> Group memberships can't.

There is actually a way to update a computer's group memberships without a 
reboot. We discussed it on activdir last year. In Server 2008, Microsoft added 
some switches to the klist.exe utility that you could use to force a refresh of 
the server's tokens, and thus pick up group membership changes without a 
reboot. The command format for doing that is: 

klist -li 0x3e7 purge


One of the GPO MVPs, Darren Mar-Elia, has blogged about it and also played with 
it on 2003; there it involves klist running as LocalSystem. I have not heard it 
discussed for Win7, but Vista was alleged to have the plumbing but is missing a 
resource somewhere to run klist.


-----Original Message-----
From: Charlie Kaiser [mailto:[email protected]] 
Sent: Thursday, February 18, 2010 6:57 AM
To: NT System Admin Issues
Subject: RE: Gpupdate /force not forcing update

Groups apply to the AD account. Like a user account, logging off and back on
is required to modify the security token. How do you log off a computer
account? Reboot...

Changing many policy settings can be done without a reboot. Group
memberships can't.

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************  

> -----Original Message-----
> From: John Hornbuckle [mailto:[email protected]] 
> Sent: Thursday, February 18, 2010 7:47 AM
> To: NT System Admin Issues
> Subject: Gpupdate /force not forcing update
> 
> I just had a bit of weirdness with a machine not updating its 
> group policy the way I expected.
> 
>  
> 
> Yesterday I removed a machine (Vista) from a group using 
> ADUC. Today when I ran gpresult on the machine, it still 
> showed that it was a member of the group. The time stamp of 
> the last policy update was recent, and I checked the DC the 
> machine had gotten the update from and confirmed that that DC 
> knew the machine was no longer a member of the group. Yet the 
> machine still thought it was.
> 
>  
> 
> So I ran gpupdate /force, then another gpresult after that. 
> Same thing - the machine still showed as being a member of the 
> group I had removed it from nearly 24 hours earlier.
> 
>  
> 
> Lastly, I rebooted the machine. Logged back in, ran gpresult, 
> and all was fine. The machine was no longer a member of the group.
> 
>  
> 
> My question is, why didn't gpupdate /force accomplish this? 
> If a reboot was necessary for the change to apply, normally 
> gpupdate will tell me that. It didn't, though.
> 
>  
> 
> Is this a bug, or by design?
> 
> John Hornbuckle
> 
> MIS Department
> 
> Taylor County School District
> 
> www.taylor.k12.fl.us
> 
> NOTICE: Florida has a broad public records law. Most written 
> communications to or from this entity are public records that 
> will be disclosed to the public and the media upon request. 
> E-mail communications may be subject to public disclosure.
> 
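
The sequence discussed in this thread, written as a script: record the groups gpresult reports for the computer, purge the LocalSystem logon session's Kerberos tickets with the klist command quoted above, refresh computer policy, and report what changed. This is an added example, not part of the original messages; it assumes an elevated PowerShell prompt on Server 2008 or later, English gpresult output, and the function name Get-ComputerGroupsFromGpresult is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the affected machine.
$LocalSystemLuid = '0x3e7'   # logon session of LocalSystem, as given in the thread

# klist -li needs administrative rights to touch another logon session.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

function Get-ComputerGroupsFromGpresult {
    # Assumption: English output, where the group list follows the line
    # "The computer is a part of the following security groups".
    $inSection = $false
    $groups = @()
    foreach ($line in (& gpresult.exe /r /scope computer)) {
        $text = "$line".Trim()
        if ($text -match 'part of the following security groups') {
            $inSection = $true
            continue
        }
        if (-not $inSection -or $text -match '^-+$') { continue }  # skip underline row
        if ($text -eq '') {
            if ($groups.Count -gt 0) { break }   # blank line ends the list
            continue
        }
        $groups += $text
    }
    return $groups
}

$before = @(Get-ComputerGroupsFromGpresult)

# Drop the computer account's cached tickets so new ones carry current group data.
& klist.exe -li $LocalSystemLuid purge
if ($LASTEXITCODE -ne 0) { Write-Warning "klist exited with code $LASTEXITCODE" }

# Re-apply computer policy; the piped 'N' declines any restart prompt.
'N' | & gpupdate.exe /target:computer /force

$after = @(Get-ComputerGroupsFromGpresult)

# Report the difference so a stale membership is visible at a glance.
$removed = @($before | Where-Object { $after -notcontains $_ })
$added   = @($after  | Where-Object { $before -notcontains $_ })
"Groups no longer listed: " + ($removed -join ', ')
"Groups newly listed:     " + ($added -join ', ')
```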


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~