Not entirely the case - you can force a renewal of the Kerberos token to reflect the changed group membership by running KLIST.exe under the computer's system account. However, that's a bit of a convoluted process; rebooting the box is simpler.
-Malcolm -----Original Message----- From: Charlie Kaiser [mailto:[email protected]] Sent: Thursday, February 18, 2010 8:57 AM To: NT System Admin Issues Subject: RE: Gpupdate /force not forcing update Groups apply to the AD account. Like a user account, logging off and back on is required to modify the security token. How do you log off a computer account? Reboot... Changing many policy settings can be done without a reboot. Group memberships can't. *********************** Charlie Kaiser [email protected] Kingman, AZ *********************** > -----Original Message----- > From: John Hornbuckle [mailto:[email protected]] > Sent: Thursday, February 18, 2010 7:47 AM > To: NT System Admin Issues > Subject: Gpupdate /force not forcing update > > I just had a bit of weirdness with a machine not updating its group > policy the way I expected. > > > > Yesterday I removed a machine (Vista) from a group using ADUC. Today > when I ran gpresult on the machine, it still showed that it was a > member of the group. The time stamp of the last policy update was > recent, and I checked the DC the machine had gotten the update from > and confirmed that that DC knew the machine was no longer a member of > the group. Yet the machine still thought it was. > > > > So I ran gpupdate /force, then another gpresult after that. > Same thing-the machine still showed as being a member of the group I > had removed it from nearly 24 hours earlier. > > > > Lastly, I rebooted the machine. Logged back in, ran gpresult, and all > was fine. The machine was no longer a member of the group. > > > > My question is, why didn't gpupdate /force accomplish this? > If a reboot was necessary for the change to apply, normally gpupdate > will tell me that. It didn't, though. > > > > Is this a bug, or by design? > > > > > > > > John Hornbuckle > > MIS Department > > Taylor County School District > > www.taylor.k12.fl.us > > > > > > > > > > > > NOTICE: Florida has a broad public records law. Most written > communications to or from this entity are public records that will be > disclosed to the public and the media upon request. > E-mail communications may be subject to public disclosure. > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
