March 30, 2004 12:00 AM

Taking Control of Group Policy

Reduce the number of policies in your domain
Windows IT Pro
InstantDoc ID #41985

Process policies asynchronously. Windows provides a way to speed up the enumeration of GPOs during machine start-up and user logon. In my experience, this feature has little value in enterprises that apply several GPOs to both the computer and the user. However, if your users are complaining about the amount of time they spend starting their computers and logging on to the domain, you might want to experiment with this feature.

When Windows starts, the system by default processes policy settings from the Computer Configuration section of each GPO synchronously in the following order: Local, Site, Domain, OU. After processing all the computer-based policies, the system prompts the user to log on to the domain. Then, the system processes user-based policies synchronously in the same order that it processed the computer-based policies.

To speed GPO processing and thereby speed user logon, you can tell Windows to apply policies asynchronously instead of synchronously. Processing the policies asynchronously means that the system can download and process the policies out of order. In fact, users can log on to the domain and have use of the computer before the system has the chance to apply all policy settings—and therein, of course, lies the danger. Because the system processes OU policies last, many administrators make sure that any "real" policies (i.e., those that override domainwide policies) are in the computer's OU. However, if you process policies asynchronously, you lose that advantage.

If you're reasonably sure you don't have conflicting policies (e.g., OU policies that conflict with domain or local policies), you can experiment with asynchronous policy application. To enable asynchronous policy processing with a GPO, perform the following steps:

  1. Open the Active Directory Users and Computers snap-in.
  2. Right-click the domain listing, then choose Properties from the context menu.
  3. Select the Group Policy tab, select the GPO that you want to use to enable asynchronous processing, then click Edit.
  4. In the console pane, go to Computer Configuration\Administrative Templates\System\Group Policy.
  5. In the details pane, double-click Apply Group Policy for computers asynchronously during startup, click Enabled, then click Apply.
  6. In the details pane, double-click Apply Group Policy for users asynchronously during logon, click Enabled, then click Apply.
  7. Close all dialog boxes and the Active Directory Users and Computers snap-in to save your changes.

Incidentally, you don't have to select both policy types in Steps 5 and 6 for asynchronous processing; you can select just computer-based policies or just user-based policies if you want.
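The conflict check the article recommends before enabling asynchronous processing can be modeled as follows. This is an added example, not code from the article: the per-level settings and their names are constructed for illustration, and the script models the processing order described above rather than querying Active Directory.

```python
from itertools import permutations

# Synchronous processing order as described in the article.
ORDER = ["Local", "Site", "Domain", "OU"]

# Constructed sample (hypothetical setting names and values), one dict per level.
SAMPLE = {
    "Local":  {"ScreenSaverTimeout": "900"},
    "Site":   {"ProxyServer": "proxy.example.test:8080"},
    "Domain": {"ScreenSaverTimeout": "600", "HideRunCommand": "1"},
    "OU":     {"ScreenSaverTimeout": "300", "ProxyServer": "proxy.example.test:8080"},
}

def effective_settings(levels, order=ORDER):
    """Apply levels in the given order; a later level overwrites an earlier one."""
    result = {}
    for level in order:
        for name, value in levels.get(level, {}).items():
            result[name] = (value, level)
    return result

def find_conflicts(levels, order=ORDER):
    """Return settings that are defined with different values at more than one level."""
    seen = {}
    for level in order:
        for name, value in levels.get(level, {}).items():
            seen.setdefault(name, []).append((level, value))
    return {name: defs for name, defs in seen.items()
            if len({value for _, value in defs}) > 1}

def order_sensitive(levels):
    """Settings whose final value changes if the levels are applied in another order."""
    baseline = effective_settings(levels)
    risky = set()
    for perm in permutations(ORDER):
        outcome = effective_settings(levels, perm)
        risky |= {name for name, (value, _) in outcome.items()
                  if value != baseline[name][0]}
    return sorted(risky)

if __name__ == "__main__":
    for name, defs in find_conflicts(SAMPLE).items():
        value, level = effective_settings(SAMPLE)[name]
        print(f"{name}: conflicting definitions {defs}; in-order winner {value} ({level})")
    print("Order-sensitive settings:", order_sensitive(SAMPLE))
```

A setting that appears at several levels with the same value (ProxyServer in the sample) is not reported, because its result does not depend on the order in which the levels are applied.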

Managing Existing Policies
As I've discussed, applying policies to OUs, filtering policies by security group memberships, disabling unused GPO sections, and processing policies asynchronously can help you manage new policies. But if you're past the point of creating your first GPO, you might already have a tangle of policies that can lead to bigger problems. Logons can become slow, which can cause users to complain. More important, conflicting policies sometimes cause administrators to lose sufficient rights to perform tasks. Worse, you probably aren't sure which policies you've set because GPE doesn't tell you what you've done. Fortunately, Windows provides some tools to help you determine the state of your GPOs. In a future column, I'll discuss these tools and offer some suggestions for unsnarling your GPOs.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.