[gptalk] Re: Security Filtering Computer Based Policies

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2008 08:48:27 -0700


When you add/remove computers from security groups, it typically requires a
reboot of the computer for it to pick up that group membership in its token. I
have heard, which could explain what you're seeing, that this group
membership is refreshed during a Kerberos ticket refresh, which I believe
happens every 8 hours by default, but I haven't tested it yet.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Sent: Wednesday, August 20, 2008 8:45 AM
To: undisclosed-recipients:
Subject: [gptalk] Security Filtering Computer Based Policies


As part of a rollout for a specific policy we are applying to the company,
we are pushing a policy that will be affected by security filtering at the
outset.  It works, and I can test it and when I check the GPResults I
definitely see that the policy was denied by security.


To perform the security filtering, I created a security group, added the
computer accounts that I do NOT want to be affected by the policy, and then
denied that security group the ability to apply the group policy.  As I
stated before, it works, but slowly.


I was wondering if anyone else could explain why after making a change to
the membership of the security group, it seems to take "some time" for the
change to take effect as far as the security filtering is concerned.  I know
it's not a replication issue (if that even matters) as I push out the
changes to the other DCs, yet it still takes a while for the change in the
security group to affect the security filtering applied against the GPO.


Any thoughts?





