For a network administrator, the most common complaint about Group Policy is: "I set a policy, so why doesn't it work?" In a fairly large network, Group Policy can greatly reduce the administrator's workload, but the chance of something going wrong is also fairly high. Part of this is carelessness in day-to-day operation; part is that the result Group Policy actually produces differs from what the administrator expected.
Key to Group Policy application
Here are a few practices that Microsoft does not recommend, and the points behind them:
1. Do not delete the two default policies (Default Domain Policy and Default Domain Controllers Policy); many problems arise precisely because one of them was deleted. Use the Group Policy Management Console (GPMC) to back both of them up so they can be restored later. If you try to delete a default policy directly in GPMC you will find that it refuses, but some experienced readers know other ways to remove them. Since this is an unsupported practice, I hope you will not do it. (If one of them has already been lost, the dcgpofix tool recreates it in its original, out-of-the-box state, which does not bring back any customizations you made; only a GPMC backup does that.)
2. Group Policy cannot be linked to a user group. Many administrators who are new to Active Directory assume that a GPO can be applied to a user group; it cannot. A GPO is not a policy for a group of users but a collection of settings that can only be linked to sites, domains, and organizational units. What you can do is narrow a linked GPO with security filtering: grant the group the Read and Apply group policy permissions and remove Apply (but not Read) from Authenticated Users, since the computer account must still be able to read the GPO. Even then the GPO only reaches users and computers that sit inside the container it is linked to.
3. When Group Policy takes effect
(1) Order of application
Normal processing order: local policy → site policy → domain policy → parent OU policy → child OU policy. Policies processed later win when settings conflict, so the child OU is the most specific.
When a computer starts, an "Applying security policy" (or "Applying computer settings") message appears before the logon dialog box; that is the local and computer policy being processed.
When a conflict occurs, the setting applied last overrides the others. Where the same setting exists under both Computer Configuration and User Configuration, the computer setting takes precedence even if the user setting was configured later. If a parent container's Group Policy setting conflicts with a child container's, the child container's setting takes effect in the end. Multiple GPOs linked to the same container are applied according to their link order: the link with the lowest number (link order 1) is processed last and therefore has the highest precedence. Two exceptions change this picture: a link marked Enforced wins over settings further down the tree, and an OU with Block Inheritance set ignores non-enforced links from above it. So when several GPOs are linked to one container, look closely at their order, enforcement and inheritance settings; the problem may simply be improper sequencing.
(2) Effective time
By default, a computer that is not a domain controller refreshes its policy every 90 minutes plus a random offset of up to 30 minutes; the offset keeps many computers from contacting the same domain controller at the same moment. Domain controllers refresh every 5 minutes, so urgent security settings reach them quickly; this value can be changed with the "Group Policy refresh interval for domain controllers" setting (Figure 1). Note that a background refresh does not re-apply every kind of setting: software installation, folder redirection and startup/logon scripts are only processed at startup or logon.
Figure 1: Changing the "Group Policy refresh interval for domain controllers" setting
On Windows 2000 you can force a refresh with secedit /refreshpolicy machine_policy or secedit /refreshpolicy user_policy; on Windows XP, Windows Server 2003 and later use gpupdate /force. (gpresult, by contrast, only reports the resultant set of policy; it does not refresh anything.) If new settings do not take effect, consider whether the refresh interval is the problem, and remember the settings that only apply at startup or logon.
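The following PowerShell script is an added example, not code from the original article: it walks the three points above as a troubleshooting pass on a current domain (Windows Server 2008 R2 or later with the GroupPolicy and ActiveDirectory modules, not the Windows 2000/XP era the article describes). The OU path, the GPO name "Kiosk Lockdown", the group "GPO-Users-Kiosk", the host "WS01" and the backup folder are assumed placeholders to be replaced.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module
# (RSAT or a domain controller) and the ActiveDirectory module for Get-ADDomain.
# Assumed/hypothetical values: the OU path, GPO name, group name, hostname and backup folder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$targetOU    = "OU=Workstations,$domainDN"       # assumed OU; replace with yours
$gpoName     = "Kiosk Lockdown"                  # assumed GPO name
$filterGroup = "GPO-Users-Kiosk"                 # assumed security group
$backupDir   = "C:\GPO-Backups\$(Get-Date -Format yyyyMMdd)"

# 1. Back up the two default GPOs before touching anything, then confirm they exist;
#    a missing default GPO explains many "the policy does nothing" reports.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($name in "Default Domain Policy", "Default Domain Controllers Policy") {
    Backup-GPO -Name $name -Path $backupDir -Comment "pre-change backup" | Out-Null
}
Get-GPO -All | Where-Object { $_.DisplayName -like "Default*" } |
    Select-Object DisplayName, Id, ModificationTime

# 2. GPOs link to containers, not groups: scope a linked GPO with security filtering.
#    Keep Read for Authenticated Users (computer accounts must read user-side GPOs),
#    drop their Apply, and grant the group Read + Apply.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# 3(1). Precedence on the target OU: Order 1 is applied last and wins a conflict.
#       Enforced links beat Block Inheritance set further down the tree.
$inh = Get-GPInheritance -Target $targetOU
"Inheritance blocked on ${targetOU}: $($inh.GpoInheritanceBlocked)"
"Links on this OU:"
$inh.GpoLinks | Sort-Object Order | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
"Effective chain incl. inherited links (highest precedence first):"
$inh.InheritedGpoLinks | Format-Table Order, DisplayName, Target, Enforced -AutoSize

# 3(2). Refresh interval: these values exist only when an interval was set by policy;
#       if nothing is present the defaults apply (90 min + 0..30 min offset; DCs 5 min).
$gpKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
Get-ItemProperty -Path $gpKey -ErrorAction SilentlyContinue |
    Select-Object GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, GroupPolicyRefreshTimeDC

# Force a refresh instead of waiting: locally with gpupdate, remotely with
# Invoke-GPUpdate (the target needs the remote scheduled-task firewall rules open).
gpupdate /force /target:computer
Invoke-GPUpdate -Computer "WS01" -Force -RandomDelayInMinutes 0   # assumed hostname

# Finally check what actually applied. gpresult only reports; it does not refresh.
gpresult /r /scope:computer
Get-GPResultantSetOfPolicy -ReportType Html -Path "$backupDir\rsop-$env:COMPUTERNAME.html" | Out-Null
```

Run it from an elevated PowerShell session as a domain administrator. The permission step is the one to read carefully: replacing Authenticated Users' entry with GpoRead rather than removing it is what keeps the GPO readable to computer accounts, and forgetting that is a common reason a security-filtered user GPO silently stops applying.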