Re: Group Policy and Machine Groups

From: Glenn L (the.only_at_gmail.com)
Date: 10/19/04


Date: Mon, 18 Oct 2004 20:01:57 -0700

There are clever tricks like deleting all machine account Kerberos tickets
using klist. But it is probably more trouble to set that up than it is to
initiate a reboot.

-- 
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
"Glenn L" <the.only@gmail.com> wrote in message
news:erImHBYtEHA.1272@TK2MSFTNGP12.phx.gbl...
> Joining a computer to a security group is much the same as joining a user
> to a security group.
> If they are both logged on prior to adding them to the group, their access
> tokens will not contain the SID for the new group.
> You must re-authenticate with AD to get an updated token that has the new
> group SID.
> Simply put, the workstation does not know it is a member of the new group
> until you reboot it.
>
> Hope that helps.
> -- 
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
> "Duane Haas" <dhaas@suduhaas.com> wrote in message
> news:c5bbaec2.0410181758.400ff4dc@posting.google.com...
> > Quick question, I have a GPO policy created that I have applied to a
> > security group.  The security group consists of several machines,
> > what's the deal behind why I can get the policy to update unless I
> > reboot the machine?  The policy is a machine policy, and basically
> > just applies a security template.  But no matter what I do as far as
> > running secedit /refreshpolicy machine_policy /enforce , it still won't
> > pick up on the fact that the machine is now part of this security
> > group I created.  Once I reboot and re-run it, it shows that it's part
> > of the group.
>
>
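
The ticket-purge alternative to a reboot mentioned in the reply above, as an added example that is not part of the original thread. It assumes a Windows version with the built-in klist.exe, gpupdate.exe and gpresult.exe (Vista / Server 2008 or later) and an elevated prompt; the group name is a hypothetical placeholder.

```powershell
# Added example: refresh the computer account's group membership without a reboot.
# Assumes an elevated session and the built-in klist/gpupdate/gpresult tools.
param(
    # Hypothetical placeholder: name of the security group the GPO is filtered on.
    [string]$GroupName = 'Hardened-Servers'
)

function Test-ComputerGroup {
    param([string]$Name)
    # gpresult reports the security groups seen at the last computer policy run.
    # Simple substring match; a GPO with the same name would also match.
    $report = & gpresult.exe /r /scope computer 2>&1 | Out-String
    return $report -match [regex]::Escape($Name)
}

if (Test-ComputerGroup -Name $GroupName) {
    Write-Output "Computer policy already evaluated with group '$GroupName'."
    return
}

# 0x3e7 is the logon session of LocalSystem, which holds the machine account's
# Kerberos tickets. Purging them forces new tickets to be requested, and the
# new tickets carry the current group SIDs.
& klist.exe -li 0x3e7 purge
if ($LASTEXITCODE -ne 0) {
    throw "klist purge failed with exit code $LASTEXITCODE (is the session elevated?)"
}

# Re-run computer policy so the GPO's security filtering is evaluated again.
& gpupdate.exe /target:computer /force

if (Test-ComputerGroup -Name $GroupName) {
    Write-Output "Group '$GroupName' is now applied to computer policy."
} else {
    # Typical causes: the group change has not replicated to the DC in use,
    # or the membership was added to a different object than this computer.
    Write-Warning "Group '$GroupName' still missing; check replication or reboot."
}
```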

