Category: At least Windows Server 2003 operating systems or Windows XP Professional

This policy setting allows you to control a user’s ability to invoke a computer policy refresh. If you enable this policy setting users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. If you disable or do not configure this policy setting the default behavior applies. By default computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time no matter how this policy setting is configured. Also see the “Set Group Policy refresh interval for computers” policy setting to change the policy refresh interval. Note: If you make changes to this policy setting you must restart your computer for it to take effect.

This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this policy setting interactive users cannot generate RSoP data. If you disable or do not configure this policy setting interactive users can generate RSoP. Note: This policy setting does not affect administrators. If you enable or disable this policy setting by default administrators can view RSoP data. Note: To view RSoP data on a client computer use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP. mscNote: This policy setting exists as both a User Configuration and Computer Configuration setting. Also see the “Turn off Resultant set of Policy logging” policy setting in Computer Configuration -> Administrative Templates -> System -> GroupPolicy.

Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones for example: “com. “By default a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. If you enable this policy setting computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update except the root zone. If you disable this policy setting or if you do not configure this policy setting computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.

Specifies the security level for dynamic DNS updates. To use this policy setting click Enabled and then select one of the following values:Unsecure followed by secure – computers send secure dynamic updates only when nonsecure dynamic updates are refused. Only unsecure – computers send only nonsecure dynamic updates. Only secure – computers send only secure dynamic updates. If you enable this policy setting computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. If you disable this policy setting or if you do not configure this policy setting computers will use local settings. By default DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused clients try to use secure update.

Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots. The name “example” is a single-label name. This is different from a fully qualified domain name such as “example. microsoft. com. “Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example a DNS query for the single-label name “example” will be modified to “example. microsoft. com” before sending the query to a DNS server if this policy setting is enabled with a suffix of “microsoft. com. “To use this policy setting click Enabled and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string such as “microsoft. comserverua. microsoft. comoffice. microsoft. com” to specify multiple suffixes. If you enable this policy setting one DNS suffix is attached at a time for each query. If a query is unsuccessful a new DNS suffix is added in place of the failed suffix and this new query is submitted. The values are used in the order they appear in the string starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. If you disable this policy setting or if you do not configure this policy setting the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.

Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL click Enabled and then enter a value in seconds (for example 900 is 15 minutes). If you enable this policy setting the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. If you disable this policy setting or if you do not configure this policy setting computers will use the TTL settings specified in DNS. By default the TTL is 1200 seconds (20 minutes).

Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. Warning: If record scavenging is enabled on the zone the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. To specify the registration refresh interval click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example 1800 seconds is 30 minutes. If you enable this policy setting registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. If you disable this policy setting or if you do not configure this policy setting computers will use the local or DHCP supplied setting. By default client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.

Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this policy setting or you do not configure this policy setting computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection the connection-specific configuration must allow dynamic DNS registration and this policy setting must not be disabled. If you disable this policy setting computers may not use dynamic DNS registration for any of their network connections regardless of the configuration for individual network connections.