GPO's are applied like this: Machine boots
* local registry made available to the system fairly early on (parts are available (HKLM\System) or created (HKLM\Hardware) in the DOS-mode portion of the boot process) All the devices and services start, GUI fires up, and soon (on Win2k) you'll see a dialog saying "Applying computer settings". WinXP* doesn't display the dialog - it skips straight to allowing the user to log on. By the time the user has logged on, the following four steps will have been applied: * all local computer and user GPOs applied * Site computer GPOs applied * Domain computer GPOs applied * OU computer GPOs applied User can log in (ie GINA logon dialog or FUS is available) * Site user GPOs applied * Domain user GPOs applied * OU user GPOs applied If a registry setting is overwritten by multiple writers, the last setting applied wins. For example, you apply a group policy object in the default domain policy, and have a further GPO down in a "Training OU" which sets the "no shared" registry key, the no shared setting wins... unless the "No Override" bit is set on the Default Domain Policy, even if the "Block inheritance" flag is set on the Training OU's GPO. If a machine is moved from one OU to another, the GPO for the new OU applies. If a user belongs to a different OU, then that OU's user GPO's are applied before the user can use Explorer. GPO is checked (and refreshed if necessary) about once every 90 minutes +/- 30 minutes random interval. The main thing to remember is that the underlying registry settings stored locally are *not* changed by GPO. The computer is affected by GPO as if it were the resultant set of policy is a union of registry and GPO. If a machine is removed from a domain or has the local GPO removed, the original underlying registry settings remain. Andrew * On WinXP, the user is allowed to log on as quickly as possible - XP boots in about 10 seconds on my Dell PIII/800 and I can generally use the WinXP desktop in about 15 seconds after the machine has been turned on. GPO are applied asynchronously (and as necessary). It usually happens fairly quickly, and as XP has a completely new registry database engine, which is a great deal faster and robust than Win2k's (or 98's or ME's), the GPO seems to have been applied by the user, even though it is happening in the background. Very snazzy and fast. http://www.microsoft.com/hwdev/driver/XP_kernel.asp#Registry -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Angelopoulos Sent: Saturday, 9 March 2002 2:44 AM To: [EMAIL PROTECTED] Subject: Re: Complete NT4-level WinVNC policy template now available Daniel's is structurally identical (albeit longer - much longer). I don't recall all the ins and outs of how the ADM files work across platforms, but I had been under the impression that the key difference was the method of deployment - the GPO settings are "remembered" as changes, so it is possible to back them out. --------------------------------------------------------------------- To unsubscribe, mail [EMAIL PROTECTED] with the line: 'unsubscribe vnc-list' in the message BODY See also: http://www.uk.research.att.com/vnc/intouch.html ---------------------------------------------------------------------
