Ben- When you add/remove computers from security groups, it typically requires a reboot of the computer for it to pick that group membership in its token. I have heard, which could explain what you're seeing, that this group membership is refreshed during a Kerberos ticket refresh, which I believe happens every 8 hours by default, but I haven't tested it yet. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of WATSON, BEN Sent: Wednesday, August 20, 2008 8:45 AM To: undisclosed-recipients: Subject: [gptalk] Security Filtering Computer Based Policies As part of a rollout for a specific policy we are applying to the company, we are pushing a policy that will be effected by security filtering at the outset. It works, and I can test it and when I check the GPResults I definitely see that the policy was denied by security. To perform the security filtering, I created a security group, added the computer accounts that I do NOT want to be affected by the policy, and then denied that security group the ability to apply the group policy. As I stated before, it works. but slowly. I was wondering if anyone else could explain why after making a change to the membership of the security group, it seems to take "some time" for the change to take effect as far as the security filtering is concerned. I know it's not a replication issue (if that even matters) as I push out the changes to the other DCs, yet it still takes awhile for the change in the security group to effect the security filtering applied against the GPO. Any thoughts? Thanks, ~Ben _______________________________________ Best way to <http://abcnews.go.com/print?id=5351908> annoy your co-workers? E-mail.