Q: Is there any way to influence the interval at which Windows security policies are applied?

Windows security policy settings refresh every 16 hours by default but you can change that interval with a registry hack.

Jan De Clercq

April 11, 2012

1 Min Read
ITPro Today logo in a gray background | ITPro Today

A:Windows security policy settings are regularly re-applied to a Windows machine -- even if the Group Policy Object (GPO) settings haven't been changed.Indeed, security policy settings are an exception to the "Don't process GPO settings if the GPO hasn't changed" rule. By default, security policysettings defined in the Computer ConfigurationWindows SettingsSecurity Settings GPO container are processed every 16 hours, even if the GPO hasn'tchanged. This repetitive processing ensures that if a user makes a change that's against the security policy settings, this change is automaticallyundone.

You can modify the background refresh interval by editing the following registry value: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionWinlogonGPExtensions{827D319E-6EAC-11D2-A4EA-00C04F79F83A}MaxNoGPOListChangesInterval.

The MaxNoGPOListChangesInterval registry value is stored as a hexadecimal number (i.e., number starting with 0x) that represents the number of minutesbetween security policy refreshes. By default, it's value is set to 0x3c0, which is 960 minutes, or 16 hours. By the way, a good tool that's availableon every Windows platform to help you convert decimal to hexadecimal numbers is the Windows Calculator. You need to switch the calculator from Standardto Programmer view, which you can do from the View menu. In Programmer view, you can toggle back and forth between hexadecimal and decimal values byusing the Hex and Dec buttons on the left.

When you set MaxNoGPOListChangesInterval to, for example, 0x1C20, Windows waits 7,200 minutes, or 5 days, to refresh the security policy settings whenthere have been no other GPO changes. If a Windows computer is switched off for longer than the prescribed interval, the security GPO is applied thenext time that the computer is restarted.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like