In a previous series of articles on Windows Server 2003 group policy, I described what group policies are and how they work. The next question to ask is ‘How does Windows Server 2003 apply group policies?’
Before you can fully understand the implications of group policies, you need to see how Windows Server 2003 applies them. In this series of articles, I’ll look at how Windows Server 2003 applies the group policies you create.
Which comes first?
Windows Server 2003 processes the local group policy object (GPO) first, followed by the site, domain, and applicable organizational units (OUs). The client requests a GPO list from the domain controller (DC) and then processes that list to apply the policies contained in the GPO(s). The client processes the GPOs according to the priority in the DC-supplied list. Windows Server 2003 processes GPOs at startup, logon, and when the GPO refresh period is reached, which by default is 90 minutes.
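The processing order described above can be modelled in a few lines. This is an added example, not code from the original article or from Windows: the GPO names, OU paths and setting names are constructed sample data. It assumes the default behavior in which a later-processed GPO overwrites an earlier one on conflict and parent OUs are processed before child OUs, and it does not model link options that alter that order.

```python
# Added illustration of local -> site -> domain -> OU processing order.
# All GPO names, OU paths and setting names below are constructed sample data.
from dataclasses import dataclass

SCOPE_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class Gpo:
    name: str
    scope: str              # "local", "site", "domain" or "ou"
    settings: dict
    ou_path: tuple = ()     # for OU links: path from the top-level OU down

def processing_order(gpos, object_ou_path):
    """Return the GPOs that apply to an object, in the order they are processed."""
    applicable = []
    for g in gpos:
        if g.scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope: {g.scope!r}")
        if g.scope == "ou":
            # An OU-linked GPO applies only if the object sits in or below that OU.
            if not g.ou_path or tuple(object_ou_path[:len(g.ou_path)]) != g.ou_path:
                continue
        applicable.append(g)
    # Parent OUs come before child OUs, so OU links are sorted by depth.
    return sorted(applicable, key=lambda g: (SCOPE_ORDER[g.scope], len(g.ou_path)))

def resultant_settings(gpos, object_ou_path):
    """Apply GPOs in order; a later GPO overwrites an earlier one on conflict.
    Returns {setting: (value, name_of_winning_gpo)}."""
    result = {}
    for g in processing_order(gpos, object_ou_path):
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

SAMPLE_GPOS = [  # constructed sample data, deliberately out of order
    Gpo("Workstations-OU", "ou", {"ScreenLockMinutes": 5}, ("Corp", "Workstations")),
    Gpo("Default-Domain", "domain", {"ScreenLockMinutes": 15, "AuditLogon": "on"}),
    Gpo("Local", "local", {"ScreenLockMinutes": 60, "Banner": "local"}),
    Gpo("Corp-OU", "ou", {"ScreenLockMinutes": 10, "Banner": "corp"}, ("Corp",)),
    Gpo("Servers-OU", "ou", {"ScreenLockMinutes": 1}, ("Corp", "Servers")),
    Gpo("HQ-Site", "site", {"AuditLogon": "off"}),
]

if __name__ == "__main__":
    path = ("Corp", "Workstations")
    print([g.name for g in processing_order(SAMPLE_GPOS, path)])
    for key, (value, source) in sorted(resultant_settings(SAMPLE_GPOS, path).items()):
        print(f"{key} = {value}  (from {source})")
```

Recording the winning GPO next to each value makes it easy to see when a setting defined at the domain level is overwritten by an OU-linked GPO.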
On the client side, a group of DLLs — referred to as client-side extensions — performs the group policy processing. Each DLL is responsible for specific policies. Below is a list of the client-side extensions and the policies they process.
- Registry: Userenv.dll
- Disk Quota: Dskquota.dll
- Folder Redirection: Fdeploy.dll
- Scripts: Gptext.dll
- Software Installation: Appmgmts.dll
- Security: Scecli.dll
- IP Security: Gptext.dll
- EFS Recovery: Scecli.dll
- Internet Explorer Maintenance: Iedkcs32.dll
- Remote Installation Services: None
Each GPO can include policy settings for both User Configuration and Computer Configuration. The client gives precedence to the Computer Configuration policies over the User Configuration policies by processing the User Configuration policies first. In some situations, this precedence can cause unexpected results. For example, a user’s computer might reside in one OU and the user account in a different OU. So how do you determine which GPO is applied? Group policy loopback lets you control that behavior.