Tag: Computer Configuration
Set SYSVOL share compatibility
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. When this setting is disabled or not configured, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested. Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the SYSVOL share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Specify site name
This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the site name for this setting, click Enabled and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
Set scavenge interval
This policy setting determines the interval at which Netlogon performs the following scavenging operations:
- Checks if a password on a secure channel needs to be modified and modifies it if necessary.
- On the domain controllers (DC) discovers a DC that has not been discovered.
- On the PDC attempts to add the
Specify positive periodic DC Cache refresh for non-background callers
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. This policy setting is relevant only to those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
Set Netlogon share compatibility
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested. Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
Specify negative DC Discovery cache setting
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails without attempting to find the DC. The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
Specify maximum log file size
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached, the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
Specify expected dial-up delay on logon
This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled and then enter the desired value in seconds (for example, the value “60” is 1 minute). If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
Specify log file debug output level
This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. If you specify zero for this policy setting, the default behavior occurs as described above. If you disable this policy setting or do not configure it, the default behavior occurs as described above.
Use positive periodic DC cache refresh for background callers
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).