If Group Policy settings don’t take effect immediately

Michael PietroforteMVP By Michael Pietroforte - Fri, March 23, 2007 - 10 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

The February issue of WindowsITPro has an interesting article about Group Policy annoyances (subscribers only). I think the most common problem is Group Policy settings not taking effect immediately. You change a setting and reboot the machine, but the change doesn’t seem to show immediately.

The cause for this problem could be that Group Policy Objects (GPOs) are processed asynchronously, by default. This means that processing occurs while Windows is still working on presenting the logon screen.

There are some Group Policy settings that need exclusive access to the computer or user environment. The most prominent ones are Software Installation and Folder Redirection. The latter might become important when you work with roaming profiles and start deploying Vista. Check out this post about Windows XP and Vista interoperability of roaming user profiles for more information.

There is a setting that tells Windows to process Group Policy synchronously. You can find it under Computer Configuration\Administrative Templates\System\Logon. You have to enable the policy “Always wait for the network at computer startup and logon“. This way, Group Policy will be processed synchronously. Note that this will increase the time needed to boot-up and logon.

-1+1 (No Ratings Yet)
Your question wasn't answered? Please ask in the new 4sysops forum!

10 Comments- Leave a Reply

  1. avatar Hugh says:

    I use ‘gpupdate /force’ and it seems to work (except for those changes that require reboot anyway). Great for customer machines where you are not the primary admin so making “extra changes” beyond what you are required to do can be problematical.

    Would be interested if anyone knows if there are any “traps” awaiting me using this command.

  2. Michael Pietroforte Michael says:

    You’re right, you can always use gpupdate. I use it often whenever I test Group Policy, and it works reliably. However, I doubt that it will help with the problem I discussed in the post. Sometimes, it is important that policies are applied at the right moment. Folder redirection is one example. If you run gpupdate after you logged on, it is already too late.

  3. avatar Civisi says:

    Instead of just using ‘gpupdate /force’ you should also use ‘gpupdate’ by itself before running it with the /force switch. Some policies are only applied through a normal refresh, while others will require the /force switch to fully take effect.

  4. There’s also ‘gpupdate /force /boot’. That one’s quite useful when applying changes that require a reboot (like software installation). ‘gpupdate /sync’ can be useful, too.


  5. avatar Steve Carneol says:

    I am finding that if you try running gpupdate/force /boot remotely using psexec or any other remote management tool while a user is not logged on, the computer will not reboot even though it requires one in order for the Group Policy to apply. Adding a shutdown command to the process obviously solves the problem.

  6. I’m currently migrating to 2008R2 and I have folder redirection in place. Updating the GPO and then forcing it to update with gpupdate /force /boot doesn’t work. The machine boots back up and still goes to the old location. I’ve tried it about 10 times on an XP machine (the definition of insanity I hear) with no luck. Anyone have a clue on how to get a folder redirection policy to actually update on XP, Vista, 7 workstations?

  7. avatar Shah Murad says:

    After adding Server 2008 R2 in 2003 Forest and Domain environment, I am noticing that new GPO’s are not working on XP SP3 Pro Clients! Even something as simple as Hide Run Command, My Documents folder redir.
    Any idas?

    Tried the following:

    *Removed PC from domain, re-added
    *Creaeted Test OU, created Test User, USER specific GPO’s not applied
    *Teasted creating GPO’s from both Server 2008 R2 and then Server 2003 R2, still no luck
    *DCdiag had no errors (except for ROCD Prep was not run..)
    *GPResult.exe does not even show the new GPO as applied or not applied.
    Google search revealed that many other IT Admins encountered same errors, GPOs are not working.
    Any insights on this?
    Thanks guys~

  8. avatar Shah Murad says:

    Noticed the posting by Chris (iteam #6).. I too started with Folder Redirection and then after few tests, I found out that No New GPO’s are beein applied.
    What a horrible experience with Server 2008 R2!!

  9. avatar Michaël Van den Steen says:

    Exactly what I needed, thanks a lot!

  10. avatar Manong P. says:

    Hi, I am new to GP and I was experimenting with a policy that I applied on my test lab. I made a policy to automatically map a network drive but it doesn’t work when “Link Enabled” is applied. When I tried to “Enforce” the policy in the OU, the policy worked. What seems to be the problem? Do I need to always “ENFORCE” a policy to make it work? I’ve noticed that the Default Domain Policy works even without Enforcing it.

Please share your thoughts in a comment!