Question on a policy setting

  • Question on a policy setting

    Hi,

    I have a question on the "Always wait for the network at the computer startup and logon" computer setting.

    If I enable this policy, will it wait for a network connection to the domain controller, or does it just wait for the network link to be up? I have a reason for asking this. I have a few remote computers which are facing a slow startup/logon issue. They have this setting enabled. Generally, users of these computers connect their PCs to the internet and then connect to the office using VPN after login. I am just trying to find out whether disabling this setting helps them in any way in reducing the startup time.

    If I disable this setting, will it process GPOs after getting a connection to the domain controller (i.e. after the VPN connection)?

    My client computer is running Windows XP and I am living in a Windows 2003 native domain with all latest SPs and patches applied.

    Thanks,

  • #2
    Re: Question on a policy setting

    Hi,

    I'd suggest you disable this policy (which is the default behaviour).
    Existing users will then use cached credentials to log on.
    Group policy is applied in the background when the network becomes available, except for certain policies such as Folder Redirection or Software policies, which will need two logons.

    Cheers
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Question on a policy setting

      Thanks...

      I am looking for clarity about the sentence "When network becomes available". Does it mean that network connection to Domain controller is available or network connection in general?

      Thanks,



      • #4
        Re: Question on a policy setting

        It means when the NIC driver has initialized and the NIC has detected a link.



        • #5
          Re: Question on a policy setting

          So this is not useful for the scenarios I am talking about in my first post.



          • #6
            Re: Question on a policy setting

            Typically this setting is enabled to allow the NIC to detect a link before GPO processing occurs. This is needed sometimes because GPO processing occurs before the NIC is initialized, the switch port goes into forwarding mode, and the NIC has an active link. This setting gets around this problem by causing GPO processing to wait for the network link to "go live". I'm not sure what effect, if any, this has on a VPN connection, although I suspect it doesn't have any effect.



            • #7
              Re: Question on a policy setting

              As the VPN is established after the user logs on in this case, it would make no difference.
              Gareth Howells

              BSc (Hons), MBCS, MCP, MCDST, ICCE

              Any advice is given in good faith and without warranty.

              Please give reputation points if somebody has helped you.

              "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

              "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



              • #8
                Re: Question on a policy setting

                Just an off-topic question:

                Is there any way to allow GPO processing only when the connection to the domain controller is available? This saves a lot of time for remote workstations. I am not sure how other organizations are getting rid of this slowness in remote workstations. Maybe a few data points from your people may help me to investigate further.

                Thanks,



                • #9
                  Re: Question on a policy setting

                  Here is how GP is being processed.
                  Processing a GP is a six-step procedure:

                  1- The client performs Internet Control Message Protocol (ICMP) slow-link detection to a domain controller in its site to determine link speed. In Windows Vista, the use of ICMP for slow-link detection is replaced by the Network Location Awareness (NLA) service.

                  2- The client reads CSE status information from its local registry to determine which GPOs were processed last.

                  3- The client uses LDAP to search the gpLink attribute in Active Directory on each container object within its location in the Active Directory hierarchy—first at the OU level (including all nested OUs), then at the domain, and finally at the Active Directory site level. From the results of this search, it builds a list of GPOs that must be evaluated for processing.

                  4- Each GPO is then searched in Active Directory to determine whether the client (user or computer) has the necessary permissions to process it. Its version number, the path to the Group Policy Template (GPT) portion of the GPO in SYSVOL, and what CSEs are implemented in that GPO are also evaluated.

                  5- The client then uses the Server Message Block (SMB) protocol to read the contents of the GPT and get the GPO's version number from the gpt.ini file. The version numbers in the Group Policy Container (GPC) and GPT are one factor that is used to determine whether a GPO has changed since the last processing cycle.

                  6- Each CSE runs in the order that is registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, and processes the GPOs that implement that CSE if the GPO has changed since last processing cycle (as determined during core processing). Each CSE also logs Resultant Set of User Policy (RSOP) data to Windows Management Instrumentation (WMI) during each refresh, if available.

                  By Darren Mar-Elia

                  I think if the first step (or consecutive steps) fails and cached logon is enabled, then the cached policy will be applied from the registry.
                  Once a VPN connection has been established the background GP refresh might not happen until the next refresh interval.

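Step 5 in the post above compares the version number in the GPC with the one in gpt.ini. The following is an added example, not part of the thread or of any Microsoft tool, showing that comparison per policy side. The function names, status labels and sample values are this example's own assumptions; it relies on the version number packing the user-side count in the upper 16 bits and the computer-side count in the lower 16 bits, and it treats version as the only change factor, which the post says is just one of several.

```python
import configparser

def parse_gpt_version(gpt_ini_text):
    """Read Version= from the [General] section of a gpt.ini file body."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(gpt_ini_text.lstrip("\ufeff"))  # tolerate a leading BOM
    for section in parser.sections():
        if section.lower() == "general" and "version" in parser[section]:
            return int(parser[section]["version"])
    raise ValueError("no Version entry in [General]")

def split_version(version):
    """Upper 16 bits count user-side edits, lower 16 bits computer-side edits."""
    return {"user": version >> 16, "computer": version & 0xFFFF}

def assess_gpo(gpc_version, gpt_ini_text, last_processed_version):
    """Compare the GPC value, the GPT value and the last processed version.

    last_processed_version stands in for what the client recorded in step 2.
    """
    gpc = split_version(gpc_version)
    gpt = split_version(parse_gpt_version(gpt_ini_text))
    last = split_version(last_processed_version)
    report = {}
    for side in ("user", "computer"):
        if gpc[side] != gpt[side]:
            report[side] = "mismatch"    # AD (GPC) and SYSVOL (GPT) disagree
        elif gpc[side] != last[side]:
            report[side] = "changed"     # version moved since the last cycle
        else:
            report[side] = "unchanged"   # same version as the last cycle
    return report

# Constructed sample values, not taken from a real domain.
SAMPLE_GPT_INI = "\ufeff[General]\r\nVersion=196613\r\n"  # user 3, computer 5
SAMPLE_GPC_VERSION = 196613                                # user 3, computer 5
SAMPLE_LAST_PROCESSED = 196612                             # user 3, computer 4

if __name__ == "__main__":
    print(assess_gpo(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI, SAMPLE_LAST_PROCESSED))
```

A "mismatch" result means the directory and SYSVOL copies of the GPO carry different versions, which is worth resolving before investigating slow processing on the client.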

                  • #10
                    Re: Question on a policy setting

                    In the past, the only way I have found to reduce startup time in Group Policy is the following.

                    (1) Reduce the number of GPOs.
                    (2) Disable the User or Machine part of the GPO as appropriate
                    (3) Ensure scripts used in GPOs are relevant to the machines they apply to. I have had problems with slowness relating to scripts setting ACLs on folders/files that didn't exist. It would then wait the default amount of time before moving on to process the next GPO.
                    (4) Use groups and set the GPO permissions. This targets the appropriate objects, so only those users and computers applicable to the policy have read and apply permissions. All others will just ignore it, so will save time with GPO processing. This of course is only helpful if you are applying GPOs higher up and there are objects and OUs below that the policy should not apply to or you have objects in different OUs that can't be placed in the same container.

                    Joe Qwerty has answered your main question. The above may help as there is then less for the remote clients to process. As you mention, it only happens over the VPN. L4ndy also gave a great post, so I felt this thread is useful, thus I added the above to help others reading this thread.



                    • #11
                      Re: Question on a policy setting

                      5) Only use WMI filtering when essential. Filtering by group membership goes something like this:

                      "Does this policy apply to you?"
                      "That policy? No!"

                      Filtering by WMI on the other hand goes something like this:

                      "Does this policy apply to you?"
                      "I don't know, let me check. Nope, don't think so so far, let me check something else."

                      Not a strictly accurate analogy, but you get the idea
                      Gareth Howells



                      • #12
                        Re: Question on a policy setting

                        Of course, forgot about WMI filtering.
