As an admin, you’ll want to centrally manage the devices of your organizations. This reduces urgent helpdesk incidents and gains trust from your colleagues. On the other hand, much of the security you put in, slows down their devices. Anti-malware has been accepted as a necessary evil by most of your colleagues, but long logon times, usually, are not (unless there’s a really good coffee machine in the office).
Windows 8.1 introduces a new feature, named Group Policy Caching. This feature keeps a cached copy of the policies and preferences in the following folder on the local device:
The device will update this cache with changes it sees through Group Policy background refresh, while the device is running. It applies them, when there are no change to the policies or preferences, there is a connection to a Domain Controller, and:
- During a Group Policy background refresh changes were detected in policies or preferences;
- The PC starts;
- A user logs on.
Since the device does not need to collect the policies and preferences from the Domain Controller, this speeds up the computer startup and user logon experiences, especially in environments with reduced bandwidth to Domain Controllers.
However, Group Policy Caching does not apply, when:
- The Always wait for the network at computer startup and user logon group policy setting is enabled
- Preferences and/or policies have been changed;
- The device or the user account has been relocated in Active Directory (and thus might have a different set of preferences and policies applied to them);
- There’s no connection to a Domain Controller;
- gpupdate.exe is run.
The challenge, however, is that when a policy or preference was changed since the last Group Policy background refresh, these changes will not apply.
Managing Group Policy caching
The Group Policy Caching feature is enabled by default in Windows 8.1. However, you can disable the Group Policy Caching feature through Group Policy.
Open the Group Policy Editor (by typing gpedit.msc in the Start Screen) and in the left pane, navigate to Computer Configuration, Administrative Templates, System and Group Policy. Now, double-click the Configure Group Policy Caching setting in the main pane.
Group Policy Caching is disabled by default on Windows Server 2012 R2-based member servers. You can enable it through the Enable Group Policy Caching for Servers group policy setting, located just below the Configure Group Policy Caching group policy setting.
By default, the Configure Group Policy Caching group policy setting is Not Configured. The feature will be enabled and using the default values for slow link detection (500ms) and time-out for communicating with a Domain Controller (5000ms) to determine whether it is on the network, when:
- The Turn off background refresh of Group Policy policy setting is Not Configured or Disabled.
- The Configure Group Policy slow link detection policy setting is Not Configured, or, when Enabled, contains a value for Connection speed (Kbps) that is not outlandish (500 is the default value).
- The Set Group Policy refresh interval for computers is Not Configured or, when Enabled, contains values for Minutes that are not outlandish (90 and 30 at the default values).
These Group Policy settings can all be found in the same Group Policy node of the Computer Configuration part of the Group Policy Object.
The values for Slow link value: and Timeout value: determine the following behavior of the Group Policy Engine:
- The value for Slow link value: determines the period of time, after which the Group Policy Engine will selectively process group policy settings to preserve bandwidth;the security policies will be cached at a later point in time, and Folder Redirection and Software Installation polices are not applied. The default value is 500ms.
You can change this behavior through the Change Group Policy processing to run asynchronously when a slow network connection is detected. group policy setting.
- The value for Timeout value: determines whether Group Policy gets applied or not. After the timeout has expired (default after 5000ms) and a Domain Controller could not be contacted, Group Policy will not be processed, although cached.
When you configure the Configure Group Policy Caching group policy setting as Disabled, you turn off the Group Policy Caching feature.
Monitoring Group Policy Caching
When you want to know, whether Group Policy Caching is actually doing anything in your networking infrastructure, look for events with the following EventIDs in the Operational Group Policy event log ():
This log can be found in Eventvwr.exe under Applications and
Service Logs, Microsoft, Windows, Group Policy, Operational
- EventID 5216
These informational events will show you that the computer has succesfully saved a cached copy of the policies and preferences to its local datastore
- EventID 5217
These informational events will make your colleagues happy, because their logon experienced has been successfully improved by the Group Policy Cache.
Sometomes, caching isn’t useful .
Understanding Group Policy Caching in Windows 8.1
Group Policy caching in Windows 8.1
Speed Up Windows 8.1 Logon With Group Policy Caching
Group Policy Caching in Windows 8.1
What’s New in Group Policy in Windows Server 2012 R2