Why can it take 10+ hours for Group Policy settings to Apply?

clockHave you ever applied a Group Policy and then waited the standard 90 minutes for the setting to apply only to find out that after a few hours the policy still has not been set yet. Even trying to force a GPUPDATE still does not trigger the change but then the next day the policy has applied as expected. What is going on here?

This is a situation that is commonly caused if you are using security group filtering for applying policy settings. The problem is that the Group Policy object you have applied to the user or computer requires security group membership to evaluate that it can apply to that computer. The group membership will have been replicated in Active Directory however the Kerberos Ticket Granting Ticket (TGT) on the local computer also needs to be updated. This TGT refresh is by default is configured to only happen every 10 hours in Active Directory.

A way to check this is to do a Group Policy Result report against the user of computer and then check the  “Security Group Membership” by clicking the “Show” option under the “Details” tab.

Note: In older version of the Group Policy Management Console, this will be visible under the “Security Group Membership when Group Policy was applied” under the “Summary” tab.

image

As you can see below this will show you all the security group memberships that were used when the Group Policy was last processed on that computer.

image

As this is only showing the membership when the policy has been applied it is possible that the Group Membership on the local computer has updated since the last policy upgrade depending on the refresh timing. Performing a GPUPDATE *MIGHT* make the policy settings applied if the Kerberos token on the computer/user has updated since the last Group Policy Update. But, the only sure fire way to be sure that the new group membership straight away is to either log off as the user or reboot the computer to refresh the Kerberos token.

You do have the option to reduce or increase this refresh value you can do this by modifying the “Maximum lifetime for user ticket Properties” setting under  Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy. But unless you have a REALLY good reason I would not recommend that you change this value from the default.

image

As I already mention in my Group Policy Design Guidelines post, applying filtering Group Policy Objects via security groups can have its issues and should only be used for applying setting by exception. But if you do apply your policy settings this way just be aware that the users/computers will probably be waiting a while for them to get the new settings if they are applied via group membership.

Remote Server Admin Tools for Windows 8.1

win8_logo_0

With yet another release of Windows (seems like it was only last year… errr… wait), Microsoft has also released a new version of the remote server admin tools (a.k.a. RSAT). RSAT allow you to install the tools needed to manage your servers from a Windows 8.1 computer.

You might not think you need the RSAT installed as you are just remote desktop of the server you want to configure when needed to perform changes. Needless to say always logging onto a server to configure it is generally poor practice as it can lead to system stability issues. Once you install the tools on your PC you can use them to remotely perform these configuration without even having to logon to the server. This is even more practical now as all of the new tools are written via PowerShell meaning they can be run remotely against servers just as effectively as on the local machine.

Of course the real reason why you want the RSAT tools install on your computer it so you can run the latest version of the Group Policy Management Console (a.k.a. GPMC).

Tip: Always edit group polices using the latest version of GPMC as this will support all the features and cause the least amount of compatibility issues. As an example you might have noticed that there is no Internet Explorer 11 Group Policy Preferences however the IE10 GPP does support IE11 in the new revision. In fact I talk about this in detail in my TechEd New Zealand session where I show that the version checking for IE 10 group policy preferences now check for version 10 to version 99.

As with the previous version of the Remote Server Admin Tools Microsoft will also be automatically installing all the tools once the Windows Update is applied..

NOTE: In this release of Remote Server Administration Tools, all tools are enabled by default. There is no need to open Turn Windows features on or off in Windows 8.1, and enable the tools that you want to use.

Downloat RSAT Link  http://www.microsoft.com/en-us/download/details.aspx?id=39296

Group Policy Search Engine Gets Updated

magnifying_glass

The Group Policy Search Engine is a great web site that has all the different version of Microsoft Group Policy ADMX files that allows you to easily and quickly search for the policy setting. This site is one I use very frequently especially and is a must have bookmark for any Group Policy Administrator.

Well, Stephanus from Microsoft who maintains the web site has just loaded the Windows 8.1 and Windows Server 2012 R2 policy setting meaning you can now look up all the new policy setting in the latest version of Windows.

image

So check out the new 8.1 settings at http://gpsearch.azurewebsites.net/

TechEd: (Internet Explorer 11) The Browser You Love To Hate

If you have ever seen Chris Jacksons (a.k.a. App Compat Guy) sessions you will know that he is an amazing speaker with a very distinctive (and geeky) presentation style. So when I had the opportunity to present with him at TechEd New Zealand 2013 I was super excited to be able present some of the great new features in Internet Explorer 11. In this session we present two side of the why and how to you should upgrade to the latest version of Internet Explorer in your organisation. Chris presents a lot of very good reasons why you should upgrade off from IE8 and I show you how you can use Group Policy to configured and control the browser for the users.

So sit back and check out video below of our session:

Source: http://channel9.msdn.com/Events/TechEd/NewZealand/2013/WCL312?format=auto

TechEd: Windows 8.1, getting better with Group Policy and Work Folders

My TechEd New Zealand session about Group Policy and Work Folders is now available for viewing. This session shos a combination of what is new with Group Policy in Windows 8.1. It also is ha a shorter version of my other work folders sessions I presented at TechEd Australia the week before (see Windows 8.1 Folders Overview – My Corporate Data on all my Devices). As the session is nicely split into two you can checkout the new group policy features buy just watching the first half of the recording.

Source: http://channel9.msdn.com/Events/TechEd/NewZealand/2013/WCL305

Update: Thank you New Zealand!!! as this session was ranked #1 for the Windows Client track and #14 overall for the entire event (out of 150 sessions).