Determining if group policy needs to run synchronously

group-policy

I have been working on speeding up network logins. As part of this process I'm disabling the 'always wait for network' option.

This isn't inherently a problem, but I would really like to be able to pop up a dialog along the lines of "we see your drives aren't mapped / your folders haven't been redirected. please log off and back on to complete the process". This would cut helpdesk calls tremendously.

Is there a good way determine when group needs to run synchronously? A flag in the registry, etc?

Best Answer

My take is "Group policy needs to be run synchronously".

Seriously.

The default in Windows 2000 was to run all Group Policy (computer and user) synchronously. Microsoft had materials in their "Official Curriculum" back then that even describe asynchronous policy application as potentially unreliable.

You can change this default behavior by using a policy setting for each so that processing is asynchronous. This is not recommended unless there are compelling performance reasons. To provide the most reliable operation, leave the processing as synchronous.

When asynchronous computer policy application became the default in Windows XP I found that it was unreliable and non-deterministic. From that point on I've been forcing policy application to be synchronous and I've been happy with the results.

I'd like logons to be faster, but at the same time I need things to be reliable. Reliability trumps speed to me.

Related Solutions

Group Policy – Fix Group Policy Installation Failed Error 1274

You're seeing the dreaded scourge of asynchronous policy processing. It's not a "feature" (and was default-off in Windows 2000 but default-on in Windows XP and above) and causes exactly what you're seeing-- non-deterministic behaviour with processing some types of GPO settings.

In a GPO that applies to that computer, add the following setting:

Computer Settings
- Administrative Templates
  - System
    - Logon
      - Always wait for the network at computer startup and logon - Enabled

After you set that (and allow the GPO to replicate if you're in a multi-DC environment), do a "gpupdate /force /boot" on the subject PC. It will reboot and you should see the software installation occur.

The "Always wait for the network at computer startup and logon" slightly slows down the startup and logon because all GPO extensions are allowed to process, but the upside is that all GPO extensions are allowed to process.

Group policy startup script needs elevated priviledges

Scripts placed in Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) are run as Local System which is usually all that's required for installing programs etc. The same is true of MSIs deployed using Group Policy.

Do you know what privileges your script requires? What is your script doing that requires these privileges?

Grab a copy of Process Monitor from Sysinternals and, using a standard user account, monitor your script to find out what it's doing and what extra privileges it needs to be able to run. You can then use that information to find out why the Local System account isn't able to run it.

EDIT: An option available to you is for you to use your Startup script to run a net shell command

netsh interface ipv4 set subinterface interface="Local Area Connection" mtu=1400

It's a single liner you need in your script. Any use?

Lewis

Best Answer

Related Solutions

Group Policy – Fix Group Policy Installation Failed Error 1274

Group policy startup script needs elevated priviledges

Related Topic