Introduction
Group Policy, like all other Microsoft technologies seems to change names and features, while the underlying technology remains the same. This change in name often gives the impression that the technology has changed, when it really has not changed at all. Take for example the concepts within Group Policy. There is a need to ensure that Group Policy refreshes, no matter what the state of the Group Policy settings are. This ensures that the new and already applied settings are applied again. However, as it came to my attention just this week, there is confusion in the industry about what each different option within Group Policy does with regard to applying Group Policy. With that said, we are going to tackle the past and present of enforcing Group Policy to apply, so that all policy settings are applied.
The Foundation of Group Policy Processing
Group Policy is a technology that has two different ways it can check for updates to a Group Policy Object. First, there is a foreground refresh, which is only performed for a user at logon and for a computer at start up. Second, there is a background refresh which occurs automatically for both the user and computer portion of the Group Policy Object and applies approximately every 60 minutes, with a variable offset of 0 to 30 minutes.
During these refresh periods the processing behavior controls how settings are applied from the Group Policy Objects. There are two scenarios for which this processing evaluates. First, if there have been no changes to any Group Policy Object settings, the version for each Group Policy Object will be the same as the last time the policy was processed, thus nothing in Group Policy will update to the target computer. The second scenario is when something has changed in any Group Policy object. If a setting has changed in any Group Policy Object then all of the settings in all Group Policy Objects will update. This is triggered due to a change in version number of the Group Policy Object with the changed policy. The version number is stored in the domain controller under the C:\Windows\Sysvol\Sysvol\<domain name>\Policies\<GUID of GPO> folder in a file named gpt.ini. When the Group Policy Object updates the target computer, the version number of the Group Policy Object that was applied is stored in the Registry.
“Enforce” in Windows 2000 Era
Back in the Windows 2000 era of Group Policy, there was a way to refresh policy without having to logoff/logon or restart the computer. It was a command line option, which started with secedit. You had to either refresh the computer or user portion of the Group Policy Object. If you were to just refresh the policy using this command, it would use the option, as listed above, to look at the version number and only update policy if the version number had changed. In order to ignore the version number and reapply all settings, even if no version number on any Group Policy Object had changed, you would have added the /enforce switch to the command. That would have looked something like this:
secedit /refreshpolicy machine_policy /enforce
“Enforced” in the Windows Server 2003 and Later Era
When Microsoft released Windows XP and Windows Server 2003 (and all later operating systems), they also included as an option, and preferred management tool named the Group Policy Management Console (GPMC). The GPMC does not run on Windows 2000, but does on all operating systems after 2000. Within the GPMC there is an option labeled “Enforced” which is associated with Group Policy Objects. You can see this option in Figure 1.
Figure 1: Enforce on a Group Policy Object in the GPMC.
Although this option uses the same word, ”Enforce”, as the previous Windows 2000 command line option, it has totally different meaning, scope, and function within Group Policy. The “Enforced” within the GPMC controls how the Group Policy Object and the settings within the Group Policy Object are handled with regard to precedence of the settings. In short, when all GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have the highest precedence, then those linked to the domain, and finally those linked to Active Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. What this means is that if there is a conflicting setting within two GPOs at different levels, the setting within the highest precedence GPO will “win” and be applied over the setting in the GPO that has lower precedence. It does not mean that all settings in the GPO that has the “Enforced” flag configured for it will be applied regardless of version number of the GPO.
“Force” in the Windows Server 2003 and Later Era
Starting with Windows XP and Windows Server 2003, the secedit command neither included the option to “refreshpolicy” nor the “enforce” switch. Instead, the secedit command and the lengthy switches that once were used to update policy on a target computer were replaced with gpupdate. Gpupdate run alone will update both the user and computer portion of the GPO, but only if there is a change to a GPO version. Just like the secedit command without the /enforce switch. Policy relies on the version number of the GPO in order to determine if there has been a change to trigger the new policies to be applied.
With the new gpupdate, you would add the /force switch to the command in order to apply all policy settings from all GPOs, ignoring the version number of the GPOs. There is no reason to use the switches to apply to user or computer, as gpupdate alone will apply to both portions. However, if you want to just update one part of the GPO, you can add in switches.
Summary
All Microsoft techies and administrators know fully that terminology changes from operating system to operating system and from interface change to another. We expect that to happen, but certainly we don’t like it. The inner workings of Group Policy and the “Enforce”, “Enforced”, and “Force” options are no different. Each seem like they might have similar actions, due to the common word “force” in them, but it is not the case in this instance. The worst part of having a terminology change is that an admin that understands the first term might assume that the next term has the same meaning, as it is so close and “who would name a different technology of function so close to an original technology or function?” Well, it happens and Group Policy is the victim here. So, make sure that you use the “Enforced” option within the GPMC correctly, as it has nothing to do with “forcing” policy updates regardless of version number. Instead, “Enforced” will force the policy settings to “win” any conflicts with other GPOs that have the same setting, yet the GPO has higher precedence. It is the “Force” switch used with the gpupdate command that ensures that all GPO changes apply to the target computer if there are no changes to a GPO version number.
