If you run Active Directory, no doubt you use Group Policy to ensure security and compliance and to control desktop capabilities and software. The power of Group Policy is so compelling that most companies rely heavily on it to ensure that their users, clients and servers all meet company and security standards.
The pitfall in using Group Policy to bolster these standards is that there can be instances where Group Policy needs to be forced in order to guarantee that the settings specified in each Group Policy apply properly.
Forcing GPO application using GPUPDATE
Use the GPUPDATE command to manually apply both user and computer Group Policy Object (GPO) settings on Windows XP and Server 2003 computers. No switches are required with this command, unlike the old SECEDIT command used for Windows 2000 computers. When GPUPDATE is run without any switches, both the user and computer GPO settings that were modified or configured since the last GPO refresh are applied. However, a setting that was modified on the target computer itself is not configured back to the GPO setting by running GPUPDATE alone.
To apply all GPO settings to user and computer objects, regardless of whether the settings were applied already, add the /Force switch to the GPUPDATE command.
Forcing GPO settings using GPO settings
The GPUPDATE /Force command is useful when you are manually working with clients and servers to get GPO settings to apply. However, it is also important for some GPO settings to be forced during the standard refresh cycle, which is typically every 90 minutes. This is possible by configuring one or more GPO settings that correspond to the different Group Policy Extensions embedded in each GPO.
Access the following path in the GPO, which contains the settings that need to be forced on each refresh:
Computer Configuration|Administrative Templates|System|Group Policy|
Figure 1 shows the array of existing "* processing" policies.
Figure 1. "* processing" policies can force the application of GPO settings.
Within each of these policies there is an option to "Process even if the Group Policy objects have not changed," as shown in Figure 2.
Figure 2. GPO setting to process GPO settings even if there have been no changes.
With this setting configured, the settings in the GPO will apply on each refresh, even if there are no changes to the GPO. This ensures that the settings are applied consistently.
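To confirm on a target computer which extensions actually have this option in effect, the following PowerShell audit is an added example, not part of the original article. It assumes the "* processing" policies are stored as a NoGPOListChanges value (0 meaning "process even if unchanged") under one registry subkey per extension GUID, and that friendly names come from the Winlogon GPExtensions key; the function name is hypothetical.

```powershell
# Added example: report which Group Policy extensions reprocess on every refresh.
# Assumption: each "* processing" policy writes NoGPOListChanges under
# $policyRoot\{extension GUID}; 0 = process even if the GPOs have not changed.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpoReprocessState {
    # Walk every registered extension, not only configured ones, so gaps are visible.
    Get-ChildItem -Path $cseRoot -ErrorAction Stop | ForEach-Object {
        $guid = $_.PSChildName
        $name = $_.GetValue('')   # default value holds the extension's friendly name
        if (-not $name) { $name = '(unnamed extension)' }

        $state = 'Not configured'
        $key   = Join-Path $policyRoot $guid
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key).NoGPOListChanges
            if ($null -ne $value) {
                if ($value -eq 0) { $state = 'Reprocess on every refresh' }
                else              { $state = 'Skip when GPO unchanged' }
            }
        }
        New-Object PSObject -Property @{ Extension = $name; Guid = $guid; State = $state }
    }
}

Get-GpoReprocessState | Sort-Object Extension |
    Format-Table Extension, State, Guid -AutoSize
```

Run it from an elevated prompt after a policy refresh; extensions that enforce security-relevant settings but show "Not configured" or "Skip when GPO unchanged" are the ones where local changes can persist between GPO edits.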
Group Policy is very powerful and can provide extremely high levels of security and control within an Active Directory enterprise. When you rely this heavily on Group Policy for the stability and security of your computer network, you should take additional measures to make sure the settings within the GPOs are applied. You can do this manually, with the /Force switch in combination with the GPUPDATE command, or you can configure the GPO itself. Regardless of the method, ensure that your settings are getting to the target object and sticking.
About the author:
Derek Melber provides customized training for auditors, security professionals and network administrators. His book series on auditing Windows security is available at The IIA Bookstore. Online training is also available, which coincides with the books. E-mail Derek at firstname.lastname@example.org.