SUMMARY

This article describes how to optimize and configure Group Policy to increase logon performance.

When you start a Windows 2000-based computer that is a member of a domain, group policy settings from the "Computer Settings" section of linked Group Policy objects (GPOs) are processed and applied to the computer. Additionally, when you log on to the domain, all group policy settings from the "User Configuration" sections of each linked GPO are processed and applied. Because Windows takes time to apply each policy setting, policy settings may slow the logon process, which can result in a delay from the time that you start the computer to the time that you are able to use the computer. This article describes methods that you can use to minimize this delay.

back to the top

How to Reduce the Number of Processed GPOs

Windows 2000 startup and logon times are directly proportional to the number of GPOs that must be processed. GPOs that are linked to either a site, a domain, or an organizational unit are processed by all computers and users in either those sites, domains, or organizational units. To reduce processing time for these group policy settings, use any of the following methods:

• Use organizational units.
• Combine group policy settings.
• Filter Group Policy based on security group membership.
• Disable portions of group policy settings.

back to the top

How to Use Organizational Units

Use organizational units to distribute group policy settings in a more granular form. When you link GPOs to organizational units, you can minimize the processing of unnecessary GPOs. To create a GPO for an organizational unit, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Click to expand the domain, right-click the organizational unit that you want to configure, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type a descriptive name for the GPO in the New Group Policy Object box, and then press ENTER.
5. Click Properties, and then click the Security tab.
6. Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply this policy setting, click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy setting, and then click OK.
7. Click Edit, and then configure the policy setting that you want to use.
8. When you are finished configuring the policy setting, quit the Group Policy snap-in, and then click Close.
9. Quit the Active Directory Users and Computers snap-in.

back to the top

How to Combine Group Policy Settings

It takes longer for Windows to process many small GPOs than it does to process a few large GPOs. To reduce the time that it takes to log on to the domain, combine the settings of several GPOs to create a single large policy setting.

back to the top

How to Filter Group Policy Based on Security Group Membership

Windows processes all linked group policy settings to determine the effective policy setting to apply either to the computer or to the user account that is logging on to the domain. If a GPO is not relevant to a particular user or group, you can edit security permissions so that GPOs that you select are not processed:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Do one of the following steps:
   • If you want to edit the security settings of a GPO that is linked to the domain, right-click the domain, and then click Properties.
   • If you want to edit the security settings of a GPO that is linked to an organizational unit, click to expand the domain, right-click the organizational unit, and then click Properties.
3. Click the Group Policy tab, click the GPO that you want configure, and then click Properties.
4. Click the Security tab.
5. Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply the policy setting, and then click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy setting.
   
   NOTE: To restrict the application of a GPO based on security group membership, you must remove both the Authenticated Users group and the Everyone group from the Name list if they are present. If loopback processing has been enabled, click the following article number to view the article in the Microsoft Knowledge Base and read about additional instructions. Find the sentence that begins "The machine account of the terminal server."

   260370 How to Apply Group Policy Objects to Terminal Services Servers

6. Click OK, and then click OK.
7. Quit the Active Directory Users and Computers snap-in.

back to the top

How to Disable the Unused Section of Group Policy Settings

GPOs contain a "Computer Configuration" section and a "User Configuration" section. If the policy setting that you want to apply contains configuration changes in only one section of the GPO, you can configure the GPO so that the unused sections are not processed. When you do so, you can reduce the time that it takes Windows to process the GPO.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Do one of the following steps:
   • If you want to edit the security settings of a GPO that is linked to the domain, right-click the domain, and then click Properties.
   • If you want to edit the security settings of a GPO that is linked to an organizational unit, click to expand the domain, right-click the organizational unit, and then click Properties.
3. Click the Group Policy tab, click the GPO that you want to configure, and then click Properties.
4. Do one or both of the following steps:
   • Click to select the Disable Computer Configuration settings check box, and then click Yes when you receive the "Confirm Disable" message.
   • Click to select the Disable User Configuration settings check box, and then click Yes when you receive the "Confirm Disable" message.
5. Click OK, click Apply, and then click OK.
6. Quit the Active Directory Users and Computers snap-in.

back to the top

How to Configure Group Policy Settings to Run Asynchronously

When you start Windows, policy settings from the Computer Configuration section of each GPO are processed synchronously in the following order:

1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. Organizational unit policy settings

When the computer configuration policy settings are processed, you are prompted to log on to the domain. When you log on to the domain, the policy settings from the User Configuration section of each GPO are processed synchronously in the following order:

1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. Organizational unit policy settings

To decrease the time it takes to log on, configure asynchronous processing of group policy settings. When you do so, policy settings are downloaded and processed out of order, and you are able log on to the domain before all of the policy settings are applied. To configure asynchronous processing of group policy settings:

1. Create a GPO that you can use to enable asynchronous group policy processing in a domain.
2. Configure asynchronous GPO processing.

The following sections describe how to complete this procedure.

back to the top

How to Create a GPO for Asynchronous Processing

To create a GPO that you can use to enable asynchronous group policy processing in a domain:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type a name for this policy setting (for example, Enable Asynchronous GPO Processing), and then press ENTER.
5. Click Properties, and then click the Security tab.
6. Click to clear the Apply Group Policy check box in the Allow column for the security groups to which you do not want to apply this policy setting, click to select the Apply Group Policy check box in the Allow column for the groups to which you want to apply this policy setting, and then click OK.

back to the top

How to Configure Asynchronous GPO Processing

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the GPO that you want to configure, and then click Edit.
4. Under Computer Configuration, click to expand Administrative Templates, click to expand System, and then click Group Policy.
5. In the Policy pane, double-click Apply Group Policy for computers asynchronously during startup.
6. Click Enabled if you want to enable asynchronous processing of computer policy settings when Windows starts.
7. Click Apply, and then click OK.
8. Double-click Apply Group Policy for users asynchronously during logon.
9. Click Enabled if you want to enable asynchronous processing of policy settings when a user logs on to the domain.
   

NOTE: You may receive undesired results when you enable this setting. If you apply policy settings that have conflicting user configuration settings, a user may experience these changes after they log on to the domain. For example, the logged-on user may experience changes on the desktop or Start menu when each policy setting is processed.

1. Click Apply, and then click OK.
2. Quit the Group Policy snap-in, and then click Close.

back to the top