There is no question that Group Policy inside Active Directory is the most efficient and logical way to configure and maintain security for all of your domain controllers, servers, and desktops. The question becomes how to maintain and control the application of the security settings, as well as the refresh of settings that you make in a Group Policy object (GPO)? There are many ways to control how security settings are refreshed and controlled, some of which are already occurring on your network now and can be tweaked if you want to go down that path. This article will go into the different methods that are available for controlling how security settings refresh and apply from Group Policy.
Which Settings are Security Settings?
To make sure that we are all on the same page, I wanted to make sure that everyone knew exactly what fell under “security settings” within a Group Policy object. If you open up a standard GPO on a Windows Server 2008 computer, you would need to expand the Computer Configuration|Policies|Windows Settings|Security Settings node to see all of the security related settings that I am referring to for this article (There are a few settings that fall under User Configuration|Policies|Windows Settings|Security Settings, but they are not used often, but do also fit into this category), as shown in Figure 1.
Figure 1: Security settings in a standard Group Policy object
The reason that all of these settings fall under this category is because they are all controlled by the Security Client Side Extension (CSE). We will see that the Security CSE can be controlled separately from the other CSEs and behaves a bit different than the others as well.
Manual Refreshing
Group Policy has an automatic background refresh, but in some cases the interval is not fast enough for the settings that you want to deploy. In this case, Group Policy refresh can be triggered by a simple command, which is very helpful during times when you are testing or wanting to get a setting to a computer immediately. In order to refresh Group Policy (which will include the security settings), you will run GPUPDATE from a command prompt. For computers that are joined to a domain, this will apply all new settings from the local and Active Directory based GPOs.
If you have NOT made any changes to the GPO that contains your security settings, but still want the settings to apply manually, you can use the /force switch with the GPUPDATE command. This switch will force the application of all GPO settings without considering the GPO version number or updates to the GPO. It will just reapply all settings contained in all GPOs.
Note: If you want to use a manual refresh to deploy security settings (or any other settings for that matter) from a central location, look into GPUPDATE by Special Operations Software (www.specopssoft.com). Oh, BTW… this is free!
Automatic Background Refresh
Group Policy has an awesome feature which is to constantly apply in the background, without a user needing to logoff and back on, or a computer to be rebooted. By default background refreshes occur approximately every 90 minutes. This is a 90 minute base refresh time, with a 30 minute offset. This automatic background refresh is controlled by a GPO setting under the Computer Configuration|Policies|Administrative Templates|System|Group Policy node. The setting that you would configure to modify the default background refresh settings is the Group Policy refresh interval for computers, as shown in Figure 2.
Figure 2: Group Policy refresh can be altered with this policy setting
My point with showing you this setting is not that you should alter it here. There are a few good reasons not to do that. First, every 90 minutes is good enough for GPO refresh. Second, if you alter the background refresh interval, it will affect all CSEs, not just the security settings. This could cause some dramatic performance issues on all computers on the network, which is not something you want to do, of course!
What you might want to do with regard to the security settings during a background refresh is ensure they apply each time. This is not necessary due to the way security settings behave on another interval (see next section), however, if you have a situation where users are configured as administrators on their desktop, it is not a horrible idea to consider forcing all security settings to apply each time Group Policy refreshes in the background. To make this setting for security settings in a GPO, head to Computer Configuration|Policies|Administrative Templates|System|Group Policy. There you will find a policy named Security policy processing, which is shown in Figure 3.
Figure 3: Security settings can be forced to apply each time GPO applies
By checking the Process even if the Group Policy objects have not changed you will only be triggering the security settings to apply each time, not each CSE.
Security Settings “Unique” Background Refresh
With over 30 CSEs, a GPO is constantly doing work on your network. The one CSE that is unique, however, is the security setting CSE. This CSE behaves like the other CSEs, except for the fact that every 16 hours the security settings CSE applies all settings in all GPOs regardless of a change occurring to the GPO. This differs from other CSEs with the fact that if no settings change in a GPO, the GPO settings do not reapply.
This is a great feature and one that can be altered. Unlike the other settings that I have shown to you in this article, this setting is NOT a GPO setting. Rather, it is a registry setting. If you want to tweak this setting yourself, you can do so by modifying the MaxNoGPOListChangesInterval which is located in the registry:
HKLM \ Software | Microsoft | Windows NT | CurrentVersion | Winlogon \ GPExtensions | {827D319E-6AC-11D2-A4EA-00C04F79F83A}
(Note: This long string of characters is the GUID for the Security CSE.) You can see this path and the key interval setting in Figure 4.
Figure 4: Security CSE Registry settings, including the MaxNoGPOListChangesInterval value
Note:
The MaxNoGPOListChangesInterval Registry value is input as a DWORD value and has units of minutes. If you want 16 hours, that is 960 minutes in the Registry.
Summary
If security is essential for your organization and you use Group Policy to implement security, you can gain more control over how Group Policy delivers security settings. You have many options to force and control refreshes, and even ensure security settings are consistent over time with Group Policy. There are manual methods that can be controlled at the target computer, as well as solutions that plug directly into the Active Directory Users and Computers tool to manage updates to Group Policy from a central location, such as those by Specops. If you want your security settings to refresh at each background refresh, you can tweak the CSE setting to ensure that this occurs. Finally, you can alter the periodic special security background refresh which normally occurs every 16 hours. With all of this control, your security on servers and desktops should be intact and exactly what you want it to be at all times.
