How to delay security policies from being applied

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q277543
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SUMMARY
This article describes how to delay the security policy from being applied when no changes have been made in the Group Policy object (GPO).
MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
In Windows 2000, Group Policy updates are dynamic and occur at specific intervals. If there have been no changes to Group Policy, the client computer still refreshes the security policy settings at regular intervals for the Group Policy object (GPO).

If no changes are discovered, GPOs are not processed, but security policies are. For security policies, there is a value that sets a maximum limit of how long a client can function without reapplying non-changed GPOs. By default, this setting is every 16 hours plus the randomized offset of up to 30 minutes. Even when GPOs that contain security policy settings do not change, the policy is reapplied every 16 hours and the following event is logged in the Application event log:
Event Type: Information
Event Source: SceCli
Event Category: None
Event ID: 1704
Date: date
Time: time
User: N/A
Computer: computer name
Description: Security policy in the Group policy objects are applied successfully.
To delay the security policy from being applied when no changes have been made in the GPO, you can configure the MaxNoGPOListChangesInterval registry value. This value specifies the maximum number of minutes the extension is to be skipped because the policy has not changed. This value is found in the follow registry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

Value: MaxNoGPOListChangesInterval
Data: Minutes of delay, entered in hexadecimal
By default, this value is set to 0x3c0, (960 minutes or 16 hours). When you set this value to 0x2760, the client waits 7 days to refresh the policy when there have been no changes to the GPO.

Note If a client computer is switched off for longer than the described interval, the security GPO is applied the next time that the computer is restarted. Depending on the GPO processing, as shown in the ACL settings on Files and Registry, the user may experience an unexpected delay during logon.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
203607 How to modify the default group policy refresh interval
227302 Using SECEDIT to force a group policy refresh immediately
Properties

Article ID: 277543 - Last Review: 02/28/2007 21:56:04 - Revision: 4.3

Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

  • kbenv kbhowto KB277543
Feedback