Speeding Up Group Policy Updates in Deployment
Speeding Up Group Policy Updates in Deployment
I teach several classes that cover Windows deployment, operations, and troubleshooting. Most of the content I teach is focused on enterprise environments – that is, generally, more than 5,000 systems. At that scale centralized IT management is a requirement, not an option. And the cornerstone of centralized computer configuration management in Windows are Active Directory and Group Policy.
Many of my students relate stories of making changes to Group Policy settings. Usually the story goes something like, “We needed to change the screensaver timeout period to kick in after 5 minutes for the HR department. So I edited the Group Policy and under User Configuration, Administrative Templates, Control Panel, Personalization, I set the ‘Screen saver timeout’ to 600 seconds. Then I ran GPUpdate /force on the HR computers to get the setting.” A common alternate ending to that story is replacing the GPUpdate /force command with rebooting the computer.
Neither rebooting the computer nor running GPUpdate /force are necessary. Group Policy updates happen all by themselves.
Group Policy Updates Itself
Yup, the Group Policy service on all domain-joined client computers regularly checks with Active Directory to see if anything has changed. If new or changed policies exist, they are applied to the computer. By default, Group Policy updates every 60 to 120 minutes, as well as during system startup.
The most efficient way to ensure faster application of Group Policy changes is to change how frequently the client checks with a domain controller. This uses the existing timing and infrastructure already built in to Group Policy. Running GPUpdate or rebooting the computers is not efficient in a large environment so these options simply don’t scale.
Changing the Group Policy Refresh Interval
An interesting coincidence is that the policy that configures this setting is itself built into Group Policy! You just need to know where it is and what the valid settings are.
The setting is in Group Policy under Computer Configuration\Administrative Templates\System\Group Policy. There are two separate settings:
- Group Policy refresh interval for computers configures all non-domain controller systems within the scope of the policy. By default this is set to every 90 minutes with a random time offset of 0 to 30 minutes, resulting in a refresh interval of 60 to 120 minutes per computer.
- Group Policy refresh interval for domain controllers targets only domain controller systems within the scope of the policy. By default this is set to every 5 minutes with no random time offset.
Change those settings and each computer will use the new settings beginning with the next Group Policy refresh.
Don’t Set the Refresh Very Low
Some administrators might want to crank this setting down as low as it will go to have computers update policy as fast as possible. That’s a really bad idea.
The policy refresh consumes resources on the client, the network, and the domain controller. The more frequently it runs, the more resources it consumes. The documentation defines the fastest possible refresh interval at 7 seconds. That setting will most likely result in unusable computers and CPU-bound domain controllers in very short order. In my experience, setting the computer interval to 60 minutes and reducing the offset to 10 minutes is sufficient to meet any regulatory or IT policy requirement while avoiding resource starvation on the systems.
Good luck and be careful with this one!
You May Also Like
Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2
This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader demonstrates how to use cable testers in network environments. Let’s look at some tools that we can use to test our different cables in our environment. Cable Testers Properly Wired Connectivity … Continue reading Cable Testers and How to Use them in Network Environments
In this video, Security Instructor Mike Danseglio demonstrates how to use BitLocker in Window 10 to secure files on a USB Flash drive that adhere to stricter data protection requirements as found inside Government entities. BitLocker 2-day instructor-led training is now available at Interface: BITLOCK: Planning and Deploying BitLocker Drive Encryption Training Video Transcription: Hi. … Continue reading Government Edition – Encrypting a USB Flash Drive in Windows 10