
Learn AD in 15 Minutes a Week: Active Directory Group Policy Page 2

By ServerWatch Staff (Send Email)
Posted May 29, 2002



User Configuration Settings and Logon Scripts Overview

The Ctrl+Alt+Delete screen appears for the first time since startup and the user can log on. When the user finishes entering their ID and password, a list of GPOs connected to the user is gathered and processed, determined by factors such as the user's domain membership (or lack thereof), whether the loopback setting is enabled on the local system and which loopback policy setting is being used, as well as a host of other factors, detailed below.

[NOTES FROM THE FIELD] - In the section below titled Group Policy Processing Exceptions I detail all of the exceptions to the group policy rules, which covers a few things including the loopback settings.

Also, do not confuse domain accounts and local accounts. If a workstation is in a domain and a user logs on with a LOCAL account only, any domain user account configuration GPO settings are not processed because the account is local. Also, if you log on to a domain member that is disconnected from the network with a CACHED DOMAIN ID, you will not get your UPDATED user configuration settings. You will log on with the CACHED credentials ONLY.

User configuration settings are used to set group policies for specific groups of users. The settings are applied to the users no matter where in the forest they log on and are processed synchronously by default. (So long as that system is in the domain. Domain user account configuration settings will not apply when a user logs on to a machine locally using a local account. The LOCAL user account settings from the LOCAL GPO will be applied.) The synchronous setting can be changed by the domain administrator. The user configuration settings initialize as the user logs on to the system and will overwrite any conflicting settings that were processed at the computer configuration level. They are set in the following order: Local GPOs are first, then site GPOs, followed by domain GPOs, and finally OU GPOs. No user interface is displayed while user policies are being processed. This is that little piece of time after the Ctrl+Alt+Delete screen disappears when it seems as if something is happening behind the scenes. (Now you know what.) After all of the GPOs have been processed, any and all group policy-based user logon scripts run. These scripts are also run hidden; however, they run asynchronously by default.

The GUI will appear once the last user logon script completes.


Group Policy Settings Processing Order

All Windows 2000 systems have one Local Group Policy Object, which is processed first when the system is started. In a domain scenario, chances are this GPO will have the least impact on the local system, because subsequent GPOs are likely to overwrite its settings. On a STANDALONE Windows 2000 system it is usually the only GPO processed and in this case will have a large impact.

The next set of group policy settings that are processed are computer configuration settings for Site GPOs, if any are set for your site. These GPOs are processed synchronously, meaning the domain administrator sets the order in which they execute.

After any and all Site GPOs are run, the next set of GPOs to be deployed are Domain level computer configuration GPOs. These too are processed synchronously, with the order set by the domain administrator.

The final set of GPOs to be executed are OU level computer configuration GPOs. All of the GPOs linked to the upper most OU in the inheritance tree are executed first, followed by all that are in the next highest and so on, until you reach the local OU, which is executed last. At each OU in the hierarchy there may be several group policies. They are all processed synchronously in a specific order set by the domain administrator at each level. This means that all of the GPOs in the highest point of the inheritance tree are executed first in the specific order set by the domain administrator and then all of the GPOs at the next point of the inheritance tree are executed in the specific order set by the domain administrator and so on all the way down to the local OU.

After this is complete, any and all computer startup scripts that are set to run for the system start, and the Ctrl+Alt+Delete screen appears when they complete and the user can log on.

[NOTES FROM THE FIELD] - The same set of steps follows for the user configuration settings. After a user logs on, the Local GPOs are run first, then site GPOs, followed by domain GPOs, and finally OU GPOs. As with the OU level computer configuration GPOs, the GPOs linked to the upper most OU in the inheritance tree are executed first, followed by all that are in the next highest and so on, until you reach the local OU, which is executed last. At each OU in the hierarchy there may be several group policies. They are all processed synchronously in a specific order set by the domain administrator at each level.

After all of the user configuration GPOs have been processed, any and all group policy-based user logon scripts run. These scripts run hidden and asynchronously by default.

The GUI will appear once the last user logon script completes.
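The processing order above (local, site, domain, then OUs from the top of the tree down, with each container's GPOs in the administrator-set order, computer configuration at startup and user configuration at logon) is easiest to see as an algorithm. The following is an added example, not code from the original article or from Microsoft: a small Python model that walks a constructed chain of GPOs in that order and reports which GPO supplied each effective setting. The GPO names, setting names and values are constructed for illustration and are not real policy paths; the "local account" switch models the note above that a logon with a LOCAL account receives only the local GPO's user settings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    """One Group Policy Object with its two halves (constructed model, not a real GPO format)."""
    name: str
    computer: Dict[str, str] = field(default_factory=dict)  # computer configuration settings
    user: Dict[str, str] = field(default_factory=dict)      # user configuration settings


@dataclass
class PolicyChain:
    """GPOs linked at each scope. Every list is already in the processing order the
    domain administrator set for that container; 'ous' runs from the top-most OU in
    the inheritance tree down to the OU that holds the computer or user object."""
    local: List[GPO] = field(default_factory=list)
    site: List[GPO] = field(default_factory=list)
    domain: List[GPO] = field(default_factory=list)
    ous: List[List[GPO]] = field(default_factory=list)

    def processing_order(self) -> List[GPO]:
        # Local first, then site, then domain, then each OU level from the top of the tree down.
        ordered = list(self.local) + list(self.site) + list(self.domain)
        for level in self.ous:
            ordered.extend(level)
        return ordered


def apply_section(chain: PolicyChain, section: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Walk the chain in processing order; a later GPO overwrites an earlier conflicting value.
    Returns (effective settings, name of the GPO that supplied each setting)."""
    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for gpo in chain.processing_order():
        for key, value in getattr(gpo, section).items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


def resultant_policy(chain: PolicyChain, local_account: bool = False):
    """Computer configuration at startup, then user configuration at logon; user settings
    overwrite conflicting computer settings. A logon with a LOCAL account gets only the
    local GPO's user settings, because no domain user GPOs are gathered for it."""
    effective, winner = apply_section(chain, "computer")
    user_chain = PolicyChain(local=chain.local) if local_account else chain
    user_effective, user_winner = apply_section(user_chain, "user")
    effective.update(user_effective)
    winner.update(user_winner)
    return effective, winner


# Constructed sample chain: names and settings are illustrative only.
SAMPLE_CHAIN = PolicyChain(
    local=[GPO("Local Policy",
               computer={"ProxyServer": "proxy-local"},
               user={"Wallpaper": "local.bmp"})],
    site=[GPO("Site-HQ", computer={"AuditLogonEvents": "success"})],
    domain=[GPO("Default Domain Policy",
                computer={"AuditLogonEvents": "success,failure"},
                user={"ScreenSaverTimeout": "900", "ProxyServer": "proxy-user"})],
    ous=[
        [GPO("Corp-Desktop", user={"Wallpaper": "corp.bmp"})],   # top-most OU in the tree
        [GPO("Finance-A", user={"ScreenSaverTimeout": "600"}),   # local OU, two GPOs in
         GPO("Finance-B", user={"ScreenSaverTimeout": "300"})],  # the admin-set order
    ],
)

if __name__ == "__main__":
    for label, local in (("domain account", False), ("local account", True)):
        settings, source = resultant_policy(SAMPLE_CHAIN, local_account=local)
        print(f"-- logon with {label} --")
        for key in sorted(settings):
            print(f"{key:20} = {settings[key]:18} (from {source[key]})")
```

Running it shows Finance-B winning ScreenSaverTimeout because it is processed last in its OU, the domain GPO's user setting for ProxyServer overwriting the computer-level value, and the local-account logon falling back to the local GPO's wallpaper while keeping the full computer configuration from startup. When the real resultant set needs checking on a domain member, the page's ordering is what the output of a policy-results report should reproduce.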

Page 2 of 3

