How To Optimize Group Policy for Logon Performance in Windows 2000 (315418)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q315418 SUMMARY This article describes how to optimize and configure Group
Policy to increase logon performance. When you start a Windows
2000-based computer that is a member of a domain, group policy settings from
the "Computer Settings" section of linked Group Policy objects (GPOs) are
processed and applied to the computer. Additionally, when you log on to the
domain, all group policy settings from the "User Configuration" sections of
each linked GPO are processed and applied. Because Windows takes time to apply
each policy setting, policy settings may slow the logon process, which can
result in a delay from the time that you start the computer to the time that
you are able to use the computer. This article describes methods that you can
use to minimize this delay.
back to the top
How to Reduce the Number of Processed GPOs Windows 2000 startup and logon times are directly proportional to
the number of GPOs that must be processed. GPOs that are linked to either a
site, a domain, or an organizational unit are processed by all computers and
users in either those sites, domains, or organizational units. To reduce
processing time for these group policy settings, use any of the following
methods:
- Use organizational units.
- Combine group policy settings.
- Filter Group Policy based on security group
membership.
- Disable portions of group policy settings.
back to the top
How to Use Organizational Units Use organizational units to distribute group policy settings in a
more granular form. When you link GPOs to organizational units, you can
minimize the processing of unnecessary GPOs. To create a GPO for an
organizational unit, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Click to expand the domain, right-click the organizational
unit that you want to configure, and then click Properties.
- Click the Group Policy tab, and then click New.
- Type a descriptive name for the GPO in the New Group Policy Object box, and then press ENTER.
- Click Properties, and then click the Security tab.
- Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply
this policy setting, click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy
setting, and then click OK.
- Click Edit, and then configure the policy setting that you want to use.
- When you are finished configuring the policy setting, quit
the Group Policy snap-in, and then click Close.
- Quit the Active Directory Users and Computers
snap-in.
back to the top
How to Combine Group Policy Settings It takes longer for Windows to process many small GPOs than it
does to process a few large GPOs. To reduce the time that it takes to log on to
the domain, combine the settings of several GPOs to create a single large
policy setting.
back to the top
How to Filter Group Policy Based on Security Group Membership Windows processes all linked group policy settings to determine
the effective policy setting to apply either to the computer or to the user
account that is logging on to the domain. If a GPO is not relevant to a
particular user or group, you can edit security permissions so that GPOs that
you select are not processed:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Do one of the following steps:
- If you want to edit the security settings of a GPO that
is linked to the domain, right-click the domain, and then click Properties.
- If you want to edit the security settings of a GPO that
is linked to an organizational unit, click to expand the domain, right-click
the organizational unit, and then click Properties.
- Click the Group Policy tab, click the GPO that you want configure, and then click Properties.
- Click the Security tab.
- Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply
the policy setting, and then click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy
setting.
NOTE: To restrict the application of a GPO based on security group
membership, you must remove both the Authenticated Users group and the Everyone
group from the Name list if they are present. If loopback processing has been
enabled, click the following article number to view the article in the
Microsoft Knowledge Base and read about additional instructions. Find the
sentence that begins "The machine account of the terminal server."260370 How to Apply Group Policy Objects to Terminal Services Servers
- Click OK, and then click OK.
- Quit the Active Directory Users and Computers
snap-in.
back to the top
How to Disable the Unused Section of Group Policy Settings GPOs contain a "Computer Configuration" section and a "User
Configuration" section. If the policy setting that you want to apply contains
configuration changes in only one section of the GPO, you can configure the GPO
so that the unused sections are not processed. When you do so, you can reduce
the time that it takes Windows to process the GPO.
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Do one of the following steps:
- If you want to edit the security settings of a GPO that
is linked to the domain, right-click the domain, and then click Properties.
- If you want to edit the security settings of a GPO that
is linked to an organizational unit, click to expand the domain, right-click
the organizational unit, and then click Properties.
- Click the Group Policy tab, click the GPO that you want to configure, and then click Properties.
- Do one or both of the following steps:
- Click to select the Disable Computer
Configuration settings check box, and then click Yes when you receive the "Confirm Disable" message.
- Click to select the Disable User Configuration
settings check box, and then click Yes when you receive the "Confirm Disable" message.
- Click OK, click Apply, and then click OK.
- Quit the Active Directory Users and Computers
snap-in.
back to the top
How to Configure Group Policy Settings to Run Asynchronously When you start Windows, policy settings from the Computer
Configuration section of each GPO are processed synchronously in the following
order:
- Local policy settings
- Site policy settings
- Domain policy settings
- Organizational unit policy settings
When the computer configuration policy settings are processed,
you are prompted to log on to the domain. When you log on to the domain, the
policy settings from the User Configuration section of each GPO are processed
synchronously in the following order:
- Local policy settings
- Site policy settings
- Domain policy settings
- Organizational unit policy settings
To decrease the time it takes to log on, configure asynchronous
processing of group policy settings. When you do so, policy settings are
downloaded and processed out of order, and you are able log on to the domain
before all of the policy settings are applied. To configure asynchronous
processing of group policy settings:
- Create a GPO that you can use to enable asynchronous group
policy processing in a domain.
- Configure asynchronous GPO processing.
The following sections describe how to complete this
procedure.
back to the top
How to Create a GPO for Asynchronous Processing To create a GPO that you can use to enable asynchronous group
policy processing in a domain:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Right-click your domain, and then click Properties.
- Click the Group Policy tab, and then click New.
- Type a name for this policy setting (for example,
Enable Asynchronous GPO Processing), and then press
ENTER.
- Click Properties, and then click the Security tab.
- Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply
this policy setting, click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy
setting, and then click OK.
back to the top
How to Configure Asynchronous GPO Processing- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Right-click your domain, and then click Properties.
- Click the Group Policy tab, click the GPO that you want to configure, and then click Edit.
- Under Computer Configuration, click to expand Administrative Templates, click to expand System, and then click Group Policy.
- In the Policy pane, double-click Apply Group Policy for computers
asynchronously during startup.
- Click Enabled if you want to enable asynchronous processing of computer policy
settings when Windows starts.
- Click Apply, and then click OK.
- Double-click Apply Group Policy for users
asynchronously during logon.
- Click Enabled if you want to enable asynchronous processing of policy settings
when a user logs on to the domain.
NOTE: You may receive undesired results when you enable this setting.
If you apply policy settings that have conflicting user configuration settings,
a user may experience these changes after they log on to the domain. For
example, the logged-on user may experience changes on the desktop or Start menu when each policy setting is processed. - Click Apply, and then click OK.
- Quit the Group Policy snap-in, and then click Close.
back to the top
REFERENCES For additional information about how to optimize Group
Policy, refer to the Group Policy Reference topic that is included with Windows
2000 Resource Kit. If Windows 2000 Resource Kit is installed, click Start, point to Programs, point to Windows 2000 Resource Kit, point to Documentation, and then click Group Policy. For more information about Windows 2000 Resource Kit,
visit the following Microsoft Web site: For
additional information about troubleshooting Group Policies, click the article
numbers below to view the articles in the Microsoft Knowledge Base: 246108 Windows 2000 Client May Not Apply Group Policies
218601 Local Group Policy Objects Cannot Be Set on a Per-User Basis
274269 Disabled Programs Are Displayed in the Software Installation Section of Group Policy Object
250842 Troubleshooting Group Policy Application Problems
263693 Group Policy May Not Be Applied to Users Belonging to Many Groups
227448 Using Secedit.exe to Force Group Policy to Be Applied Again
back to the top
Modification Type: | Major | Last Reviewed: | 9/27/2006 |
---|
Keywords: | kbGPO kbHOWTOmaster KB315418 kbAudITPro |
---|
|