From CertCities.com
Column

Forcing Group Policy Application
Derek shows you how to make sure the Group Policy configurations you set up stay that way.

by Derek Melber

1/6/2006 -- I think everyone agrees that Group Policy is the preferred and standard method to configure standardized desktops. Group Policy is also the only way to establish baseline security for all computers in the enterprise. With standards and security riding along the Group Policy technology wave, it is important to ensure that the settings are successfully affecting the target computers. In some cases, Group Policy can be controlled by the local user, which can cause a security issue or cause other features to fail. Here, we will discuss how you can force policy settings to apply to negate this situation.

Typical Group Policy Application
Group Policy settings are typically Registry changes that are configured on and distributed from domain controllers. Once the target object (computer or user) receives a setting, it alters the corresponding configuration on the computer. When a Group Policy Object is altered, a background refresh mechanism automatically applies the new policy settings to the target object. This process works perfectly until the user on the target computer is given administrative privileges, which gives them the ability to update the Registry manually.

Manual Hacks to the Registry
When the local user modifies the local Registry to overwrite a setting that a Group Policy Object established, they will succeed if they have been given administrative privileges on the computer. Ideally, you should not give any user administrative privileges on their computer. However, if you are forced to grant this access, you should take additional precautions to enforce policy application.

The reason a manual Registry change is so detrimental lies in how Group Policy processes settings. During the automatic background refresh, the client checks only the version number of the Group Policy Object, not the settings within it. Therefore, a manual change is not detected and is not overwritten at the next background refresh of the Group Policy Object.

Ensuring Group Policy Settings Apply
To ensure that your standardized settings and security settings apply to overwrite any manual changes made on target computers, you can configure additional policy settings. It might sound odd to configure policy settings to affect policy processing, but again, it is just a Registry toggle.

Before you configure the enforcement of policy settings, you need to pick and choose which settings you want to enforce. Good practice is to enforce the security settings and the Registry settings. Additional policy areas can also be enforced, but each one adds processing at every background refresh.

The setting you want to configure is under Computer Configuration, Administrative Templates, System, Group Policy.

Once at this node in the Group Policy Object, you will see numerous policies with the naming format “* policy processing.” After opening up the policy, you will be able to enable the policy and then select the “Process even if the Group Policy objects have not changed” check box. This will force the application of policy settings for the desired policy settings to overwrite manual changes.
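Because each “* policy processing” check box is ultimately a Registry toggle on the client, you can verify from the target computer itself whether enforcement actually reached it. The PowerShell audit below is an added example (not part of the column): it assumes, from my own knowledge of the client side, that the check box writes a REG_DWORD named NoGPOListChanges under HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{CSE GUID}, with 0 meaning “process even if unchanged,” and it maps only the Security client-side extension GUID by name; other extensions are shown by GUID alone.

```powershell
# Added example: audit which client-side extensions (CSEs) on this computer are set to
# "Process even if the Group Policy objects have not changed". Each CSE has a GUID subkey
# under the policy root; NoGPOListChanges = 0 means reprocess unchanged GPOs, 1 (or an
# absent value) means the default behaviour of skipping them. Run elevated.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

# Friendly names for CSE GUIDs. Only the Security CSE is mapped here; extend the table
# with other GUIDs from Microsoft's CSE reference as needed.
$KnownCse = @{
    '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' = 'Security policy processing'
}

function Get-GpoForcedProcessing {
    # Returns one object per CSE subkey present under the policy root.
    if (-not (Test-Path $PolicyRoot)) {
        Write-Warning 'No per-CSE processing policies are defined on this computer.'
        return
    }
    Get-ChildItem -Path $PolicyRoot | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $flag  = $props.NoGPOListChanges   # $null if the value was never written
        [pscustomobject]@{
            CseGuid            = $guid
            CseName            = if ($KnownCse.ContainsKey($guid)) { $KnownCse[$guid] } else { '(unmapped CSE)' }
            NoGPOListChanges   = $flag
            ForcedEveryRefresh = ($flag -eq 0)
        }
    }
}

function Test-SecurityPolicyForced {
    # True only when the Security CSE is set to reprocess GPOs that have not changed,
    # which is the setting this column recommends enabling.
    $sec = Get-GpoForcedProcessing |
        Where-Object { $_.CseGuid -eq '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' }
    return ($null -ne $sec -and $sec.ForcedEveryRefresh)
}

Get-GpoForcedProcessing | Format-Table -AutoSize
if (Test-SecurityPolicyForced) {
    'Security settings are reapplied at every background refresh.'
} else {
    'Security settings are reapplied only when the GPO version changes; enable the policy.'
}
```

Running the audit on a sample of workstations after the GPO has replicated is a quick way to confirm the enforcement setting arrived before relying on it.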

Start Applying
Ensuring that Group Policy settings have applied and will continue to apply is important for your organization. Without this assurance, you do not fully know how the computers are configured, potentially leaving your network in an insecure state. By forcing the application of key policy settings, you protect each computer, as well as the network as a whole.



Derek Melber manages AuditingWindows.com, the first dedicated Web site for Windows auditing and security. Online training related to Derek's latest book series, "Auditing Windows Security," is available at AuditLearning.org. Derek also provides customized training. Contact Derek at .

Copyright 2000-2005, 101communications LLC.