GPOs not applying right away

[acl03]

I noticed that it takes a couple of reboots for the computer policy to take effect on a machine recently added to AD.

Also, user policies take a few logons.

Any way to get GPO's to apply quicker?



Thanks,
Andrew

 

[ncvandy]

on the workstation click the run command and type "gpudate /force". This forces a complete download / refresh of all the settings of the policies

Jim

Elegant solutions are nice, but right now I'll settle for whatever works.

 

[bbell22]

Is there anyway for them to apply automatically? I have a lot of user accounts this is happening on.

 

[ncotton]

Group Policy is refreshed every 90-120 minutes. Settings that can not be forced in these background refreshes are applied at logon. You should not have a problem with "some" settings being applied, especially after at least one reboot.

POSSIBLE ISSUES
===============
1. On machines that have a slow connection, then some policy settings are dropped intelligently. If you are on remote connections, VPN, dial up remotes, then you can force the computer to wait untill all policy settings have been applied, by changing the GP Settings in the GPO to apply Synchronously, and set the Logon options to "Always wait for network before loading windows". This is because one other issue with slow connections, is once a machine has been authenticated on the domain, a local cached profile is stored on the machine, that means that it enabled you to logon on with your domain account, even when you have a slow/or even NO connectivity with the DC, or any other network resource. Chaning the Wait for Network means that the users can not authenticate to their domain users desktop untill the network connection has been established, therefore forcing all policies to be applied, again, slow connections may drop some settings.

2. If you have a very large network, which contains a number of replication servers, and have alot of data transfer. You may be having replication issues, or just the replication is slow. Do you get the same kind of issue, having to wait a long time, after creating a new user on a DC, wait for a while for the AD to be updated on the all the replicated servers?

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[rizrizza]

depending on the amount of policied you changed it might take a while when i did it with 400+ machines it took at least a week for all of them to finish even with gpupdate /force on the machines and the server. check your dns also. i also found that taking the computer off the domain then slapping it back on works well too.

Trying to do alot with what little I know. Thank you

 

[ncotton]

ACL, has anything suggested helped your problem?

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[acl03]

Well, I did notice an improvement with gpupdate /force.

I haven't added many machines to the domain since my post, so I don't know yet how well it worked.

Would pre-creating the machine accounts in the right OU make a difference?



Thanks,
Andrew

 

[ncotton]

no, infact, would probably be slower, the creation by the machine on authentication, triggers a foreground policy refresh on the client of machine, but only of the default domain policy, or other policies linked as Domain Root level. Unless you were to create them correctly in your domain structure, so put them in the correct OU, but that kind of ruins the whole principle behind the installation/client side connection. You also have problems of getting machine names spelt incorrectly, so on and so forth.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant