1
00:00:00,390 --> 00:00:05,170
It's important to understand how group policies apply on client computers.

2
00:00:05,190 --> 00:00:13,110
The steps are as follows First when a group policy refresh begins a service that is run on all on all

3
00:00:13,200 --> 00:00:20,310
windows based computers known as Group Policy client service in Windows Vista and later and Windows

4
00:00:20,310 --> 00:00:22,500
2000 eight and later.

5
00:00:22,560 --> 00:00:28,280
So this service determines which GPO is applied to the computer or user.

6
00:00:28,290 --> 00:00:35,480
Second the group policy client service downloads and a GP those that are not cached already.

7
00:00:35,620 --> 00:00:37,190
Third group policy.

8
00:00:37,180 --> 00:00:44,610
Client site extensions interpret the sentence in GPO and make appropriate changes to the local computer

9
00:00:44,670 --> 00:00:47,260
or to the currently signed end user.

10
00:00:47,280 --> 00:00:52,350
There are client side extensions for each major category of policies set in.

11
00:00:52,350 --> 00:00:59,480
For example there is a security line site extension that applies security changes airline side extensions

12
00:00:59,490 --> 00:01:08,180
that exact start up and log on scripts as C as e that installs software and the client side extension

13
00:01:08,190 --> 00:01:11,490
that makes changes to registry keys and values.

14
00:01:11,520 --> 00:01:18,300
Each Windows operating system version has added client side extensions to extend the functional reach

15
00:01:18,300 --> 00:01:25,290
of group policy and there are several dozen client sites extensions in Windows operating systems.

16
00:01:25,290 --> 00:01:32,580
One of the more important concepts to remember about group policy is that it is a client driven group

17
00:01:32,580 --> 00:01:40,480
policy client service pools GPO was from the domain triggering the client side extensions to license

18
00:01:40,530 --> 00:01:44,300
locally group policy is not a push technology.

19
00:01:44,310 --> 00:01:50,610
You can see the installed client side extensions on a computer by allocating the appropriate register

20
00:01:50,630 --> 00:01:51,330
key.

21
00:01:51,330 --> 00:01:54,210
It is located in each key local machine.

22
00:01:54,210 --> 00:01:59,740
Microsoft Windows and teh current version of Vin Logan GP extension extensions.

23
00:01:59,880 --> 00:02:04,190
You can configure the behaviour of client side extensions by use and group politics.

24
00:02:04,230 --> 00:02:10,320
Most client side extensions supplied settings in a GPO only if the GPO has changed.

25
00:02:10,380 --> 00:02:16,830
This behaviour improves overall policy process and by eliminating redundant applications of the same

26
00:02:16,830 --> 00:02:24,900
settings most policies apply in such a way that standard users cannot change the setting on their computer.

27
00:02:24,900 --> 00:02:30,300
They always will be subject to the configuration enforced by group policy.

28
00:02:30,420 --> 00:02:37,020
However standard users can change some settings and a user can change many settings if that user is

29
00:02:37,020 --> 00:02:38,910
an administrator of the system.

30
00:02:38,910 --> 00:02:44,760
If users in your environment are administrators on their computers you should consider configure and

31
00:02:44,760 --> 00:02:48,200
client site extensions to reapply policy settings.

32
00:02:48,210 --> 00:02:55,320
Even if the GPO has not changed that way if an administrative user changes the configuration so that

33
00:02:55,320 --> 00:03:01,920
it is no longer compliant with policy the configuration will be reset to its compliance state as the

34
00:03:01,920 --> 00:03:07,980
next group policy refresh to configure such client site extensions to reply policy settings.

35
00:03:07,980 --> 00:03:15,600
You can do that by configuring a GPO scoped to computers and then defining the settings in the computer

36
00:03:15,600 --> 00:03:22,770
configuration policies administrative templates system group policy node for each client site extension

37
00:03:22,800 --> 00:03:29,620
that you want to configure open its policy process and policies set and such as registry policy process

38
00:03:29,620 --> 00:03:35,690
and for the registry CSC click enabled and then select the process.

39
00:03:35,730 --> 00:03:42,900
Even if the group policy objects have not changed checkbox now the security line site extension manages

40
00:03:42,990 --> 00:03:49,170
an important exception to the default policy process and certainly the security line site extension

41
00:03:49,400 --> 00:03:53,420
reapply security settings every 16 hours.

42
00:03:53,430 --> 00:04:00,960
Even if a GPO hasn't changed as a note here enable that all this wait for network at startup and log

43
00:04:00,960 --> 00:04:04,460
on policies set in for all vendors based clients.

44
00:04:04,530 --> 00:04:11,580
Without this set and by default Windows XP and later clients will form refreshes asynchronously the

45
00:04:11,580 --> 00:04:14,550
user resides in a use and cached credentials.

46
00:04:14,550 --> 00:04:21,720
The benefit is that the desktop is quicker to display and user can start to work without waiting for

47
00:04:21,720 --> 00:04:23,400
group policy to apply.

48
00:04:23,400 --> 00:04:29,730
This means that when the client computer starts up and the user assigns them they do not receive the

49
00:04:29,730 --> 00:04:36,390
latest policies from the domain group policy will perform a refresh in the background after the user

50
00:04:36,390 --> 00:04:43,500
assigns them so they said and is located in computer configuration policies administrative templates

51
00:04:43,680 --> 00:04:45,090
system log on.

52
00:04:45,090 --> 00:04:51,390
Be sure to read the policy settings explanatory attacks the setting changes the group policy process

53
00:04:51,390 --> 00:04:58,970
and to synchronous mode which might make process and slower but it ensures a more consistent environment.

54
00:04:58,980 --> 00:05:05,740
Some words about policy refresh policies settings and computer configuration note apply it system start

55
00:05:05,740 --> 00:05:13,870
up and then every 90 to 120 minutes thereafter policies set in the user configuration node.

56
00:05:13,940 --> 00:05:22,460
Apply it sign in and then every 90 to 120 minutes thereafter the application of policies is called Group

57
00:05:22,460 --> 00:05:31,760
Policy refresh the refresh that years at system startup and to user sign in is also referred to as foreground

58
00:05:31,760 --> 00:05:41,290
to refresh the periodic refresh that occurs every 90 to 120 minutes and manual refreshes are both referred

59
00:05:41,290 --> 00:05:43,630
to as background refreshes.

60
00:05:43,670 --> 00:05:50,940
Some client side extensions only apply settings during foreground process and of course you can always

61
00:05:50,960 --> 00:05:55,290
force a policy refresh by using the GP update command.