Noticed the posting by Chris (item #6).. I too started with Folder Redirection and then after a few tests, I found out that No New GPO’s are being applied.
What a horrible experience with Server 2008 R2!!
Exactly what I needed, thanks a lot!
Hi, I am new to GP and I was experimenting with a policy that I applied on my test lab. I made a policy to automatically map a network drive but it doesn’t work when “Link Enabled” is applied. When I tried to “Enforce” the policy in the OU, the policy worked. What seems to be the problem? Do I need to always “ENFORCE” a policy to make it work? I’ve noticed that the Default Domain Policy works even without Enforcing it.
I have another issue (all hosts are run in Hyper-V). When I do ‘gpupdate’ to apply the latest GPOs it doesn’t apply them. The user at the host has to sign off and then sign in to get the GPOs.
I have configured a GPO for automatic Windows update. It is linked and applied to the correct OU. I have also applied the GPO for “always wait for network logon” at the same level and enforced the same. However, when the machine reboots, the GPO does not seem to take effect. I can see that the settings are applied in RSOP. But, it is not reflected in the Windows Update section. If I force a gpupdate, it will be visible as desired.
Keeping a long story short, GPO is applied but does not take effect after reboot.
Any help would be appreciated.