Man, if it were me I'd try to get up to XP SP2. Vista is a bit bleeding edge and much of my LOB stuff isn't ready yet... but 2000... most of the zero-day stuff works very nicely on that platform.

Graham Turner wrote:
Darren, thanks as ever for the reply.

This confirms my thoughts / fears!!

Vista looks interesting - stuck with Windows 2000 for now.

I guess we will need to stuff enough of the settings that we need to get the
computers to some sort of functional state into local group policy.

The big one for me is a user startup script - presumably we can put this into a
local startup script that is functionally equivalent to the group policy startup
script.

GT

PS: did try to subscribe to the gpoguy.com mail list last night but nothing back
from the request - ??


Hey, since when is GP not related to AD? GP is the reason AD is so
popular... Anyone shoots you down for it, they'll have to answer to the
gpoguy :-)

In Win2K, XP, and 2003, if there is no connectivity to a DC when computer
*foreground* processing occurs (this is the processing that occurs at
computer startup) then GP processing simply fails. After that, you're
correct to say that during the next scheduled background processing cycle,
GP will refresh. This could be as long as 120 minutes (90 minutes plus up to
30 minute randomized value). Note that you can reduce this background
interval to as low as every 7 seconds (not that you'd want to) via policy.
However, it's important to note that some policy requires a foreground
processing cycle (software installation or startup scripts in some cases
come to mind) so if the DC is never available during boot, these policies
will never process.

Now, Vista does something new. Vista has something called an "NLA refresh"
(well, that's what I call it). Vista uses an entirely different and more
dynamic mechanism for detecting the presence of a DC. What Vista says with
respect to GP refresh is, "if the last GP processing cycle failed, then as
soon as I detect that the DC is back online, I will trigger a background
policy refresh". So, it doesn't help with the foreground issues stated
above, but does significantly reduce the refresh time of up to 120 minutes.
Hope that helps.


Darren


Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com
-- the best source for GPO FAQs, video training, tools and whitepapers. Also
check out the Windows Group Policy Guide, the definitive resource for Group
Policy information.

Group Policy Management solutions at www.sdmsoftware.com





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, November 22, 2006 4:46 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] computer policy processing -retry behaviour

This is a query re processing of computer group policies. I note that it is not
strictly AD related, so I hope not to get 'shot down'!

I wanted to get a view on the 'retry' behaviour of the Windows 2000 group policy
engine, in a scenario of a user-initiated VPN, in which domain controller
connectivity is not available until some time after user logon.

This will impact the processing of computer policies that would normally be
downloaded and processed prior to CTRL-ALT-DEL.

Presumably, the initial computer policy processing would fail and only refresh on
the next scheduled interval??

OR does the GP engine attempt more aggressively to download policies on the
basis of an initial failure?

If not, it seems there are going to be major issues in endpoint config on the
basis of any machine policies not being processed some way after user logon.

Help on this gladly received.

GT


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/






--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

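As an added example that is not part of the thread (and not Microsoft's code), the following Python model captures the retry behaviour Darren describes: on Win2K/XP/2003, foreground processing at boot fails when no DC is reachable and the client waits for the next scheduled background cycle (90 minutes plus a random offset of up to 30 minutes), while Vista triggers a background refresh as soon as it detects the DC again. The `offsets` parameter and the `detection_latency` value are assumptions added so that the model is reproducible; it also records the thread's point that software installation and startup scripts only apply during a foreground cycle, so a late VPN connection never delivers them.

```python
import random

# Timings quoted in the thread (constructed model, not the real GP engine).
REFRESH_MINUTES = 90
MAX_OFFSET_MINUTES = 30

# Extensions the thread names as requiring a foreground (startup) cycle.
FOREGROUND_ONLY = ("software installation", "startup scripts")


def legacy_refresh_delay(dc_reachable_at, offsets=None, seed=0):
    """Win2K/XP/2003 model.

    dc_reachable_at: minutes after boot at which the VPN brings the DC online.
    offsets: optional fixed per-cycle random offsets (assumed helper for
             reproducible results); otherwise a seeded RNG draws 0..30 minutes.
    Returns minutes between the DC becoming reachable and the first scheduled
    background refresh that can succeed.
    """
    if dc_reachable_at <= 0:
        # DC present at startup: foreground processing succeeds immediately.
        return 0.0
    rng = random.Random(seed)
    t = 0.0
    cycle = 0
    while True:
        if offsets:
            offset = offsets[cycle % len(offsets)]
        else:
            offset = rng.uniform(0, MAX_OFFSET_MINUTES)
        # Each cycle is scheduled 90 minutes plus the offset after the last.
        t += REFRESH_MINUTES + offset
        cycle += 1
        if t >= dc_reachable_at:
            return t - dc_reachable_at


def vista_refresh_delay(dc_reachable_at, detection_latency=0.0):
    """Vista model: because the previous cycle failed, detecting the DC
    ("NLA refresh" in the thread) triggers a background refresh straight away.
    detection_latency is an assumed knob for how long detection itself takes."""
    if dc_reachable_at <= 0:
        return 0.0
    return detection_latency


def worst_case_legacy_delay():
    """Upper bound quoted in the thread: 90 + 30 = 120 minutes."""
    return REFRESH_MINUTES + MAX_OFFSET_MINUTES


def applies_after_background_refresh(setting):
    """Ordinary settings catch up on a background refresh; the foreground-only
    extensions do not, regardless of how quickly the refresh runs."""
    return setting.lower() not in FOREGROUND_ONLY


def compare(dc_reachable_at, offsets=None):
    """Side-by-side summary for a VPN that comes up dc_reachable_at minutes after boot."""
    return {
        "legacy_delay_minutes": legacy_refresh_delay(dc_reachable_at, offsets),
        "vista_delay_minutes": vista_refresh_delay(dc_reachable_at),
        "startup_scripts_applied": applies_after_background_refresh("startup scripts"),
    }


if __name__ == "__main__":
    # VPN up 5 minutes after boot, worst-case 30 minute offset every cycle.
    print(compare(5, offsets=[30]))
```

Running the block prints a 115 minute wait for the legacy engine against an immediate refresh on Vista, with startup scripts not applied in either case; dropping the offset to 0 shows the 85 minute best case, and any `dc_reachable_at` of 0 returns no delay because foreground processing succeeded at boot.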
