Windows Group Policy vs Registry Policy – Differences Explained

active-directory powershell windows

I sometimes need to temporarily change some registry settings related to Group Policy on a computer that is part of Active Directory, so I can perform some work.

After having read some articles on how to do this, I've come across the following registry settings:

# Disable Group Policy updates (computers, users, and domain controllers) until the user logs off the system
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableBkGndGroupPolicy" -PropertyType DWord -Value 1 -Force

# Disable Registry Policy processing
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" -Name "NoBackgroundPolicy" -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" -Name "NoGPOListChanges" -PropertyType DWord -Value 0 -Force

What exactly are "registry policies"? If I disable Group Policy updates until the user logs off, i.e. the computer won't try to refresh and re-apply policies, why would it be necessary to disable registry policy processing?

Source: https://www.thewindowsclub.com/disable-background-processing-registry-policy

Best Answer

This is kind of a big topic but here's a quick rundown:

Background policy processing: Normally a computer GPO is processed when the system is started and a user GPO is processed when the user logs on. You would normally have Background Policy processing turned on, which would allow the system to re-apply those settings on the default interval in the background (a random interval of between 90 and 120 minutes). If you disable background processing, the settings won't reapply until the user logs off or the computer is restarted. For security purposes it's best to leave this on.

Registry policy: When GPO gets applied it's actually broken up into a number of parts. The largest pair is Group Policy (GP) and Group Policy Preferences (GPP).

GP is the "normal" part of GPO and the older of the two. When setting local GPO, you'll only see GP as an option. GPP is only available when setting policies from a domain controller.

GPP is considered a 'preference' because these are settings designed to be set and then allowed to change by the user/system. A background, a mapped drive, or a registry key can be set in GPP but won't be locked in place. Background refreshes will still set these settings again unless the "apply once" option is ticked.

GP is considered more 'permanent' and can be 'locked' into place. GP is broken into several categories: Security Policy (as in the secpol.msc snap-in settings which provide password policy and auditing), Registry policy (this allows you to set settings and the permissions on keys), and Administrative Templates. Security policy settings get applied to the system security database. Registry policies get applied to the registry. Administrative Templates... well, technically this is a hack, because really this is just another way of applying registry settings. The vast majority of Group Policy actually has a registry key under the hood. Usually if you look up the name of the admin template and "registry" you'll find the name of the key. You can also open the ADM or ADMX file responsible for the template and see what it's doing under the hood.

Mostly when you're making a change that requires a temporary registry key change, you should either suck it up and deal with the 90-120 refresh, or set a temporary GPO to change the setting.
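
The remark above that an Administrative Template is a registry setting under the hood can be checked by reading the ADMX file itself. The following is an added example, not part of the original answer: a PowerShell function that lists the registry key and value names each policy in an ADMX document writes. The embedded ADMX fragment is constructed, with hypothetical policy and element names; only the key and value names are taken from the question.

```powershell
# Constructed ADMX fragment: policy/element names are hypothetical, the
# registry keys and value names are the ones quoted in the question.
$admx = [xml]@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Example_DisableBackgroundRefresh" class="Machine"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\System"
            valueName="DisableBkGndGroupPolicy">
      <enabledValue><decimal value="1" /></enabledValue>
    </policy>
    <policy name="Example_RegistryPolicyProcessing" class="Machine"
            key="Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}">
      <elements>
        <boolean id="Example_NoBackground" valueName="NoBackgroundPolicy" />
        <boolean id="Example_NoGPOListChanges" valueName="NoGPOListChanges" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxRegistryMapping {
    param([Parameter(Mandatory)][xml]$Admx)
    $ns = New-Object System.Xml.XmlNamespaceManager($Admx.NameTable)
    $ns.AddNamespace('p', $Admx.DocumentElement.NamespaceURI)
    foreach ($policy in $Admx.SelectNodes('//p:policies/p:policy', $ns)) {
        $hive = switch ($policy.GetAttribute('class')) {
            'User'    { 'HKCU' }
            'Machine' { 'HKLM' }
            default   { 'HKLM+HKCU' }   # class="Both"
        }
        # A policy can write one value itself and more through <elements>.
        $targets = @($policy) + @($policy.SelectNodes('p:elements/*', $ns))
        foreach ($node in $targets) {
            $valueName = $node.GetAttribute('valueName')
            if (-not $valueName) { continue }
            $key = $node.GetAttribute('key')    # an element may override the key
            if (-not $key) { $key = $policy.GetAttribute('key') }
            [pscustomobject]@{
                Policy    = $policy.GetAttribute('name')
                Hive      = $hive
                Key       = $key
                ValueName = $valueName
            }
        }
    }
}

Get-AdmxRegistryMapping -Admx $admx | Format-Table -AutoSize
```

To inspect a real template, pass `[xml](Get-Content -Raw <path to .admx>)` instead of the sample; the templates installed with Windows are under `%SystemRoot%\PolicyDefinitions`.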