لطفا منتظر باشید ...
GPO IMPLEMENTATION
The previous sections of this chapter provide some understanding of Group Policy application and usage. Before we discuss actually implementing GPO, there are a few systemic issues to address regarding Group Policy behavior.
Refreshing Policy Settings
Understanding the basic Group Policy refresh schedule is helpful when changing group policies on your local system. Once a group policy has been changed on a domain controller, the group policies on the local system must be refreshed in order to take effect. Client computers that are not domain controllers receive policy refreshes every 90 minutes plus or minus a random time interval. The random interval helps distribute client requests evenly so that they do not all come in at the same time. To change the interval in a GPO, select Computer Configuration Administrative Templates System Group Policy Group Policy refresh interval for computers (Figure 8.30).
Figure 8.30. Setting Client Group Policy Refresh Intervals
Domain controllers refresh group policies more frequently. The default Group Policy setting for DCs, via Computer Configuration Administrative Templates System Group Policy Group Policy refresh interval for domain controllers, sets the refresh interval for every 5 minutes (Figure 8.31). This is why successive examples should be executed on a domain controller.
Figure 8.31. Setting Domain Controller Group Policy Refresh Intervals
NOTESecurity policy refresh can be instigated from the command line. The gpudate command has replaced secedit utility. Use secedit for Windows 2000 servers and gpupdate for Windows 2003 servers. These commands are discussed in the appendix; its basic forms are:
Group policies are also refreshed when the system is started. Obviously, shutting down and booting a system could prove troublesome when simply trying to refresh policy settings.
secedit /refreshpolicy machine_policy /enforce (for Windows 2000 computer settings)
secedit /refreshpolicy machine_policy /enforce (for Windows 2000 user settings)
gpupdate /enforce (Windows Server 2003)
PDC Operations Manager
In addition to performing the functions of the primary domain controller (PDC Emulator), the PDC Operations Manager is the default domain controller that handles Group Policy modifications. When the PDC Operations Manager is not available, an error message is displayed and the administrator may select another domain controller to handle changes. When you do this, be sure that all previous Group Policy changes have propagated throughout the domain and that no other administrator is currently making modifications.
