Ah, okay. That makes sense. My goal was to change the group policy that was applied to the computer, and the policy is based on group membership. But I guess group policy and group membership aren't the same thing, and gpupdate would have no way of knowing that membership changed. It would just refresh policies based on what it THOUGHT group membership was, which apparently wouldn't change until a reboot.

John

From: Kennedy, Jim
Sent: Thursday, February 18, 2010 10:25 AM
To: NT System Admin Issues
Subject: RE: Gpupdate /force not forcing update

Correct. This isn't a group policy change, it was a membership change to a group. That requires a relog, in the case of a machine a restart.

From: James Rankin
Sent: Thursday, February 18, 2010 10:20 AM
To: NT System Admin Issues
Subject: Re: Gpupdate /force not forcing update

Don't access tokens for group memberships only get updated when you log out (user) or restart (machine)? I may be completely wrong...I last paid attention to this sort of thing back in the Win2K days.

On 18 February 2010 14:47, John Hornbuckle wrote:

I just had a bit of weirdness with a machine not updating its group policy the way I expected.

Yesterday I removed a machine (Vista) from a group using ADUC. Today when I ran gpresult on the machine, it still showed that it was a member of the group. The time stamp of the last policy update was recent, and I checked the DC the machine had gotten the update from and confirmed that that DC knew the machine was no longer a member of the group. Yet the machine still thought it was.

So I ran gpupdate /force, then another gpresult after that. Same thing - the machine still showed as being a member of the group I had removed it from nearly 24 hours earlier.

Lastly, I rebooted the machine. Logged back in, ran gpresult, and all was fine. The machine was no longer a member of the group.

My question is, why didn't gpupdate /force accomplish this? If a reboot was necessary for the change to apply, normally gpupdate will tell me that. It didn't, though. Is this a bug, or by design?

John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us

NOTICE: Florida has a broad public records law.
Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
