Re: Group Policy Downloading unchanged GPO's

I don't think they view it as a bug :). Its somehow intended behavior, though no one has explained adequately why, as of yet.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at http://www.sdmsoftware.com/products.php


"msnews.microsoft.com" <vivin_george@xxxxxxxxx> wrote in message news:uhFPJlHNHHA.4916@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the clarification Darren.

We carried out some test to see the GPO behaviour by capturing the network traffic. On analysis we understand that if a CSE has multiple GPO's then even if one of the GPO changes, all the GPO's belonging to that CSE gets read (Not downloaded).

As for issue #2, are you aware of any plans from MS to resolve this??

Regards


"Darren Mar-Elia" <dmanonymous@xxxxxxxxxxxxx> wrote in message news:EB01AE7E-4152-41FA-9ED3-6193AB20908E@xxxxxxxxxxxxxxxx
To answer question #1, because GPO settings aren't cached (in other words, they are not held in some separate place on the client), then yes, all settings from all 3 GPOs would be read by the client if just one GPO changes. You also have to be careful with the word "download". GPOs aren't copied lock, stock and barrel to the client. Let's say, for example, that the registry extension needs to run. It has a list of GPOs that implement registry policy and so it read the GPT portion of those GPOs and copies the registry.pol files from each GPO into memory, where it merges them according to precedence and then applies them to the registry.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at http://www.sdmsoftware.com/products.php


"Vivin George" <VivinGeorge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:55B2407D-8113-4323-81ED-532FCC524445@xxxxxxxxxxxxxxxx
Thanks Darren for the response.

Regarding Issue #1, I agree that all the policies needs to be reapplied but
are you also saying that all the 3 GPO's would be downloaded from the DC even
if only one GPO changes? My understanding was if the version of GPO does not
match with the client then only the changed GPO's are downloaded. Is this
correct?

Regarding Issue #2, we found an interesting link which talks of a similar
issue.
http://www.minasi.com/forum/topic.asp?TOPIC_ID=20647.
This explains the "Why" part of the issue.

Thanks & Regards
--
Vivin


"Darren Mar-Elia" wrote:

Both are expected behavior. On the first, let's say you have 3 GPOs that all
implement registry policy for a given user or computer. If you change one of
them, then they all have to re-apply during the next foreground or
background processing cycle, otherwise the precedence of GP would be broken.

The second is more subtle but also expected. The effect of transferring the
FSMO role results in Windows trying to sync up the PDCe with the Default
Domain Policy for account policy. I couldn't tell why MS does this, but they
do, and I've seen it before.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
http://www.sdmsoftware.com/products.php


"Vivin George" <VivinGeorge@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1645928E-994F-4AD9-93F5-7CE305883D0F@xxxxxxxxxxxxxxxx
> Hi,
> We have a Win2k3 SP1 domain with 2003 functional level ( forest and
> domain).
> The current implementation has GPO's configured at Domain, User and
> computer
> OU's.
> We have noticed 2 isssues related to GPO:
>
> 1) When any one GPO linked at OU or domain is changed, the clients on
> rebooting downloads the changed GPO and also some of the unchanged > GPO's
> event though there are no changes in the GPO or the GPT.ini version. > This
> results in large traffic on the WAN.
>
> 2) After transfering the FSMO role we find the values of default > domain
> policy is modified with the value of the overriding custom domain > policy.
>
> Please let me know if this issue has been noticed by anybody. If so > the
> cause and possible resolution.
>
> Thanks & Regards
> -- > Vivin





.

Relevant Pages

  • Re: Set GPO for specific user group
    ... Click on the domain name in Group Policy Management, select the GPO and then click the arrow to the left to move it to the top of the list ... Filtering: Denied ...
    (microsoft.public.windows.server.sbs)
  • Re: GPO Question
    ... Group Policy Processing ... As described earlier in this paper, Group Policy is processed in the ... Local Group Policy Object, ... Any domain-based GPO may be enforced by using the Enforce ...
    (microsoft.public.win2000.group_policy)
  • Re: group policy preferences
    ... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: ShockwaveTest ... GPO: Default Domain Policy ...
    (microsoft.public.windows.server.active_directory)
  • re: Microsoft IPSec
    ... My original intention for enabling IPsec was the prevent users from ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ...
    (Security-Basics)
  • RE: GPO settings are not applied
    ... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: Automatic_Updates ... GPO: Default Domain Policy ... Secure Proxy Server: N/A ...
    (microsoft.public.windows.server.active_directory)