The client-side extensions are loaded on an as-needed basis when a client computer is processing policy. The client computer first gets a list of Group Policy objects. Next, it loops through all the client-side extensions and determines whether each client-side extension has any data in any of the GPOs. If a client-side extension has data in a GPO, the client-side extension is called with the list of Group Policy objects that it should process. If the client-side extension does not have any settings in any of the GPOs, it is not called.
Computer Policy for Client-Side Extensions
A computer policy exists for each of the Group Policy client-side extensions (located in Computer Configuration\Administrative Templates\System\Group Policy). Each policy includes a maximum of three options (check boxes). Some of the client-side extensions include only two computer policy options; in those cases, this is because the third option is not appropriate for that extension. The computer policy options are:
• Allow processing across a slow network connection. When a client-side extension registers itself with the operating system, it sets preferences in the registry, specifying whether it should be called when policy is being applied across a slow link. Some extensions move large amounts of data, so processing across a slow link can affect performance (for example, consider the time involved in installing a large application file across a 56 Kbps modem line). An administrator can set this policy to mandate that the client-side extension should run across a slow link, regardless of the amount of data.
• Do not apply during periodic background processing. Computer policy is applied at boot time, and then again in the background, approximately every 90 minutes thereafter. User policy is applied at user logon, and then approximately every 90 minutes after that. The Do not apply during periodic background processing option gives the administrator the ability to override this logic and force the extension to either run or not run in the background. Note: the Software Installation and Folder Redirection extensions process policy only during the initial run because it is risky to process policy in the background. For example, with Software Installation application upgrades, applications are installed during the initial run and not in the background. If it were done in the background, a user could be running an application, and then have it uninstalled and a new version installed. The application could also have a shared component that is in use by another application. This would prevent the installation from completing successfully.
• Process even if the Group Policy Objects have not changed. By default, if the GPOs on the server have not changed, it is not necessary to continually reapply them to the client, since the client should already have all the settings. However, local administrators may be able to modify the parts of the registry where Group Policy settings are stored. In this case, it may make sense to reapply these settings during logon or during the periodic refresh cycle to get the computer back to the desired state.
For example, assume that you have used Group Policy to define a specific set of security options for a file. Then the user (with administrative credentials) logs on and changes it. The Group Policy administrator may want to set the policy to process Group Policy even if the GPOs have not changed so that the security is reapplied at every boot. This also applies to applications. Group Policy installs an application, but the end user can remove the application or delete the icon. This option gives the administrator the ability to restore the application at the next user logon, even if the Group Policy
Note that, by default, security settings are applied every 16 hours (960 minutes) even if a GPO has not changed. It is possible to change this default period by using the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{82...}\MaxNoGPOListChangesInterval, REG_DWORD, in number of minutes.
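The three options above can be audited per extension from the registry. The script below is an added example, not part of the original document: it lists every registered client-side extension with its slow-link, background and no-change preferences, plus MaxNoGPOListChangesInterval where set. It assumes the value names NoSlowLink, NoBackgroundPolicy and NoGPOListChanges and the computer policy override location under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy, neither of which is stated on this page.

```powershell
# Added example: report how each registered client-side extension (CSE) will be processed.
# Assumption: value names and the Policies override path follow the documented
# Group Policy registry layout; they do not come from this page.
$regBase    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$flags      = 'NoSlowLink', 'NoBackgroundPolicy', 'NoGPOListChanges', 'MaxNoGPOListChangesInterval'

# Checked in order: a computer policy value overrides the CSE's own registration.
$sources = @(
    @{ Label = 'policy';       Base = $policyBase },
    @{ Label = 'registration'; Base = $regBase }
)

function Get-CseSetting {
    param([string]$Guid, [string]$Name)
    foreach ($src in $sources) {
        $key = Join-Path $src.Base $Guid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
            return [pscustomobject]@{ Value = $props.$Name; Source = $src.Label }
        }
    }
    return $null   # value not set anywhere: built-in default applies
}

$report = Get-ChildItem -LiteralPath $regBase | ForEach-Object {
    $guid = $_.PSChildName
    # The key's default value holds the extension's display name.
    $row  = [ordered]@{ Guid = $guid; Name = $_.GetValue('') }
    foreach ($flag in $flags) {
        $setting = Get-CseSetting -Guid $guid -Name $flag
        $row[$flag] = if ($setting) {
            '{0} ({1})' -f $setting.Value, $setting.Source
        } else {
            'not set'
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap

# Extensions that skip unchanged GPOs do not correct local tampering until a GPO changes
# (or until MaxNoGPOListChangesInterval elapses, where the extension honors it).
$report | Where-Object { $_.NoGPOListChanges -like '1 *' } |
    Select-Object Name, Guid, NoGPOListChanges, MaxNoGPOListChangesInterval
```

Run it from an elevated prompt on the client being reviewed; the second listing shows the extensions for which Process even if the Group Policy Objects have not changed is not in effect.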
The following table lists the client-side extensions that include only two computer policy options, as well as the reason for this.
| Client-side extension | Missing policy check box | Reason |
|---|---|---|
| Registry | Slow link (Allow processing across a slow network connection) | Registry policy is always applied because it controls the other client-side extensions. |
| Security Settings | Slow link (Allow processing across a slow network connection) | To ensure that security settings are in effect, they must always be applied, even across a slow link. |
| Folder Redirection | Background processing (Do not apply during periodic background processing) | Users’ files could be in use while they are logged on. |
| Software Installation | Background processing (Do not apply during periodic background processing) | Users’ software could be in use while they are logged on. |
Policy Settings for Group Policy
You can use administrative templates to configure how you use Group Policy. Policy settings are located in the following areas of the Group Policy Object Editor:
• Computer Configuration\Administrative Templates\System\Group Policy
• User Configuration\Administrative Templates\System\Group Policy
For details on these policy settings, double-click the policy in the details pane, and then in the policy