Computer GPO using Security Filtering

  • Thread starter Thread starter Kerry TenHuisen
  • Start date Start date
K

Kerry TenHuisen

I have defined a computer GPO with security filtering and it works fine with
systems (XP and W2K) once they reboot. My issue is this ...
If a W2K computer does not reboot, it does not update it's AD group
membership/security group and therefore GPOs using this filter are not
updated.

Is a computer reboot necessary to update it's acknowledgement of its
membership to an AD Security group (Global)? Are there any tools to force
this without a reboot? Neither SECEDIT, nor WINPOLICIES work. They'll
force the GPO, but not update the Security Group membership (from the
client's perspective).

Any Ideas?

Once the GPO is applied, refreshes and updates seem to work fine.
 
thx, these commands refresh the GPO, but not the associated security group
membership (which is what I need) when I use security filtering on the
computer (not user)

My only solution thus far is to reboot ....

/kerry
 
I'm sorry, I misread your question.

I'd have to assume that the only solution is to reboot... an account checks
its security group memberships at logon. Just like (as far as I know) you
can't update a user's security group memberships while they're logged on
(takes a log off and back on), a computer logs onto the domain when it
starts up. The hilighted difference here between users and computers is, if
the user merely chooses Log Off off instead of Restart or Shutdown, they can
get their account 'revalidated' by logging back on. The machine doesn't log
off 'til it shuts off (either by restart or shutdown).

If I'm wrong, please correct me! But that would explain the behavior you're
experiencing.

Ken
 
That's what I was "afraid of". I'll plan on a reboot of the workstations
for deployment of this GPO (machine_policy), using security filtering.

/kerry
 
For Software deployment to machines, a reboot is required... so you can kill
2 birds with one stone--the update of security group membership and the
software deployment.
 
Back
Top