Re: Cached GPOs
From: Eric Voskuil (voskuil_at_online.autoprof.com)
Date: 09/08/04
- Next message: IanS: "Proxy settings - allow changes/auto apply"
- Previous message: Teo Chee Yang: "Re: Restrict membership of Power users local group"
- In reply to: Darren Mar-Elia: "Re: Cached GPOs"
- Next in thread: Darren Mar-Elia: "Re: Cached GPOs"
- Reply: Darren Mar-Elia: "Re: Cached GPOs"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 8 Sep 2004 00:01:16 -0400
It may have been that at one time when the users were off network they were
logging on locally (not to the domain). In that case user policy will apply
without a network.

When logged on to the domain, as you found, the domain policy must be
applied after local policy (precedence requires it), so if the domain is not
available - no user policy is processed.

When the computer is a member of a domain, computer policy will only process
when the computer is connected to the domain - for the same reasons.

As an aside, I'm trying to kill the myth about cached GPOs - there is no
such thing. GPOs don't download to the target computer (if anybody finds
one please let me know). The settings are read by individual extensions,
directly from SYSVOL (specifically the GPT).

Here's the simple matrix:

Logged on to a domain with no connection = no user policy applied
Computer is domain member with no connection = no computer policy applied
Logged on locally = local user policy always applied
Computer not domain member = local computer policy always applied

Policy settings will remain until they are replaced. Therefore GPOs may
give the *appearance* of being cached, but this is not the case.

Regards,
Eric

"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
news:uYbp%23nSlEHA.2948@TK2MSFTNGP11.phx.gbl...
> Andrew-
> I did a little testing with userenv logging enabled. Here's what I saw. I
> set a domain-based policy that removed run from the start menu. This policy
> was applied as expected. Then I pulled the computer off the network and
> edited the local policy to undo my domain policy. Then I did a gpupdate.
> What I saw in userenv.log is that, as the computer goes through its domain
> discovery process, when it is unable to find the domain, it simply bails out
> on GP processing. That is, the local GPO isn't processed at all. I hope
> that answers your 2nd question as well.
>
>
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Management
> http://www.gpoguy.com
>
>
>
> "Andrew" <lak18@hotmail.com> wrote in message
> news:76fd01c494fc$b0bbe5b0$a601280a@phx.gbl...
> > Thank you for your response, however I'm still a little
> > unclear...
> >
> > When a machine is off the network, and powered on, it
> > still goes through Group policy processing. It doesn't
> > have any domain policies to apply, since it's off the
> > network, making the local policy the only policy applied
> > during the processing. If the local policy has the screen
> > saver setting as "Not Defined" doesn't that become the
> > effective setting?
> >
> > Also, if I understand what you explained, is this true?
> > if I were to take a machine connected to the network and
> > shut it down, then while the machine is powered off,
> > delete my screen saver GPO from the DCs, wait for
> > replication, then power on the machine, this machine
> > would still have the screen saver tab hidden because none
> > of the existing GPO have modified the related registry
> > setting for the screen saver tab?
> >
> >
> >
> >>-----Original Message-----
> >>Andrew-
> >>Settings aren't cached per se. What happens is that when the GPO applies, in
> >>your example, a registry value is changed in the user's profile. That value
> >>stays put until GPO processing happens again that might otherwise remove it.
> >>The reason the behavior has changed is not clear to me. I have noticed,
> >>anecdotally, that sometime in the XP timeframe, GP processing behavior did
> >>change with respect to offline operation. For example, if I take a
> >>domain-based GPO off the domain network, and try to make changes to policy
> >>by editing the local GPO--those changes don't get applied until I'm back on
> >>the domain network. This essentially prevents someone from modifying domain
> >>policy simply by unplugging their machine from the network. This could be
> >>essentially the same effect you're seeing, with a slightly different twist.
> >>--
> >>Darren Mar-Elia
> >>MS-MVP-Windows Management
> >>http://www.gpoguy.com
> >>
> >>
> >>
> >>"Andrew" <Lak18@hotmail.com> wrote in message
> >>news:75f401c494ef$2bcebc40$a601280a@phx.gbl...
> >>>I haven't been able to get a clear cut answer to this
> >>> question. When a machine connects to a network and has
> >>> domain GPOs applied to it, do these GPOs cache on the
> >>> local machine, leaving them still in effect when working
> >>> offline? We have a Domain GPO which hides the screen
> >>> saver tab. Users used to be able to take their laptops
> >>> home, and then be able to access the screen saver tab.
> >>> Then once they reconnected to the network, the screen
> >>> saver tab would be removed again. This no longer seems to
> >>> function this way. Now when users take their laptops
> >>> home, they are still unable to access the screen saver
> >>> tab. I'm not sure what has changed and am unsure which
> >>> way it is designed to work. Can anyone shed some light on
> >>> the subject?
> >>>
> >>> Thank You
> >>> Andrew
> >>
> >>
> >>.
> >>
>
>
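
The processing rules discussed in this thread, as an added example that is not part of any poster's message and is not Windows' own implementation: a small model of why settings look "cached" when a domain user is offline. The function name, the `HideScreenSaverTab` setting name and the per-profile dictionaries are assumptions made for illustration.

```python
# Model of the behaviour described in this thread, not Windows' implementation.
# All names here (process_user_policy, HideScreenSaverTab, ...) are hypothetical.

def process_user_policy(registry, logon, domain_reachable, local_gpo, domain_gpos):
    """Run one user-policy processing pass and return "processed" or "skipped".

    registry    -- dict of policy values currently set in this user's profile
    logon       -- "domain" or "local"
    local_gpo   -- dict of settings defined in the local GPO
    domain_gpos -- list of dicts, lowest precedence first (read from SYSVOL)
    """
    if logon == "domain" and not domain_reachable:
        # Domain policy must be applied after local policy, so with no domain
        # the whole pass is abandoned and the profile's values are untouched.
        return "skipped"
    applicable = [local_gpo]
    if logon == "domain":
        applicable += domain_gpos
    merged = {}
    for gpo in applicable:      # later GPOs take precedence over earlier ones
        merged.update(gpo)
    registry.clear()            # values are only replaced on a completed pass
    registry.update(merged)
    return "processed"


def laptop_scenario():
    """Constructed walk-through: laptop on the network, then taken home."""
    domain_profile, local_profile = {}, {}
    hide_tab = {"HideScreenSaverTab": 1}
    undo = {"HideScreenSaverTab": 0}
    steps = []
    # 1. On the network: the domain GPO hides the screen saver tab.
    steps.append(process_user_policy(domain_profile, "domain", True, {}, [hide_tab]))
    # 2. Off the network: local GPO edited to undo it, then a policy refresh.
    steps.append(process_user_policy(domain_profile, "domain", False, undo, [hide_tab]))
    # 3. Off the network, logged on with a local account instead.
    steps.append(process_user_policy(local_profile, "local", False, {}, [hide_tab]))
    return steps, domain_profile, local_profile
```

In step 2 the value written in step 1 is still in the domain user's profile, which is the appearance of caching; nothing was fetched or stored as a GPO.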