One of the first things you are taught with Group Policy is LSDOU. Knowing that, you might think that all GPOs linked at a site are processed, then the domain, and then any OU/sub-OU. Any settings left would be the resultant set of policy, right? Not quite! If you have a complicated GPO with different items set (applications, preferences, security, etc.), you need to know a second list. Enter the order of operations, also known as the CSE Processing Order.
What is a CSE?
A CSE, or client-side extension, is the workhorse of Group Policy. You might have heard of CSEs before; the most talked about are the Group Policy Preferences (GPP) client-side extensions. Nearly every component in the Group Policy Management Console, such as GPP Files or Software Installation, has a corresponding CSE.
You can see CSEs in action anytime the computer starts or a user logs in. To see the exact CSE (instead of the generic Applying Settings…), you will need to enable Verbose Mode. The CSEs, in Windows terms, are actually DLLs. For example, the CSE that handles scripts is named GPScript.DLL. It can be found in C:\Windows\System32.
How can I find the CSE Processing Order?
Open up regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
You will see a ton of GUIDs that are actually in order by the key name. The very first CSE to process is the GUID {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} or Wireless Group Policy. Looking at that GUID, you can see the name, DLL location, and any changes made to the way this CSE processes (Slow Link, Background Refresh, etc). The next CSE is Group Policy Environmental Variables. It is so early in the list because any variable that you create might need to be used by another CSE (ex: Group Policy Files). By now, you can see that Microsoft has a very practical reason for the CSE order.
A Real Life Example Showing CSE Processing Order
A year or so ago, our department was receiving complaints from users about a particular application not working. This application requires that standard users have full control of a few specific folders. We had a GPO that deployed the software. Within that same GPO, we used the File System Security CSE to give users the required permissions.
When the software was deployed, it would create the specific folders. A user would later log into the machine and the application would fail with the error “Insufficient Access.” The next day, the software would work though. After lots of troubleshooting (and enabling verbose logging for Security policies), we saw an interesting error stating: “Could Not Apply Security: C:\Program Files\TestApp\ClientData” does not exist.” The next day, the security log would show that permissions were set correctly and the ClientData folder did exist.
What gives? Well, Security – {827D319E-6EAC-11D2-A4EA-00C04F79F83A} – applies before software installation – {c6dc5466-785a-11d2-84d0-00c04fb169f7}. When the machine first applied the policy, it gathered up every GPO it needed, sorted them by CSE, and then began processing. It got down to the Security CSE, saw it needed to modify the ClientData folder, and failed. It failed because the software was not yet installed. A few seconds later, the software installation CSE was called. It installed the application (and created the ClientData folder). That is why it is important to know the CSE Processing Order.
Can I Modify the CSE Processing Order?
Absolutely! As Darren pointed out on his blog, simply renaming the GUID so that it is sorted differently alphabetically will change the CSE processing order. Just because you can do this, doesn’t mean that you should.
Quoting Darren, “The downside to changing these GUIDs is that they are considered “well-known” GUIDs”
In other words, changing the GUID will likely break things (and move you away from a supported environment). A better solution is to live by the CSE processing rules. In the example above, security processing would fail because the folder didn’t exist. Group Policy Preferences: Folders can create these folders and is evaluated before the Security CSE. I modified the GPO to create the needed folders. The Security CSE then changed the permissions. Finally, the application installed.
How can I easily see the CSE order?
PowerShell actually makes this very easy! Simply type Get-ChildItem "hklm:\software\microsoft\windows nt\currentversion\winlogon\gpextensions" | Out-GridView
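To check a specific pair of CSEs, such as the Security and Software Installation GUIDs from the real-life example, the listing can be turned into a position lookup. This is an added example, not code from the original post; the function names Get-CseOrder and Test-CseRunsBefore are hypothetical, and it assumes each CSE key stores its friendly name in the default value and its DLL in DllName.

```powershell
# Added example (not from the original post): list CSEs in key-name order,
# as the article describes, and compare the position of two of them.
$gpExtPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-CseOrder {
    # Hypothetical helper: one object per CSE with its position in the sorted list.
    $position = 0
    Get-ChildItem -Path $gpExtPath |
        Sort-Object -Property PSChildName |      # case-insensitive sort on the GUID key name
        ForEach-Object {
            $position++
            [pscustomobject]@{
                Position = $position
                Guid     = $_.PSChildName
                Name     = $_.GetValue('')        # assumption: default value holds the friendly name
                DllName  = $_.GetValue('DllName') # DLL that implements the CSE
            }
        }
}

function Test-CseRunsBefore {
    # Hypothetical helper: $true when -First sorts ahead of -Second.
    param(
        [Parameter(Mandatory)] [string] $First,
        [Parameter(Mandatory)] [string] $Second
    )
    $order = @(Get-CseOrder)
    $a = $order | Where-Object Guid -eq $First    # -eq ignores case, so mixed-case GUIDs match
    $b = $order | Where-Object Guid -eq $Second
    if (-not $a -or -not $b) {
        throw 'One or both CSE GUIDs are not registered on this machine.'
    }
    $a.Position -lt $b.Position
}

# GUIDs quoted in the article's real-life example.
$security        = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$softwareInstall = '{c6dc5466-785a-11d2-84d0-00c04fb169f7}'

Get-CseOrder | Format-Table -AutoSize
Test-CseRunsBefore -First $security -Second $softwareInstall
```

Reviewing the DllName column against a known-good machine is also a quick way to spot a CSE entry that has been renamed or repointed.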