Re: Restricted Group Policy not working in timely manner

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 12/09/04


Date: Thu, 9 Dec 2004 13:18:38 -0800

By default, a GPO will not be processed if it has not changed since the last
processing cycle. Security policy (including restricted groups) is an
exception to this rule and will process every 16 hours regardless of whether
the GPO has changed. You can change this value to a smaller number by
following the directions here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;277543

Alternatively, you can set the Security CSE to process during every refresh
cycle (Foreground or Background) by modifying this policy: Computer
Configuration|Administrative Templates|System|Group Policy|Security Policy
Processing|Process even if the GP objects have not changed. However, keep in
mind that if you have any "expensive" settings in your sec. policy, like
file and registry permissions, this can really slow down your workstations
if it's refreshing during every cycle (esp. on a DC at 5 min. intervals).

-- 
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

"boomboom21" <chris.boom@qci.com> wrote in message 
news:1102623354.763153.243720@z14g2000cwz.googlegroups.com...
> We have defined "Domain Admins" as a restricted group in the Default
> Domain Policy GPO.  The problem is that if we add someone to the
> restricted group it can take well over a couple hours for the policy to
> remove that user from the group.  A normal GPUPDATE will not do
> anything, but a "GPUPDATE /FORCE" run on a DC does work to force the
> policy to remove the user from the restricted group.  The only
> difference between GPUPDATE and GPUPDATE /FORCE (from what I can tell)
> is that GPUPDATE only refreshes policies that have changed... and
> GPUPDATE /FORCE refreshes all policies regardless of change???
>
> GPO Refresh Frequency has not been modified from default settings.  If
> I'm correct, this policy should be refreshed on DCs every 5 minutes by
> default.  I am not seeing any GPO errors in the Event Log.  Any ideas
> what could be causing this delay?
>
> Thanks
> 
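
An added example, not part of the original posts: a PowerShell check that reports how long an unauthorized restricted-group member can persist on a given machine, based on the two settings described in the reply above. The registry locations and value names are not quoted in the thread; they are the Security CSE locations as commonly documented and should be treated as assumptions to verify against the KB article linked above.

```powershell
# Added example (not from the thread): report when the Security CSE reapplies
# unchanged GPOs, i.e. how long restricted-group drift can persist.
# ASSUMPTION: the registry paths and value names below are the standard
# Security CSE locations; they do not appear in the thread itself.
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecurityCse"
$CseKey      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecurityCse"

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-SecurityPolicyReapplyState {
    # 0 = "Process even if the GP objects have not changed" is enabled.
    $noChanges   = Get-DwordOrNull -Path $PolicyKey -Name 'NoGPOListChanges'
    # Forced reapply interval in minutes; absent means the 16-hour default.
    $intervalMin = Get-DwordOrNull -Path $CseKey -Name 'MaxNoGPOListChangesInterval'
    if ($null -eq $intervalMin) { $intervalMin = 960 }

    $everyRefresh = ($noChanges -eq 0)
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        ProcessEvenIfUnchanged = $everyRefresh
        ForcedReapplyMinutes   = $intervalMin
        WorstCaseDrift         = if ($everyRefresh) { 'next refresh cycle' }
                                 else { "up to $intervalMin minutes" }
    }
}

Get-SecurityPolicyReapplyState | Format-List
```

Run it on a DC and on a member workstation separately, since the refresh interval differs between them and the cost of reprocessing security policy on every cycle falls on whichever machine has the setting enabled.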

