Group Policy and Machine Groups

Archived from groups: microsoft.public.win2000.group_policy

Quick question: I have a GPO policy created that I have applied to a
security group. The security group consists of several machines.
What's the deal behind why I can't get the policy to update unless I
reboot the machine? The policy is a machine policy, and basically
just applies a security template. But no matter what I do as far as
running secedit /refreshpolicy machine_policy /enforce, it still won't
pick up on the fact that the machine is now part of this security
group I created. Once I reboot and re-run it, it shows that it's part
of the group.
 

Joining a computer to a security group is much the same as joining a user to
a security group.
If they are both logged on prior to adding them to the group, their access
tokens will not contain the SID for the new group.
You must re-authenticate with AD to get an updated token that has the new
group SID.
Simply put, the workstation does not know it is a member of the new group
until you reboot it.

Hope that helps.
--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security


"Duane Haas" <dhaas@suduhaas.com> wrote in message
news:c5bbaec2.0410181758.400ff4dc@posting.google.com...
> Quick question: I have a GPO policy created that I have applied to a
> security group. The security group consists of several machines.
> What's the deal behind why I can't get the policy to update unless I
> reboot the machine? The policy is a machine policy, and basically
> just applies a security template. But no matter what I do as far as
> running secedit /refreshpolicy machine_policy /enforce, it still won't
> pick up on the fact that the machine is now part of this security
> group I created. Once I reboot and re-run it, it shows that it's part
> of the group.
 

There are clever tricks like deleting all machine account kerberos tickets
using klist. But it is probably more trouble to set that up than it is to
initiate a reboot.


--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security


"Glenn L" <the.only@gmail.com> wrote in message
news:erImHBYtEHA.1272@TK2MSFTNGP12.phx.gbl...
> Joining a computer to a security group is much the same as joining a user to
> a security group.
> If they are both logged on prior to adding them to the group, their access
> tokens will not contain the SID for the new group.
> You must re-authenticate with AD to get an updated token that has the new
> group SID.
> Simply put, the workstation does not know it is a member of the new group
> until you reboot it.
>
> Hope that helps.
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
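The two replies above describe the same mechanism: the computer's Kerberos ticket (and so its token) carries the group SIDs as they stood at the last machine logon, and Group Policy filters on that token, not on the live directory. The script below is an added example, not code from the thread, that makes this checkable on the workstation: it reads the groups gpresult says the computer's token held at the last policy refresh, compares them with what AD says, and, when only the cached token is stale, applies the klist purge Glenn mentions followed by a forced refresh. It assumes an elevated prompt on Windows Vista / Server 2008 or later (where klist.exe ships in-box and supports -li; on Windows 2000 a reboot remains the reliable route), an English-locale gpresult (the section heading it parses is localized), the RSAT ActiveDirectory module, and a placeholder group name.

```powershell
# Added example (not from the thread). Assumptions: elevated prompt, Vista/2008 or
# later, English gpresult output, RSAT ActiveDirectory module. $GroupName is a placeholder.
param([string]$GroupName = 'WS-Hardened-Template')

function Get-ComputerTokenGroups {
    # gpresult lists the groups that were in the computer's token when policy last ran.
    # Those come from the machine's Kerberos ticket (PAC), not from a live AD lookup.
    $lines = gpresult /scope computer /r 2>&1
    $inSection = $false
    $groups = @()
    foreach ($line in $lines) {
        if ($line -match 'part of the following security groups') { $inSection = $true; continue }
        if ($inSection) {
            if ($line -match '^\s*-{3,}\s*$') { continue }   # underline beneath the heading
            if ($line -match '^\s*$')        { break }      # blank line closes the section
            # Domain groups are printed bare; built-ins as "AUTHORITY\Name". Keep the name part.
            $groups += ($line.Trim() -split '\\')[-1]
        }
    }
    return $groups
}

$tokenGroups = Get-ComputerTokenGroups
if ($tokenGroups -contains $GroupName) {
    "Token already carries '$GroupName'; a GPO filtered on it will apply at the next refresh."
    return
}

"Token does not carry '$GroupName'. Groups seen at the last policy refresh:"
$tokenGroups | ForEach-Object { "  $_" }

# Does AD itself list the computer in the group? The computer's SAM name ends in '$'.
Import-Module ActiveDirectory
$adGroups = Get-ADPrincipalGroupMembership -Identity "$env:COMPUTERNAME$" |
            Select-Object -ExpandProperty Name
if ($adGroups -notcontains $GroupName) {
    "AD does not list this computer in '$GroupName' either; fix the membership first."
    return
}

# AD is right and only the cached token is stale. 0x3e7 is the logon id of the SYSTEM
# session that holds the computer account's tickets; purging them forces a fresh TGT
# whose PAC carries the current group list, which the forced refresh then uses.
klist -li 0x3e7 purge | Out-Null
gpupdate /target:computer /force | Out-Null
if ((Get-ComputerTokenGroups) -contains $GroupName) {
    "Group picked up without a reboot."
} else {
    "Still missing after the purge; reboot the machine so it logs on again with a new token."
}
```

Run it on the workstation, not on a management host, since both gpresult and klist report on the local machine's own logon session. The final branch is the honest outcome on platforms where the purge does not take effect: Glenn's point that a new machine logon is what actually rebuilds the token still holds.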
 

Just to follow up, the group policies will only apply to the objects
contained in an OU. If you create a security group under an empty OU and
link a policy to it, the policy will NOT apply. Security groups can only be
used for filtering the policy via permissions. If you want the policy to
affect computers, you need to move the actual computer objects into that OU.

HTH

Ken


"Glenn L" <the.only@gmail.com> wrote in message
news:OlDSIgYtEHA.1276@TK2MSFTNGP12.phx.gbl...
> There are clever tricks like deleting all machine account kerberos tickets
> using klist. But it is probably more trouble to set that up than it is to
> initiate a reboot.
>
>
> --
> Glenn L
> CCNA, MCSE 2000, MCSE 2003 + Security
>
>
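Ken's follow-up separates two things that are easy to conflate: where a GPO is linked (an OU, site or domain containing the computer object) decides whether it is ever considered, and its security filtering (the Apply permission) decides whether this computer keeps it. The script below is an added example, not code from the thread, that checks both for one computer from a management host: it walks the computer's container with Get-GPInheritance, whose InheritedGpoLinks already covers every parent OU and the domain, then compares the GPO's GpoApply trustees with the computer's group memberships. It assumes the RSAT ActiveDirectory and GroupPolicy modules and placeholder computer and GPO names; it reads direct group membership only, so a group reached through nesting would have to be checked by hand.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory and
# GroupPolicy modules on a management host; $ComputerName and $GpoName are placeholders.
param(
    [string]$ComputerName = 'WS01',
    [string]$GpoName      = 'Workstation Security Template'
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computer = Get-ADComputer -Identity $ComputerName
# The container the object sits in: strip the leading "CN=<name>," from its DN.
$container = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

# (1) Link check. InheritedGpoLinks lists links on this container, every parent OU
#     and the domain, so one call answers "does this GPO reach the computer at all".
$links = (Get-GPInheritance -Target $container).InheritedGpoLinks
$link  = $links | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) {
    "'$GpoName' is not linked to $container or any of its parents."
    "A GPO linked only to a group, or to an OU the computer is not under, never applies."
    return
}
"'$GpoName' reaches $container (link enabled: $($link.Enabled))."

# (2) Filtering check. Only trustees holding GpoApply receive the policy.
$applyTrustees = Get-GPPermission -Name $GpoName -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name }

# Direct group memberships (includes the primary group, normally Domain Computers),
# plus the well-known identities every domain-joined computer carries.
$memberOf  = Get-ADPrincipalGroupMembership -Identity $computer |
             Select-Object -ExpandProperty Name
$effective = @($memberOf) + @('Authenticated Users', 'Everyone') + @($ComputerName)

$matched = $applyTrustees | Where-Object { $effective -contains $_ }
if ($matched) {
    "Apply is granted to: $($matched -join ', ')."
    "The policy applies once the computer's token carries those SIDs; a group added after"
    "the last machine logon is not in the token until the computer logs on again."
} else {
    "Apply is granted only to: $($applyTrustees -join ', '); the computer matches none of"
    "them, so the GPO is filtered out even though it is linked."
}
```

The first branch is the case from the original question: link and filtering are both correct, and the only remaining variable is whether the computer's current token already contains the group. The second branch is the misconfiguration Ken describes, where a group was used as if it were a link target.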