Re: Group Policy is refreshing, but not working
- From: rosevilleca@xxxxxxxxx
- Date: Thu, 24 Jul 2008 10:44:44 -0700 (PDT)
On Jul 24, 9:20 am, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
Hello rosevill...@xxxxxxxxx,
That policies are processed correctly make sure that on all domain machines
only domain internal DNS servers are used, no ip addresses from external
DNS servers like your ISP's. Please post an unedited ipconfig /all from a
problem machine and your DNS server. Also make sure the the policy is linked
to the OU where the computers are located.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
We set up a restricted group policy using the "member of" method to
add a group to the local administrators group of all the PC's in an
OU.
The policy works and adds the group on first reboot, but when the
group is manually removed from a client's local administrators group,
there is a very long delay before the group is re-added.
I checked the group policy refresh interval and it's set for 30
minutes with a 30 minute offset, so 60 minutes is the longest amount
of time it takes before it would refresh.
I also checked to make sure the refresh was working on the client by
running the Group Policy Results report on the machine and it does
show "Last time Group Policy was processed" refreshing on time between
30 minutes and an hour.
Despite the policy refreshing, the deleted group is not re-added to
the local administrators group even after rebooting the client.
The group is re-added to the client's local admins group only under
the following scenarios:
If I wait 24 hours and reboot, the group is re-added.
If I run gpupdate with the "force" switch at the client, the group is
re-added.
If I make any edits to the group policy, the group is re-added.
Shouldn't the group automatically re-add during the time of the
refresh interval (30-60 minutes)?
How can this be fixed?
I tried running the gpmonitor tool, but I don't see any kind of
instructions on how to use it. The help file has nothing usefeul,
just a glossary.- Hide quoted text -
- Show quoted text -
I think I have it figured out and it's probably working as designed.
The delay is caused by Client Side Extensions and thoses only refresh
every 16 hours. That's why it worked when I waited overnight. The
Group Policy refresh interval of every 30 minutes only checks to see
that the policy was applied to the machine, it doesn't verify that the
settings on the machine still match the settings specified in the
policy.
Every 16 hours the CSE reloads the policy and that's when user changes
would be overwritten by the policy again.
I'm not sure that is a satisfactory method of applying policy for us,
but that's the way it was designed.
We will look at changing the CSE interval to a shorter period if it
doesn't cause too much overhead on the workstations or the network.
.
- References:
- Group Policy is refreshing, but not working
- From: rosevilleca
- Re: Group Policy is refreshing, but not working
- From: Meinolf Weber
- Group Policy is refreshing, but not working
- Prev by Date: Configuring Desktop Policy
- Next by Date: Re: Apply Short Date Format through GPO on Domain
- Previous by thread: Re: Group Policy is refreshing, but not working
- Next by thread: Configuring Desktop Policy
- Index(es):
Relevant Pages
|
