Re: Restricted Group Policy not working in timely manner

From: boomboom21 (chris.boom_at_qci.com)
Date: 12/09/04


Date: 9 Dec 2004 14:05:01 -0800

Thanks for the info!

Darren Mar-Elia wrote:
> By default, a GPO will not be processed if it has not changed since the last
> processing cycle. Security policy (including restricted groups) is an
> exception to this rule and will process every 16 hours regardless of whether
> the GPO has changed. You can change this value to a smaller number by
> following the directions here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;277543
>
> Alternatively, you can set the Security CSE to process during every refresh
> cycle (Foreground or Background) by modifying this policy: Computer
> Configuration|Administrative Templates|System|Group Policy|Security Policy
> Processing|Process even if the GP objects have not changed. However, keep in
> mind that if you have any "expensive" settings in your sec. policy, like
> file and registry permissions, this can really slow down your workstations
> if it's refreshing during every cycle (esp. on a DC at 5 min. intervals).
>
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
>
> "boomboom21" <chris.boom@qci.com> wrote in message
> news:1102623354.763153.243720@z14g2000cwz.googlegroups.com...
> > We have defined "Domain Admins" as a restricted group in the Default
> > Domain Policy GPO. The problem is that if we add someone to the
> > restricted group it can take well over a couple hours for the policy to
> > remove that user from the group. A normal GPUPDATE will not do
> > anything, but a "GPUPDATE /FORCE" run on a DC does work to force the
> > policy to remove the user from the restricted group. The only
> > difference between GPUPDATE and GPUPDATE /FORCE (from what I can tell)
> > is that GPUPDATE only refreshes policies that have changed....and
> > GPUPDATE /FORCE refreshes all policies regardless of change???
> >
> > GPO Refresh Frequency has not been modified from default settings. If
> > I'm correct, this policy should be refreshed on DCs every 5 minutes by
> > default. I am not seeing any GPO errors in the Event Log. Any ideas
> > what could be causing this delay?
> >
> > Thanks
> >
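
To see which of the two behaviours described in the quoted reply a machine is using, and which accounts are sitting in the restricted group until the next enforcement pass, a check along these lines can be run on a DC. It is an added example, not part of the thread; the registry locations, the function names and the allow-list are assumptions that do not appear in the posts.

```powershell
# Added example, not from the thread. Registry locations are the ones these
# Security CSE settings are stored under; the allow-list is constructed.
$SecCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # Security client-side extension

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns nothing ($null) when the key or value is absent (not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SecurityCseRefresh {
    $pol = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecCse"
    $ext = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecCse"
    # 0 here means "Process even if the GP objects have not changed" is enabled.
    $always  = Get-RegDword $pol 'NoGPOListChanges'
    # Forced re-apply interval in minutes (the value the KB article covers).
    $minutes = Get-RegDword $ext 'MaxNoGPOListChangesInterval'
    if ($null -eq $minutes) { $minutes = 960 }        # default: 16 hours
    [pscustomobject]@{
        ProcessEvenIfUnchanged = ($always -eq 0)
        ForcedReapplyMinutes   = $minutes
    }
}

function Get-RestrictedGroupDrift([string]$Group, [string[]]$Expected) {
    # Needs the ActiveDirectory module. Returns members not on the allow-list.
    Get-ADGroupMember -Identity $Group |
        Select-Object -ExpandProperty SamAccountName |
        Where-Object { $_ -notin $Expected }
}

$cfg   = Get-SecurityCseRefresh
$extra = Get-RestrictedGroupDrift 'Domain Admins' @('Administrator')  # constructed allow-list

if ($cfg.ProcessEvenIfUnchanged) {
    $window = 'the next policy refresh cycle'
} else {
    $window = "up to $($cfg.ForcedReapplyMinutes) minutes (unchanged GPO)"
}

if ($extra) {
    Write-Warning "Unexpected members of Domain Admins: $($extra -join ', ')"
    Write-Warning "Restricted Groups will not remove them for $window."
} else {
    Write-Output "Domain Admins matches the allow-list; security policy re-applies within $window."
}
```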


