Friday, January 24, 2020

Windows Server - Link, Apply and Refresh GPOs

Linking GPOs

Be sure to properly scope your GPOs
To apply the settings of a GPO to the users and computers in a site, domain, or OU, you link the GPO to that container. A GPO link is the logical connection between the policy object and the container it applies to. One GPO can be linked to many containers, and one container can carry many links; the link order on the container decides precedence, with link order 1 processed last and therefore winning conflicts.
[Figure: GPOs applied at the different levels of an organization: sites, domains, and OUs.]
Links are inherited and can be modified
By default, once you link a GPO to a container, the policy applies to every child container and object beneath it, so a GPO linked at the domain level reaches every OU in the domain. You can modify this behavior in two ways: Block Inheritance on a child OU stops GPOs linked above it from applying there, and Enforced on a link overrides any Block Inheritance below it and wins conflicts with GPOs linked lower in the tree. Enforced links deserve attention during a review, because they are the usual way a setting reaches an OU whose owners believed they had blocked it. You can also disable a link, which stops the GPO from applying to that container without changing the GPO itself, and you can delete a link, which removes only the logical connection to the container, never the GPO.

You cannot link GPOs directly to users, groups, or computers; the container is the smallest unit of scoping, and security filtering (Read plus Apply Group Policy on the GPO) or a WMI filter narrows which objects inside the container actually apply it. Nor can you link GPOs to the default system containers in AD DS, including Builtin, Computers, Users, and Managed Service Accounts: objects sitting there receive only GPOs linked at the domain level (and, for computers, at the site level). Because newly joined computers and newly created users land in the Computers and Users containers by default, most organizations keep their user and computer objects in OUs and redirect the defaults with the built-in redircmp.exe and redirusr.exe tools, so that new objects are created in an OU that already carries the right policies.
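The following PowerShell walks through the whole linking lifecycle described above (link, inherit, block, enforce, disable, delete) using the GroupPolicy and ActiveDirectory modules from RSAT. It is an added example, not code from the original post; the domain, the Workstations and Lab OUs and the WS-Baseline-Security GPO name are assumptions, and it must run as an account that can edit Group Policy in the domain.

```powershell
# Added example: link, scope and unlink a GPO with the GroupPolicy module (RSAT).
# Domain, OU and GPO names are assumptions for the demo.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName            # e.g. DC=corp,DC=example,DC=com
$wsOU     = "OU=Workstations,$domainDN"                  # assumed parent OU
$labOU    = "OU=Lab,OU=Workstations,$domainDN"           # assumed child OU
$gpoName  = "WS-Baseline-Security"                       # assumed GPO name

# 1. Create the GPO if it does not exist and link it to the Workstations OU at link order 1.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Workstation security baseline" }
$alreadyLinked = (Get-GPInheritance -Target $wsOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $wsOU -LinkEnabled Yes -Order 1 | Out-Null
}

# 2. The child OU inherits the link: show what Lab receives and from which container.
(Get-GPInheritance -Target $labOU).InheritedGpoLinks |
    Select-Object DisplayName, Target, Enforced, Enabled | Format-Table -AutoSize

# 3. Block inheritance on Lab; the baseline no longer appears in its inherited links.
Set-GPInheritance -Target $labOU -IsBlocked Yes | Out-Null
(Get-GPInheritance -Target $labOU).InheritedGpoLinks.DisplayName -contains $gpoName

# 4. Enforce the link on Workstations; the baseline reaches Lab again despite the block.
Set-GPLink -Name $gpoName -Target $wsOU -Enforced Yes | Out-Null
(Get-GPInheritance -Target $labOU).InheritedGpoLinks.DisplayName -contains $gpoName

# 5. Disable the link (GPO remains, stops applying), then delete the link (GPO still remains).
Set-GPLink -Name $gpoName -Target $wsOU -LinkEnabled No | Out-Null
Remove-GPLink -Name $gpoName -Target $wsOU | Out-Null
Get-GPO -Name $gpoName | Select-Object DisplayName, Id

# 6. Audit: every enforced link in the domain, because enforcement overrides Block Inheritance.
$containers = @($domainDN) + (Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
foreach ($c in $containers) {
    (Get-GPInheritance -Target $c).GpoLinks | Where-Object Enforced |
        Select-Object @{ n = 'Container'; e = { $c } }, DisplayName, Order
}

# 7. Keep new objects out of the default containers (run once, as a Domain Admin):
#    redircmp.exe "OU=Workstations,$domainDN"
#    redirusr.exe "OU=Staff,$domainDN"
```

Step 6 is the part worth keeping as a recurring check: an unexpected Enforced link, especially one at the domain level, is how a policy bypasses the scoping your OU design was supposed to guarantee.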

When are GPOs applied?

Applying Computer Configuration Settings
Computer Configuration settings are applied at startup and then refreshed in the background every 90 minutes, plus a random offset of 0 to 30 minutes, so any given computer refreshes every 90 to 120 minutes; the offset spreads the load on the domain controllers. This is the default interval, and it is configurable. Domain controllers are the exception: they refresh their settings every five minutes.
Applying User Configuration Settings
User Configuration settings are applied at sign-in (not at startup) and then refreshed in the background on the same 90-minute-plus-offset schedule, which is configured separately from the computer interval. Starting in Windows 8.1 and Windows Server 2012 R2, logon scripts run five minutes after sign-in by default so that the desktop appears sooner. You can change or remove this delay by configuring Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay; disabling the policy runs the scripts immediately.

A number of user settings require two sign-ins before the user sees the effect of the GPO. The reason is Fast Logon Optimization: Windows client editions do not wait for the network at startup and sign-in, but sign the user in immediately with cached credentials and process Group Policy asynchronously in the background. Settings that can only be applied synchronously in the foreground, such as Folder Redirection and Software Installation, are therefore only noted during that first sign-in and take effect at the next one. If such settings must be in place on the first sign-in (a folder redirection or an application deployment that has to exist before the user starts working), enable Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon, at the cost of a slower sign-in. Server editions already process policy synchronously by default.
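The two settings just mentioned, synchronous foreground processing and the logon script delay, are both plain Administrative Template values, so they can be written into a GPO and verified on a client from PowerShell. The block below is an added example, not code from the original post. The GPO name is an assumption, and the registry value names (SyncForegroundPolicy, EnableLogonScriptDelay) are the ones the corresponding ADMX policies write; confirm them against Logon.admx and GroupPolicy.admx on your build before relying on them.

```powershell
# Added example: force synchronous foreground processing and remove the logon-script delay,
# then verify on a client. GPO name and registry value names are assumptions (see lead-in).
Import-Module GroupPolicy

$gpoName = "WS-Baseline-Security"   # assumed GPO, already linked to the workstation OU

# "Always wait for the network at computer startup and logon"
# (Computer Configuration\Policies\Administrative Templates\System\Logon)
$winlogonKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-GPRegistryValue -Name $gpoName -Key $winlogonKey `
    -ValueName SyncForegroundPolicy -Type DWord -Value 1 | Out-Null

# "Configure Logon Script Delay" (Computer Configuration\...\System\Group Policy).
# Disabled (0) runs logon scripts immediately instead of after the default five minutes.
$systemKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $gpoName -Key $systemKey `
    -ValueName EnableLogonScriptDelay -Type DWord -Value 0 | Out-Null

# Read back what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $winlogonKey
Get-GPRegistryValue -Name $gpoName -Key $systemKey

# On a client, after the next refresh, confirm the values arrived. Run locally or via
# Invoke-Command -ComputerName <client> -ScriptBlock ${function:Test-ForegroundPolicyConfig}.
function Test-ForegroundPolicyConfig {
    $wl  = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WaitsForNetwork   = ($wl.SyncForegroundPolicy -eq 1)
        LogonScriptDelay  = if ($null -eq $sys.EnableLogonScriptDelay) { 'not configured (5 min on client OS)' }
                            elseif ($sys.EnableLogonScriptDelay -eq 0) { 'none' }
                            else { "$($sys.AsyncScriptDelay) min" }
    }
}
Test-ForegroundPolicyConfig
```

Because these are computer-side settings, the client needs one computer policy refresh (or a restart) before the verification function reports the new values; a user signing in before that still gets the old asynchronous behavior.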

Group policy refresh intervals

You can change the refresh interval by configuring a Group Policy setting
  • For computer settings, the refresh interval setting, Set Group Policy refresh interval for computers, is found in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node.
  • For user settings, the refresh interval, Set Group Policy refresh interval for users, is found at the corresponding settings under User Configuration.
  • While you can change the refresh interval for most settings, an exception is the security settings. During a background refresh a client normally re-applies only GPOs whose version number changed since the last refresh, so a setting that was altered locally stays altered until its GPO is edited. The Security Settings extension behaves differently: it re-applies its settings at least every 16 hours, regardless of the interval you set and regardless of whether any GPO changed, so a locally tampered security setting (a changed user rights assignment or a loosened audit policy, for example) is reverted within that window. You can extend the same behaviour to other extensions with the per-extension Process even if the Group Policy objects have not changed option under Computer Configuration\Policies\Administrative Templates\System\Group Policy.
You also can refresh the Group Policy manually
Most administrators use gpupdate /force to refresh and deliver any new Group Policy configuration. Without /force, gpupdate re-applies only GPOs that changed since the last refresh; /force re-applies every setting, which is what you want after an out-of-band change on the client. The Windows PowerShell Invoke-GPUpdate cmdlet, in the GroupPolicy module that ships with the GPMC and RSAT, performs the same function and, unlike gpupdate, can target a remote computer, where it schedules the refresh as a task.

Remote Policy Refresh, introduced in Windows Server 2012 and Windows 8, lets administrators use the GPMC to target an OU and force a Group Policy refresh on every computer in it (and in its child OUs) and on the users currently signed in to them. To use it, right-click the OU and then click Group Policy Update. Each computer starts its refresh after a random delay of up to 10 minutes, so the whole OU is updated within about 10 minutes. The request is delivered over RPC and WMI to the Task Scheduler service on each target, so the targets must allow that inbound traffic; the GPMC ships a starter GPO, Group Policy Remote Update Firewall Ports, that opens the required Windows Firewall rules. Computers that are offline or still blocking those ports silently miss the refresh, so check the results pane in the GPMC rather than assuming the whole OU was updated.
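The refresh-interval setting, the "process even if unchanged" option for the security extension, the local gpupdate, and the remote refresh across an OU can all be driven from PowerShell; the block below does each in turn and records which computers did not accept the remote refresh. It is an added example, not code from the original post. The GPO and OU names are assumptions, and the registry value names (GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, NoGPOListChanges) and the Security extension GUID are taken from GroupPolicy.admx; verify them on your build.

```powershell
# Added example: configure the refresh interval, check what a client actually uses,
# refresh locally, then refresh every computer in an OU and report failures.
# GPO/OU names and registry value names are assumptions (see lead-in).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = "WS-Baseline-Security"
$wsOU    = "OU=Workstations," + (Get-ADDomain).DistinguishedName

# 1. "Set Group Policy refresh interval for computers": every 60 minutes plus a 0-15 minute offset
#    (Computer Configuration\Policies\Administrative Templates\System\Group Policy).
$gpKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"
Set-GPRegistryValue -Name $gpoName -Key $gpKey -ValueName GroupPolicyRefreshTime       -Type DWord -Value 60 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $gpKey -ValueName GroupPolicyRefreshTimeOffset -Type DWord -Value 15 | Out-Null

# 2. "Configure security policy processing" -> "Process even if the Group Policy objects have not
#    changed": re-apply security settings on every refresh, not just every 16 hours.
#    {827D319E-6EAC-11D2-A4EA-00C04F79F83A} is the Security extension; NoGPOListChanges = 0 means
#    "process even if unchanged" (assumed from GroupPolicy.admx; verify on your build).
$secCseKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
Set-GPRegistryValue -Name $gpoName -Key $secCseKey -ValueName NoGPOListChanges -Type DWord -Value 0 | Out-Null

# 3. On a client: which interval is in force? Absent values mean the 90 + 0..30 minute defaults.
function Get-EffectiveRefreshInterval {
    $p = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" -ErrorAction SilentlyContinue
    $base   = if ($null -ne $p.GroupPolicyRefreshTime)       { [int]$p.GroupPolicyRefreshTime }       else { 90 }
    $offset = if ($null -ne $p.GroupPolicyRefreshTimeOffset) { [int]$p.GroupPolicyRefreshTimeOffset } else { 30 }
    [pscustomobject]@{
        MinMinutes = $base
        MaxMinutes = $base + $offset
        FromPolicy = ($null -ne $p.GroupPolicyRefreshTime)
    }
}
Get-EffectiveRefreshInterval

# 4. Manual refresh on this machine; without /force only changed GPOs would be re-applied.
gpupdate.exe /target:computer /force

# 5. Remote refresh of every computer in the OU (what GPMC's "Group Policy Update" does):
#    Invoke-GPUpdate schedules gpupdate as a task on each target, so the targets need the
#    RPC/WMI/Task Scheduler firewall rules from the "Group Policy Remote Update Firewall Ports"
#    starter GPO. RandomDelayInMinutes 0 runs it immediately instead of within 10 minutes.
$targets = Get-ADComputer -Filter * -SearchBase $wsOU -SearchScope Subtree |
    Select-Object -ExpandProperty Name
$results = foreach ($computer in $targets) {
    try {
        Invoke-GPUpdate -Computer $computer -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer; Scheduled = $true;  Error = $null }
    }
    catch {
        [pscustomobject]@{ Computer = $computer; Scheduled = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Scheduled }   # offline or firewall-blocked: these missed the refresh
```

The list at the end is the practical output: a computer that could not be reached for the remote refresh is also a computer that will keep running whatever policy it last applied until its own background interval comes around, so it is worth chasing those names rather than assuming the OU is consistent.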
