Group Policy and Machine Groups

Duane Haas

Quick question, I have a GPO policy created that I have applied to a
security group. The security group consists of several machines,
what's the deal behind why I can't get the policy to update unless I
reboot the machine? The policy is a machine policy, and basically
just applies a security template. But no matter what I do as far as
running secedit /refreshpolicy machine_policy /enforce, it still won't
pick up on the fact that the machine is now part of this security
group I created. Once I reboot and re-run it, it shows that it's part
of the group.
 
Joining a computer to a security group is much the same as joining a user to
a security group.
If they are both logged on prior to adding them to the group, their access
tokens will not contain the SID for the new group.
You must re-authenticate with AD to get an updated token that has the new
group SID.
Simply put, the workstation does not know it is a member of the new group
until you reboot it.

Hope that helps.
 
There are clever tricks like deleting all machine account kerberos tickets
using klist. But it is probably more trouble to set that up than it is to
initiate a reboot.
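One way to script the klist trick mentioned above and check whether it worked, as an added example that is not from any poster in this thread: it assumes an elevated PowerShell prompt on the domain-joined computer, that gpupdate (the successor to secedit /refreshpolicy) is available, and that logon ID 0x3e7 is the SYSTEM session whose tickets get purged. The group name is a parameter you supply.

```powershell
# Added example: purge the computer's Kerberos tickets, refresh machine policy,
# and check whether the computer's token now lists the new group.
# Assumptions: run as Administrator on the domain-joined machine; $GroupName is
# the security group the computer object was just added to (a parameter).
param([Parameter(Mandatory = $true)][string]$GroupName)

function Get-ComputerTokenGroups {
    # gpresult lists the computer token's groups under a fixed header; collect
    # the lines that follow it until the section ends at a blank line.
    $groups = @()
    $inSection = $false
    foreach ($line in (gpresult /r /scope:computer)) {
        if ($line -match 'computer is a part of the following security groups') {
            $inSection = $true
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # underline below the header
        if ($line -match '^\s*$') {
            if ($groups.Count -gt 0) { break } else { continue }
        }
        $groups += $line.Trim()
    }
    return $groups
}

function Test-TokenHasGroup([string[]]$Groups, [string]$Name) {
    # gpresult prints DOMAIN\Group, so match on the trailing group name only.
    $pattern = '(^|\\)' + [regex]::Escape($Name) + '$'
    return [bool]($Groups | Where-Object { $_ -match $pattern })
}

$before = Get-ComputerTokenGroups
Write-Host "Before refresh, token contains '$GroupName': $(Test-TokenHasGroup $before $GroupName)"

# Logon ID 0x3e7 is the SYSTEM session; purging its tickets makes the machine
# request a fresh TGT (with a current PAC) the next time it contacts a DC.
klist -li 0x3e7 purge | Out-Null

# gpupdate replaces secedit /refreshpolicy on Windows XP / Server 2003 and later.
gpupdate /target:computer /force | Out-Null

$after = Get-ComputerTokenGroups
if (Test-TokenHasGroup $after $GroupName) {
    Write-Host "After refresh, '$GroupName' is in the computer token; the filtered GPO should now apply."
} else {
    Write-Warning "'$GroupName' is still absent from the computer token; reboot, as the thread advises."
}
```

If the group is still missing after the refresh, the token built at boot has not been rebuilt and a reboot is the reliable fallback described in the thread.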
 
Just to follow up, the group policies will only apply to the objects
contained in an OU. If you create a security group under an empty OU and
link a policy to it, the policy will NOT apply. Security groups can only be
used for filtering the policy via permissions. If you want the policy to
affect computers, you need to move the actual computer objects into that OU.

HTH

Ken
 