Category: At least Windows Server 2003 operating systems or Windows XP Professional
Link to Web Address
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
ActiveX Control
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
Extended View (Web View)
Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
- If “Restrict users to the explicitly permitted list of snap-ins” is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
Always wait for the network at computer startup and logon
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup, and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup).
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon:
• The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
• The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration -> Policies -> Administrative templates -> System -> Group Policy -> .
If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). If you disable or do not configure this policy setting, and users log on to a client computer or a server running Windows Server 2008 or later that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
Notes:
- If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
- If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
Always use classic logon
This policy setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain. If you enable this policy setting, the classic logon screen is presented to the user at logon, rather than the simple logon screen. If you disable or do not configure this policy setting, computers in a workgroup will present the simple logon screen to the user at logon.
Set maximum Kerberos SSPI context token buffer size
This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value or the locally allowed maximum value, whichever is smaller. If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Lsa -> Kerberos -> Parameters, which was added in Windows XP and Windows Server 2003 with a default value of 12000 bytes. Beginning with Windows 8, the default is 48000 bytes. Due to HTTP’s base64 encoding of authentication context tokens, it is not advised to set this value higher than 48000 bytes.
Turn off Windows Error Reporting
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding, and is used to improve the quality of the product. If you enable this policy setting, users are not given the option to report errors. If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. This policy setting overrides any user setting made from the Control Panel for error reporting. Also see the “Configure Error Reporting”, “Display Error Notification”, and “Disable Windows Error Reporting” policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting.
Restrict these programs from being launched from Help
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. If you disable or do not configure this policy setting, users can run all applications from online Help. Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration -> Security Settings. Note: This policy setting is available under Computer Configuration and User Configuration. If both settings are used, any programs listed in either of these locations cannot be launched from Help.
Restrict these programs from being launched from Help
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. If you disable or do not configure this policy setting, users can run all applications from online Help. Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration -> Security Settings. Note: This policy setting is available under Computer Configuration and User Configuration. If both settings are used, any programs listed in either of these locations cannot be launched from Help.
Turn off Resultant Set of Policy logging
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPOs) were applied, where they came from, and the client-side extension settings that were included. If you enable this setting, RSoP logging is turned off. If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. Note: To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC).