From Group Policy MVP Jeremy Moskowitz's newsletter:

Team:

Sometimes, you just can't wait. 

For instance, if you're moving a user or computer from one OU to another.
And then you want to make sure that user or computer gets the latest,
greatest Group Policy settings.

Great. Except they won't. 

So, here's the lashup. You have a user named Fred and he's in the Sales OU.
Now, you want to move him to the Marketing OU.

So, you drag Fred (well, Fred's account, I suppose.. not Fred.. that would
be funny) from Sales to Marketing.

Now, you want Fred to get the Marketing settings and LOSE the Sales
settings.

Except he won't .. not right away. This is because Fred's workstation
still thinks Fred's account is in the "original location" of Sales.

So, what can you do?

The best thing you can do is log off and log back on. This flushes the
location from memory and re-grabs it the next time it checks AD. The only
problem HERE is what happens if you have a slower AD with lots and lots of
DCs?

You then need to make sure the DC that Fred logs on to gets the
latest/greatest update of where Fred's user account now resides! You can use
tools like repadmin to force replication if you have the rights.

Note, in Windows 7, you can also run "gpupdate /force" which will also seem
to accurately pick up a user or computer move (provided you're talking to a
DC with the updated information.) XP/SP2 had a hotfix which was supposed to
do this, and XP/SP3 was also supposed to be able to do this.

But only Windows 7 seems to really "kick butt" with "gpupdate /force" and
recognize the updated location correctly, pretty much every time.

There are other uses for the /force command, which we'll explore another
day.


Webster

> -----Original Message-----
> From: Charlie Kaiser [mailto:[email protected]]
> Subject: RE: Gpupdate /force not forcing update
> 
> Groups apply to the AD account. Like a user account, logging off and
> back on is required to modify the security token. How do you log off a
> computer account? Reboot...
> 
> Changing many policy settings can be done without a reboot. Group
> memberships can't.
> 
> > -----Original Message-----
> > From: John Hornbuckle [mailto:[email protected]]
> > Subject: Gpupdate /force not forcing update
> >
> > I just had a bit of weirdness with a machine not updating its
> > group policy the way I expected.
> >
> > Yesterday I removed a machine (Vista) from a group using
> > ADUC. Today when I ran gpresult on the machine, it still
> > showed that it was a member of the group. The time stamp of
> > the last policy update was recent, and I checked the DC the
> > machine had gotten the update from and confirmed that that DC
> > knew the machine was no longer a member of the group. Yet the
> > machine still thought it was.
> >
> > So I ran gpupdate /force, then another gpresult after that.
> > Same thing: the machine still showed as being a member of the
> > group I had removed it from nearly 24 hours earlier.
> >
> > Lastly, I rebooted the machine. Logged back in, ran gpresult,
> > and all was fine. The machine was no longer a member of the group.
> >
> > My question is, why didn't gpupdate /force accomplish this?
> > If a reboot was necessary for the change to apply, normally
> > gpupdate will tell me that. It didn't, though.
> >
> > Is this a bug, or by design?

