November 06, 2000 12:00 AM

Controlling Group Policy, Part 2

Windows IT Pro
InstantDoc ID #15886

Group Policy refresh interval for computers. This setting controls the frequency at which Win2K refreshes Group Policy for Win2K Professional workstations and Win2K member servers (not for domain controllers). You can use this setting to specify two thresholds: the number of minutes between refreshes and an offset that Win2K uses to prevent every computer from simultaneously rereading Group Policy from the domain controller. Win2K computes a random value between zero and the offset, then adds this value to the first threshold after each refresh to determine when the next refresh will occur. By default, Win2K refreshes every 90 minutes and specifies a maximum offset of 30 minutes. The setting applies to policies under the Computer Configuration portion of a GPO.

Group Policy refresh interval for users. Similar to the Group Policy refresh interval for computers setting, Group Policy refresh interval for users controls how frequently Win2K refreshes User Configuration. The setting applies to policies under the User Configuration portion of a GPO.

Apply Group Policy for computers asynchronously during startup. By default, a Win2K system won't present the logon prompt until Win2K finishes applying Group Policy. When you enable the Apply Group Policy for computers asynchronously during startup setting, Win2K lets users log on before Group Policy application is complete. The system displays the message Applying computer settings until application is complete. Although enabling this setting doesn't usually cause problems, some policies might not take effect until the next time Win2K applies or reapplies Group Policy. This setting applies to policies under the Computer Configuration portion of a GPO.

Apply Group Policy for users asynchronously during logon. By default, after a user enters a username and password, Win2K doesn't display the user's desktop until it finishes applying Group Policy's User Configuration settings. When you enable the Apply Group Policy for users asynchronously during logon setting, users can access the Start menu and desktop before the application is complete. Some policies might not take effect until the next logon or until Win2K refreshes Group Policy. This setting applies to policies under the User Configuration portion of a GPO.

Unless users complain about excessive startup or logon times, I recommend you leave both asynchronous-application settings disabled so that you can maintain predictable Group Policy application.

User Group Policy loopback processing mode. When Win2K applies the User Configuration portion of Group Policy, Win2K determines the applicable GPOs based on the user's domain and OUs and applies settings from the User Configuration portion of those GPOs. In other words, Win2K applies User Configuration settings based on the user account's location in AD (i.e., who the user is), not based on the computer account's location (i.e., which computer the user is logging on to). However, you might decide to make an exception to this rule. For example, perhaps you have public-use kiosks for which you want to define specific User Configuration settings regardless of who logs on. In such a situation, you need to create an OU to contain the kiosks, then create an OU-linked GPO and enable the GPO's User Group Policy loopback processing mode setting. When you enable this setting, you must select one of two option modes. Replace mode tells Win2K to ignore the user's User Configuration settings (i.e., the User Configuration settings based on the user account's location in AD) and instead apply the system's User Configuration settings (i.e., the User Configuration settings based on the system's location in AD). Merge mode tells Win2K to first apply the user's User Configuration settings, then apply the system's User Configuration settings. Whenever a conflict occurs, the system's settings take precedence.
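The Replace and Merge rules described above, as an added Python model (not code from the article and not Windows' own implementation). The setting names and the staff/kiosk GPO contents are constructed for illustration; each GPO is reduced to a dictionary of User Configuration settings, applied in order.

```python
from typing import Dict, List, Optional

Settings = Dict[str, str]  # User Configuration setting name -> value


def apply_in_order(gpos: List[Settings]) -> Settings:
    """Apply GPOs in sequence; on conflict the GPO applied later wins."""
    result: Settings = {}
    for gpo in gpos:
        result.update(gpo)
    return result


def resultant_user_config(user_gpos: List[Settings],
                          computer_gpos: List[Settings],
                          loopback: Optional[str] = None) -> Settings:
    """Return the User Configuration in effect for one logon.

    user_gpos:     User Configuration of GPOs selected by the user account's location in AD
    computer_gpos: User Configuration of GPOs selected by the computer's location in AD
    loopback:      None (setting not enabled), "replace" or "merge"
    """
    if loopback is None:
        return apply_in_order(user_gpos)
    if loopback == "replace":
        return apply_in_order(computer_gpos)
    if loopback == "merge":
        # User's settings first, then the system's, so the system wins conflicts.
        return apply_in_order(user_gpos + computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


# Constructed sample data (setting names are illustrative, not real policy names).
STAFF_GPOS = [{"screen_saver_tab": "visible", "map_network_drive": "visible",
               "logon_script": "staff.cmd"}]
KIOSK_GPOS = [{"screen_saver_tab": "hidden", "map_network_drive": "hidden"}]


def unconstrained_by_kiosk(mode: str) -> List[str]:
    """Settings in effect on the kiosk that the kiosk GPO did not define."""
    kiosk_defined = apply_in_order(KIOSK_GPOS)
    effective = resultant_user_config(STAFF_GPOS, KIOSK_GPOS, mode)
    return sorted(k for k in effective if k not in kiosk_defined)


if __name__ == "__main__":
    for mode in (None, "replace", "merge"):
        print(mode, resultant_user_config(STAFF_GPOS, KIOSK_GPOS, mode))
    print("carried over in merge mode:", unconstrained_by_kiosk("merge"))
```

In this model, Merge mode carries over every user setting that the kiosk GPO leaves undefined, so a kiosk GPO used with Merge has to define each setting it needs to control.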

Group Policy slow link detection. This setting lets you specify the threshold (in Kbps) for slow network links. The default threshold is 500Kbps. Win2K uses this threshold to determine when to defer Group Policy application.

Deferring Group Policy Application
Win2K divides Group Policy into nine processing categories: Registry, Internet Explorer (IE) Maintenance, Software Installation, Folder Redirection, Scripts, Security, IP Security (IPSec), Encrypting File System (EFS) recovery, and Disk Quota. Each category has a corresponding Group Policy option (e.g., Registry policy processing) that resides in \computer configuration\administrative templates\system\group policy, as Figure 5 shows.

You can defer a category's Group Policy application to prevent slowdowns on the workstation while Win2K applies Group Policy. You can also defer application to prevent sudden changes that can occur on a user's desktop when you implement Desktop or Start Menu & Taskbar restrictions (e.g., disable the Screen Saver tab in Control Panel, Display; remove the Map Network Drive option in Windows Explorer) while the user is logged on. (These restrictions reside in \user configuration\administrative templates.) To control a category, right-click the corresponding option under \computer configuration\administrative templates\system\group policy and select Properties. Select Enabled, then select one or more of the following scenario check boxes.

Allow processing across a slow network connection. Select this option to permit processing while the computer is connected to the domain controller on a slow network link (according to the definition you set using the Group Policy slow link detection setting). Notice that to defer processing, you must clear the check box.

Do not apply during periodic background processing. Select this option to defer processing during background refreshes while a user is logged on. This option defers refreshes in specific categories, whereas Disable background refresh of Group Policy defers refreshes in all categories.

Process even if the Group Policy objects have not changed. This option lets you control whether Win2K applies certain categories even though the policies haven't changed. For example, you can use this option to tell Win2K to regularly reapply a category in case users have disabled restrictions that you implemented through Group Policy. To defer application, clear the check box.
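How the three check boxes combine for one category during one processing run, as an added Python model (not code from the article and not Windows' own logic). The class and field names are hypothetical, and treating a link as slow only when its speed is strictly below the threshold is an assumption.

```python
from dataclasses import dataclass
from typing import List

DEFAULT_SLOW_LINK_KBPS = 500  # default slow-link threshold given in the article


@dataclass
class CategoryOptions:
    """State of the three check boxes for one enabled category option."""
    allow_slow_link: bool     # "Allow processing across a slow network connection"
    skip_background: bool     # "Do not apply during periodic background processing"
    process_unchanged: bool   # "Process even if the Group Policy objects have not changed"


@dataclass
class ProcessingRun:
    """Conditions under which Group Policy is being applied (constructed input)."""
    link_kbps: float          # measured link speed to the domain controller
    background: bool          # True for a periodic refresh while a user is logged on
    gpos_changed: bool        # True if any applicable GPO changed since the last run


def deferral_reasons(opts: CategoryOptions, run: ProcessingRun,
                     threshold_kbps: float = DEFAULT_SLOW_LINK_KBPS) -> List[str]:
    """Return why the category is deferred; an empty list means it is processed."""
    reasons = []
    if run.link_kbps < threshold_kbps and not opts.allow_slow_link:
        reasons.append("slow link")
    if run.background and opts.skip_background:
        reasons.append("background refresh")
    if not run.gpos_changed and not opts.process_unchanged:
        reasons.append("GPOs unchanged")
    return reasons


# Reapply on every refresh, so restrictions a user disabled are put back.
ENFORCING = CategoryOptions(allow_slow_link=True, skip_background=False,
                            process_unchanged=True)
# Defer in all three scenarios.
DEFERRING = CategoryOptions(allow_slow_link=False, skip_background=True,
                            process_unchanged=False)

if __name__ == "__main__":
    refresh = ProcessingRun(link_kbps=256, background=True, gpos_changed=False)
    print("enforcing:", deferral_reasons(ENFORCING, refresh))
    print("deferring:", deferral_reasons(DEFERRING, refresh))
```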

Table 1 lists each category and its corresponding Group Policy option, shows the location of the policies for which the category controls application, and identifies which of the three processing situations you can defer each category in.

One-Stop Shopping
Group Policy provides one-stop shopping for computer and user profile configuration. To keep a handle on Group Policy complications, you need to minimize your use of settings such as No Override and Block Policy inheritance and customize GPO ACLs only when absolutely necessary. To keep Group Policy simple, use options that are visible on the GPO Properties, Group Policy tab. To control who receives which policies, use OUs, rather than GPO permission restrictions; resort to restrictions only for troublesome exceptions that would otherwise require you to completely redesign your OU hierarchy.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.