Determining if group policy needs to run synchronously

Solution 1:

My take is "Group policy needs to be run synchronously".

Seriously.

The default in Windows 2000 was to run all Group Policy (computer and user) synchronously. Microsoft had materials in their "Official Curriculum" back then that even describe asynchronous policy application as potentially unreliable.

You can change this default behavior by using a policy setting for each so that processing is asynchronous. This is not recommended unless there are compelling performance reasons. To provide the most reliable operation, leave the processing as synchronous.

When asynchronous computer policy application became the default in Windows XP I found that it was unreliable and non-deterministic. From that point on I've been forcing policy application to be synchronous and I've been happy with the results.

I'd like logons to be faster, but at the same time I need things to be reliable. Reliability trumps speed to me.

Solution 2:

Found a solution to this issue, without needing to go with a full-blown synchronous run. Gotta love procmon.

The registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{guid}\ForceRefreshFG are set to 1 whenever a GPP item needs a synchronous run for the currently logged-on user. With a little bit of scripting wizardry we at least have another option.
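
One way to read the flag described in Solution 2, as an added example (not the poster's script). The function name Get-ForceRefreshFGExtension is hypothetical, and the script assumes it runs in the session of the user being checked, since the keys are under HKCU. It only reads the registry and leaves the follow-up action to the caller.

```powershell
# Added example: list the Group Policy extensions that are flagged as needing
# a synchronous run for the current user. Read-only; nothing is modified.
# The key path and value name are the ones quoted in the answer above.
$GpExtStatusRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions'

function Get-ForceRefreshFGExtension {
    [CmdletBinding()]
    param(
        [string]$Path = $GpExtStatusRoot
    )

    # A profile that has never processed policy may not have the key at all.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "No GPExtensions status key at $Path"
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        # GetValue returns $null when the value is absent instead of throwing.
        $flag = $key.GetValue('ForceRefreshFG', $null)
        if ($null -eq $flag) { continue }

        [pscustomobject]@{
            ExtensionGuid  = $key.PSChildName      # the {guid} subkey name
            ForceRefreshFG = [int]$flag
            NeedsSyncRun   = ([int]$flag -eq 1)
        }
    }
}

# Report every extension that carries the value, flagged ones first.
$status  = @(Get-ForceRefreshFGExtension)
$flagged = @($status | Where-Object { $_.NeedsSyncRun })

if ($flagged.Count -gt 0) {
    Write-Output "$($flagged.Count) extension(s) are requesting a synchronous run:"
} else {
    Write-Output 'No extension is requesting a synchronous run.'
}
$status | Sort-Object NeedsSyncRun -Descending | Format-Table -AutoSize
```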