Group Policy over Slow Links

The availability of network bandwidth can affect how Group Policy settings are applied. By default, some policies are not processed across a slow network connection. If the network link speed between a client and the authenticating domain controller falls below the default slow link threshold of 500 kilobits per second (Kbps), only the administrative template (registry-based) settings and security settings are applied. When the available bandwidth between the client and the domain controller falls below this preset threshold, the client is said to be on a slow link.

If necessary, you can modify the default slow link behavior by using a policy setting that appears under both Computer Configuration and User Configuration in a GPO. You can also adjust the Group Policy extensions that are processed below the slow link threshold. However, depending on your situation, it might be more appropriate to place a local domain controller at a remote location to serve your management requirements.

It is important to have sufficient network bandwidth available between servers and workstations when you deploy roaming user profiles, Offline Files, and Folder Redirection. It is also recommended that the servers to which workstations connect for this data be on a fast network link. Check your network configuration for ways to minimize network routing hops when accessing frequently needed data. Keeping the needed data and the user on the same subnet improves performance.

Default Policy Application over Slow Links

When you want Group Policy to be applied but the network is congested, when you are connecting over slow links, or when you are using remote access to connect to your network, you might be apprehensive about which portions of the Group Policy to apply because applying many potentially large policies can hurt performance. The behavior of Group Policy application over these slow links is straightforward.

What does Group Policy consider to be a slow link by default? Microsoft has established that a slow link is less than 500 Kbps. Therefore, if you are connecting over your LAN and network congestion slows down your communication with the domain controllers to below 500 Kbps, Group Policy considers this connection to be slow.

In this example, you might not want to have Group Policy consider your connection to be slow. However, in other situations you will want the connection to be considered slow to allow control over which policies are processed. For example, you might want a connection from a branch office that connects over a slow frame-relay link to be considered slow so that you can control whether Microsoft Office will be installed over this small connection. Other situations in which slow link speeds might be a factor include:

  • Virtual Private Network (VPN) connections

  • Dial-up connections

  • Branch offices

  • Remote Terminal Services connections

  • Wireless connections

Policies That Apply over Slow Links

Let’s look at which settings apply over slow links by default. Even if a link is slow, you still want some settings to apply to ensure a secure and functional environment.

Microsoft has thus configured two sections of Group Policy to apply over any link speed: Security and Administrative Templates. Other sections are enabled to apply over slow links but can be turned off. Table 12-2 shows all the GPO sections and their behaviors during slow link application.

Table 12-2. Default Settings for Processing Group Policy over Slow Links

Setting                          Default
-------------------------------  -------------------------
Security Settings                ON (cannot be turned off)
IP Security                      ON
EFS                              ON
Software Restriction Policies    ON
Wireless                         ON
Administrative Templates         ON (cannot be turned off)
Software Installation            OFF
Scripts                          OFF
Folder Redirection               OFF
IE Maintenance                   ON

Slow Link Behavior for RAS Connections

A user has two ways to log on to her computer when she plans to use RAS to connect to Active Directory during her session. The choice affects how GPOs are applied for remote access users.

The first option is to select the Logon Using Dial-Up Connection check box, which in essence tells the computer to communicate directly to the RAS server to authenticate the user, bypassing local authentication. This option allows the GPOs (Security Settings and Administrative Templates) to be applied at logon. However, computer-based software installation settings are not processed, nor are computer-based startup scripts executed, because computer policy is normally processed before the logon screen appears.

The second option is to log on locally or with cached credentials. With this option, the domain-based GPOs are not applied, except for what is in the cached profile. When the user connects to the RAS server, she is authenticated to the domain and has access to the remote network resources. However, the GPOs are not applied immediately in this situation—only at the GPO refresh interval.

Slow Link Detection Group Policy Settings

You can configure numerous settings to control how GPO settings react when they are applied over slow links. Not all of the settings are in one location, so it can be confusing to figure out what the settings do, where they are located, and how they are all related.

The following slow link settings are at the core of the slow link detection and Group Policy implementation. You typically begin with these settings as you start to alter the default behavior of how GPOs apply over slow links.

Group Policy Slow Link Detection

The Group Policy Slow Link Detection setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. The default value for this setting is 500 Kbps, which is also what the computer will use if this policy is disabled.

To access this GPO setting, follow this path:

Computer Configuration\Administrative Templates\System\Group Policy\Group Policy slow link detection

When this setting is enabled, as shown in Figure 12-11, you must enter a decimal number between 0 and 4,294,967,200 in the Connection Speed box. The units for this entry are kilobits per second.

Figure 12-11. Defining a slow link for the application of GPOs over slow network connections

Note

The User Configuration node in a GPO also has a Group Policy Slow Link Detection setting.

Slow Network Connection Timeout for User Profiles

The Slow Network Connection Timeout for User Profiles setting controls how a slow connection is defined for application of roaming user profiles. If the server on which the user’s roaming profile resides takes longer to respond than the thresholds set by this setting, the system considers the connection to the profile to be slow.

To access this GPO setting, follow this path:

Computer Configuration\Administrative Templates\System\User Profiles\Slow network connection timeout for user profiles

When this GPO setting is enabled, as shown in Figure 12-12, you must enter a decimal number between 0 and 4,294,967,200 in the Connection Speed box. The units for this entry are kilobits per second. For non-IP computers, the system measures the responsiveness of the remote server’s file system. To set a threshold for this test, in the Time box type a decimal number between 0 and 20,000. The units for this entry are milliseconds.

Figure 12-12. Specifying the definition of a slow link

Do Not Detect Slow Network Connections

The Do Not Detect Slow Network Connections setting controls whether user profiles are controlled by the speed of the link. Slow link detection measures the speed of the connection between a user’s computer and the remote server that stores the roaming user profile. When the system detects a slow link, the related settings in this folder tell the system how to respond. When this policy is enabled, the roaming user profile ignores any slow link connection policy settings.

To access this GPO setting, follow this path:

Computer Configuration\Administrative Templates\System\User Profiles\Do not detect slow network connections

Note

If the Do Not Detect Slow Network Connections setting is enabled, the Slow Network Connection Timeout For User Profiles setting is ignored.

Prompt User When Slow Link Is Detected

The Prompt User When Slow Link Is Detected setting allows the user to be notified when his roaming profile is slow to load. This gives the user the ability to decide whether to use the local cached copy of his profile or to wait for the roaming user profile.

To access this GPO setting, follow this path:

Computer Configuration\Administrative Templates\System\User Profiles\Prompt user when slow link is detected

Note

If the Do Not Detect Slow Network Connections setting is enabled, the Prompt User When Slow Link Is Detected setting is ignored.

More Info

For more information on user profiles, see Chapter 7.

Configure Slow Link Speed

When a user uses offline files, it can take a long time to synch the files—with a slow link, it might take hours. When a user is connected over a slow link, you might want to use the Configure Slow Link Speed setting and other settings that control Offline Files behavior.

The Configure Slow Link Speed setting configures the threshold value at which offline files considers a network connection to be slow. If the connection is considered to be slow, the offline files feature adjusts itself to avoid excessive synchronization traffic.

To access this GPO setting, follow this path:

Computer Configuration\Administrative Templates\Network\Offline Files\Configure Slow link speed

When this setting is enabled, as shown in Figure 12-13, you must enter a value in the Value box that defines what offline files will consider to be a slow link. The units for this entry are bits per second divided by 100.

Figure 12-13. Specifying the definition of a slow link for the synchronization of offline files

Additional Slow Link Detection Settings for Client-Side Extensions

Each section of a GPO is controlled by a client-side extension (CSE). Security, administrative templates, and folder redirection are examples of these sections. Most of these CSEs can be controlled when a slow link is detected, to make the connection faster and to reduce the settings that are applied over the slow network connection.

The CSEs that can be controlled when a slow link is detected include:

  • Internet Explorer Maintenance policy

  • Software Installation policy

  • Folder Redirection policy

  • Scripts policy

  • Security policy

  • IP Security policy

  • EFS recovery policy

  • Wireless policy

  • Disk Quota policy

These settings are all in the same location in the GPO and are named accordingly. For example, the policy setting for the Scripts CSE is named Scripts Policy Processing. You can find them at the following path in a GPO:

Computer Configuration\Administrative Templates\System\Group Policy

Once you access the policy you want to control, you will find a specific setting that controls slow network connections, as shown in Figure 12-14. The Allow Processing Across A Slow Network Connection setting controls whether the client-side extension is applied when a slow network connection is detected.

Figure 12-14. The Allow Processing Across A Slow Network Connection setting

The setting specifies whether the client-side extension adheres to slow links. When this setting is enabled for the client-side extension, the policy settings related to this portion of the GPO will apply over a slow link. This is the opposite of the default behavior, which is to not apply policy settings over slow links (except for the few client-side extensions that apply by default over slow links, which were described earlier in this chapter).
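The defaults in Table 12-2, combined with the per-extension Allow Processing Across A Slow Network Connection override, determine which policy sections a remote client actually receives, and it is worth checking that security-relevant sections have not been switched off for slow links. The following Python is an added example, not code from the book or from Microsoft. The function names and the SECURITY_RELEVANT grouping are assumptions made for illustration, and the treatment of a threshold of 0 as "all links are fast" comes from the setting's own help text rather than from this chapter.

```python
DEFAULT_THRESHOLD_KBPS = 500  # value used when the policy is disabled

# Table 12-2 as data: name -> (processed over a slow link, can be changed).
# Disk Quota is listed as controllable but has no row in the table, so it is omitted.
CSE_DEFAULTS = {
    "Security Settings":             (True,  False),
    "IP Security":                   (True,  True),
    "EFS":                           (True,  True),
    "Software Restriction Policies": (True,  True),
    "Wireless":                      (True,  True),
    "Administrative Templates":      (True,  False),
    "Software Installation":         (False, True),
    "Scripts":                       (False, True),
    "Folder Redirection":            (False, True),
    "IE Maintenance":                (True,  True),
}

# Assumption for this example: sections that matter to a client's security posture.
SECURITY_RELEVANT = {"Security Settings", "IP Security", "EFS",
                     "Software Restriction Policies", "Wireless"}

def is_slow_link(measured_kbps, threshold_kbps=None):
    """True when the measured rate is below the slow-link threshold (Kbps)."""
    if threshold_kbps is None:  # policy disabled or not configured
        threshold_kbps = DEFAULT_THRESHOLD_KBPS
    if not 0 <= threshold_kbps <= 4_294_967_200:
        raise ValueError("threshold outside the range the setting accepts")
    # Per the setting's help text, 0 means every link is treated as fast.
    return threshold_kbps != 0 and measured_kbps < threshold_kbps

def effective_processing(measured_kbps, threshold_kbps=None, overrides=None):
    """Map each section to True/False: is it processed for this client?"""
    overrides = overrides or {}
    unknown = set(overrides) - set(CSE_DEFAULTS)
    if unknown:
        raise KeyError(f"unknown section(s): {sorted(unknown)}")
    slow = is_slow_link(measured_kbps, threshold_kbps)
    result = {}
    for name, (default_on, changeable) in CSE_DEFAULTS.items():
        # Locked sections ignore overrides; a fast link processes everything.
        wanted = overrides.get(name, default_on) if changeable else default_on
        result[name] = bool(wanted) or not slow
    return result

def skipped_security_sections(measured_kbps, threshold_kbps=None, overrides=None):
    """Security-relevant sections this client would not process."""
    state = effective_processing(measured_kbps, threshold_kbps, overrides)
    return sorted(n for n in SECURITY_RELEVANT if not state[n])
```
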

More Info

For more information on client-side extensions and applying GPOs, see Chapter 13.
