1
00:00:03,040 --> 00:00:06,730
Now I'm going to talk about some group policy processing mechanics.

2
00:00:07,660 --> 00:00:10,060
So essentially, let's just dig in here.

3
00:00:11,000 --> 00:00:15,980
I want to kind of lay out some rules around how group policy processing actually works, because I've

4
00:00:15,980 --> 00:00:18,830
seen a lot of misinformation about this over the years.

5
00:00:19,700 --> 00:00:24,140
And I think it's important to understand what you can and can't do with group policy

6
00:00:25,060 --> 00:00:29,980
in the presence or absence of things like the network or access to domain controllers.

7
00:00:30,910 --> 00:00:37,030
So the first note I will make here is that group policy processing only, only, only runs in the presence

8
00:00:37,030 --> 00:00:38,260
of a domain controller.

9
00:00:39,150 --> 00:00:44,490
In other words, if the client cannot find a domain controller in the domain that it belongs to, it

10
00:00:44,490 --> 00:00:46,350
will simply not process policy.

11
00:00:47,250 --> 00:00:53,400
So if no DC is found, the engine just stops, throws up its hands and says, I'm sorry, I can't do

12
00:00:53,400 --> 00:00:53,940
any work.

13
00:00:54,810 --> 00:00:57,420
And no changes are made on the target system.

14
00:00:58,260 --> 00:01:03,090
And I think this is kind of an important point, because I've seen some people suggest that a way of

15
00:01:03,090 --> 00:01:06,990
overriding policy that's being delivered from your domain administrator

16
00:01:07,890 --> 00:01:13,140
is to simply disconnect the client from the domain or from the network, make a change to the local

17
00:01:13,140 --> 00:01:16,260
GPO, and then the change will take effect on the system.

18
00:01:17,100 --> 00:01:22,470
And the reality is, that's simply not true, that even if you make a change to the local GPO, the

19
00:01:22,470 --> 00:01:26,250
local GPO is part of the normal group policy processing cycle.
20
00:01:27,070 --> 00:01:28,820
And it will simply just be ignored.

21
00:01:28,840 --> 00:01:34,510
Any change that you make will be ignored by the client until the domain controller becomes available.

22
00:01:35,380 --> 00:01:40,360
And then, of course, if you try to make a change to the local GPO that's circumventing a domain

23
00:01:40,360 --> 00:01:48,130
based GPO, because of the LSDOU processing order your local GPO change will simply get overridden.

24
00:01:49,030 --> 00:01:54,910
So it's kind of a key point to remember that no group policy processing at all, local or domain

25
00:01:54,910 --> 00:01:57,940
based, will happen if there's no domain controller available.

26
00:01:58,810 --> 00:02:04,390
Now, in terms of finding a DC, group policy, the group policy engine and group policy processing, goes

27
00:02:04,390 --> 00:02:08,770
through the normal DC locator process to find a DC in the same site.

28
00:02:09,700 --> 00:02:12,910
So it will always try to find a DC close to the client.

29
00:02:13,820 --> 00:02:19,280
And this is a good thing because as it's downloading policy information from AD and SYSVOL, you want

30
00:02:19,280 --> 00:02:23,150
that to be as close to the client as possible to have quick processing times.

31
00:02:24,020 --> 00:02:29,870
And then contrary to some other popular beliefs that I've seen, group policy is not really cached at

32
00:02:29,870 --> 00:02:31,490
all for offline processing.

33
00:02:32,330 --> 00:02:37,370
In other words, there's no such thing as group policy running while a DC is not present.

34
00:02:38,290 --> 00:02:43,300
And there is actually, in Windows 8 and above, a group policy cache that was implemented.

35
00:02:44,180 --> 00:02:45,330
But it is not this.

36
00:02:45,350 --> 00:02:47,480
It is not for offline processing.
37
00:02:48,320 --> 00:02:53,930
It really is to simply speed up group policy processing in the case of a synchronous foreground processing

38
00:02:53,930 --> 00:02:54,440
cycle.

39
00:02:55,340 --> 00:03:00,740
So essentially, without getting into too many gory details, the way that works is on a Windows 8

40
00:03:00,740 --> 00:03:02,120
or 8.1 machine,

41
00:03:02,960 --> 00:03:08,000
if the client detects that it's doing a synchronous foreground processing cycle, for example, you

42
00:03:08,000 --> 00:03:13,160
have folder redirection or software installation policy that applies to the computer or the user,

43
00:03:14,070 --> 00:03:19,320
then group policy will have previously cached the GPOs that apply to it and it will use those policy

44
00:03:19,320 --> 00:03:25,470
files out of the cache to process policy, to save time, to sort of make up for the fact that it's

45
00:03:25,470 --> 00:03:27,240
a synchronous processing cycle.

46
00:03:28,120 --> 00:03:32,620
But again, the cache is only called when synchronous processing is detected.

47
00:03:33,520 --> 00:03:36,100
So it's not quite the same as like a real cache.

48
00:03:37,020 --> 00:03:42,600
Another kind of behavioral change that group policy will go through is if a slow link has been detected

49
00:03:42,600 --> 00:03:44,580
between the client and the DC.

50
00:03:45,450 --> 00:03:51,630
Now by default that slow link is defined as less than 500 kilobits per second, which is pretty darn

51
00:03:51,630 --> 00:03:53,160
slow in this day and age.

52
00:03:54,030 --> 00:03:59,370
But if that kind of a link is detected, and the test is that when the client is doing its DC discovery,

53
00:03:59,400 --> 00:04:03,600
it'll do a series of requests to the domain controller that it finds.
54
00:04:04,490 --> 00:04:10,550
And if those get calculated out to a response time that equates to less than 500 kilobits per

55
00:04:10,550 --> 00:04:16,400
second, then it will set a flag in the engine that says, hey, this is a slow link.

56
00:04:17,270 --> 00:04:20,960
If it's a slow link, then some policy areas will not run.

57
00:04:21,860 --> 00:04:27,620
So admin templates runs over a slow link and most of the security policy runs over a slow link.

58
00:04:28,520 --> 00:04:33,650
But there are definitely areas like software installation, folder redirection and scripts that do

59
00:04:33,650 --> 00:04:35,780
not run over a slow link by default.

60
00:04:36,680 --> 00:04:39,260
Now you can modify those behaviors,

61
00:04:40,140 --> 00:04:42,610
and also the slow link threshold itself,

62
00:04:42,660 --> 00:04:45,060
that 500 kilobits per second value,

63
00:04:45,090 --> 00:04:46,530
within this policy area

64
00:04:46,560 --> 00:04:48,690
under Computer Configuration, Policies,

65
00:04:48,690 --> 00:04:49,530
Admin Templates,

66
00:04:49,530 --> 00:04:49,920
System,

67
00:04:49,920 --> 00:04:50,760
Group Policy.

68
00:04:51,630 --> 00:04:55,740
But by default, those policy areas will not run over a slow link.

69
00:04:56,610 --> 00:05:02,490
And keep in mind that this goes back to the days where 500 kilobits per second was actually pretty darn

70
00:05:02,490 --> 00:05:03,060
fast.

71
00:05:03,930 --> 00:05:09,330
And in the case of something like software installation, did you really want Microsoft Office installing

72
00:05:09,330 --> 00:05:10,680
over a very slow link?

73
00:05:11,560 --> 00:05:12,640
Probably not.

74
00:05:13,540 --> 00:05:16,750
So I don't see these getting hit in this day and age very often.

75
00:05:16,840 --> 00:05:21,670
But they are available and it is good to know that in the case of a slow link, for whatever reason,

76
00:05:22,540 --> 00:05:26,100
you know, you've got a slow link between your client and your DC.
77
00:05:26,110 --> 00:05:29,770
You may not see these policy areas getting processed successfully.

78
00:05:30,610 --> 00:05:37,120
Now group policy over VPN is another, I won't call it a fringe case because a lot of people use VPNs,

79
00:05:37,300 --> 00:05:40,030
but it's problematic to some degree for group policy.

80
00:05:40,940 --> 00:05:46,220
So if you think about foreground computer processing, which is at machine startup, that's not going

81
00:05:46,220 --> 00:05:48,350
to work unless a DC is available.

82
00:05:49,230 --> 00:05:55,230
As I said, and a DC is not going to be available unless the VPN client is pinned up at the time that

83
00:05:55,230 --> 00:06:01,380
the machine is booting, which is not usually the case unless you've got an external VPN connection

84
00:06:01,380 --> 00:06:04,140
between wherever that client is and your DC.

85
00:06:05,040 --> 00:06:06,360
So that's one issue.

86
00:06:07,230 --> 00:06:13,920
The other issue is that on foreground user processing, which is that user logon, this is not going

87
00:06:13,920 --> 00:06:19,920
to work either if the VPN is not already pinned up, because the DC again has to be available for user

88
00:06:19,920 --> 00:06:21,240
processing to complete.

89
00:06:22,170 --> 00:06:26,670
So if you have that option, you've defined a VPN connection in your Windows system,

90
00:06:27,540 --> 00:06:32,960
you have that option, that tick box at the logon screen that says, you know, connect to my VPN

91
00:06:32,970 --> 00:06:37,440
at logon, then you will get group policy processing for the user,

92
00:06:37,480 --> 00:06:40,200
foreground processing for the user, happening.

93
00:06:41,040 --> 00:06:46,860
And again, group policy processing in the background has no issues if the VPN is connected.
94
00:06:47,760 --> 00:06:53,490
So you know, you're booted up, you're logged in, your VPN is connected and that 90-minute plus 30

95
00:06:53,490 --> 00:06:57,120
minute random offset happens and background processing kicks off.

96
00:06:58,010 --> 00:07:01,550
Well, that's going to run just fine if the VPN's installed.

97
00:07:02,440 --> 00:07:08,050
But again, there are some policy areas like software installation and folder redirection that simply

98
00:07:08,050 --> 00:07:09,760
aren't going to run in the background.

99
00:07:10,640 --> 00:07:14,450
And then finally, some policy area processing differences.

100
00:07:15,370 --> 00:07:21,250
Again, I mentioned some policy areas won't run over slow links, like software installation, folder

101
00:07:21,250 --> 00:07:22,360
redirection, scripts.

102
00:07:23,260 --> 00:07:29,080
Some policy areas don't run in the background: folder redirection, software installation and, prior to

103
00:07:29,080 --> 00:07:36,520
Windows 8.1, GP Preferences drive mappings. And all policy areas won't process unless something has

104
00:07:36,520 --> 00:07:38,350
changed in that GPO list.

105
00:07:39,250 --> 00:07:44,890
Then again, you can override this on a per-area basis using that policy area that I mentioned in the

106
00:07:44,890 --> 00:07:45,910
previous slide.

107
00:07:46,780 --> 00:07:52,210
So just some oddities about group policy processing behavior that are important to note to ensure

108
00:07:52,210 --> 00:07:54,820
that policy's getting delivered the way you expect.