Re: Restricted Group Policy not working in timely manner


From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/10/04


Date: Fri, 10 Dec 2004 08:05:52 -0700

Interesting info Darren, but the OP should not have to
use that info. The change he is making should reflect
rapidly into his effective policies, at least that is how
a membership change in a restricted group for Domain
Admins functions in my AD.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA

"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
news:esKVjSj3EHA.3092@TK2MSFTNGP10.phx.gbl...
> By default, a GPO will not be processed if it has not changed since the last
> processing cycle. Security policy (including restricted groups) is an
> exception to this rule and will process every 16 hours regardless of whether
> the GPO has changed. You can change this value to a smaller number by
> following the directions here:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;277543
>
> Alternatively, you can set the Security CSE to process during every refresh
> cycle (Foreground or Background) by modifying this policy:  Computer
> Configuration|Administrative Templates|System|Group Policy|Security Policy
> Processing|Process even if the GP objects have not changed. However keep in
> mind that if you have any "expensive" settings in your sec. policy, like
> file and registry permissions, this can really slow down your workstations
> if it's refreshing during every cycle (esp. on a DC at 5 min. intervals).
>
>
> -- 
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
>
>
>
> "boomboom21" <chris.boom@qci.com> wrote in message
> news:1102623354.763153.243720@z14g2000cwz.googlegroups.com...
> > We have defined "Domain Admins" as a restricted group in the Default
> > Domain Policy GPO.  The problem is that if we add someone to the
> > restricted group it can take well over a couple hours for the policy to
> > remove that user from the group.  A normal GPUPDATE will not do
> > anything, but a "GPUPDATE /FORCE" run on a DC does work to force the
> > policy to remove the user from the restricted group.  The only
> > difference between GPUPDATE and GPUPDATE /FORCE (from what I can tell)
> > is that GPUPDATE only refreshes policies that have changed....and
> > GPUPDATE /FORCE refreshes all policies regardless of change???
> >
> > GPO Refresh Frequency has not been modified from default settings.  If
> > I'm correct, this policy should be refreshed on DC's every 5 minutes by
> > default.  I am not seeing any GPO errors in the Event Log.  Any ideas
> > what could be causing this delay?
> >
> > Thanks
> >
>
>
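
The two controls discussed in this thread (the 16-hour security policy interval and "Process even if the GP objects have not changed") can be read back from a DC to see which one is in effect. The script below is an added example, not part of the original posts. The registry paths, the value names NoGPOListChanges and MaxNoGPOListChangesInterval, and the function names are not in the thread and are assumed here; confirm them against the KB article linked above.

```powershell
# Added example: report how the Security CSE (which applies Restricted Groups)
# treats GPOs that have not changed. Paths and value names are assumptions.
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'  # Security client-side extension
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecurityCse"
$CseKey      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecurityCse"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SecurityCseRefresh {
    # 0 = "Process even if the GP objects have not changed" is enabled.
    $noChanges = Get-RegValue -Path $PolicyKey -Name 'NoGPOListChanges'
    # Minutes between forced security refreshes; absent means the 16-hour default.
    $interval  = Get-RegValue -Path $CseKey -Name 'MaxNoGPOListChangesInterval'
    $usingDefault = ($null -eq $interval)
    if ($usingDefault) { $interval = 16 * 60 }

    $everyCycle = ($null -ne $noChanges -and $noChanges -eq 0)
    if ($everyCycle) {
        $summary = 'Security policy is reapplied on every refresh cycle, changed or not.'
    } else {
        $summary = "Unchanged security policy is reapplied about every $interval minutes; " +
                   'until then only GPUPDATE /FORCE reverts a manual group change.'
    }

    [pscustomobject]@{
        ProcessEvenIfUnchanged = $everyCycle
        ForcedIntervalMinutes  = [int]$interval
        IntervalIsDefault      = $usingDefault
        Summary                = $summary
    }
}

Get-SecurityCseRefresh | Format-List
```

Run it on the DC where the restricted group is enforced. A result of ProcessEvenIfUnchanged = False with a 960-minute interval matches the delay the original poster describes.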

