  1. Junior Member
    Join Date
    Jul 2008
    Posts
    6
    #1

    Are GPO permissions in any way refreshed?

    If a user logs on to his workstation, he gets all GPOs that are applied to him. If then an administrator makes the user a member of a group, and gives the group deny permissions to read the GPO.

    Because of the GPO refresh, the GPO will still be running every 90-120 minutes, until the user logs on again, and gets a new token.

    Am I understanding it correctly? Will it make any difference if the user is denied permissions to the GPO (without making him a member of a group)?

  3. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #2
    It depends on the policy. Some policies are not processed until either startup or login. Some policies are processed as updated. The former will require a reboot or log out and log back in, respectively, while the latter does not. Running gpupdate /force will force any policies to apply that can be applied, and prompt for a reboot or logoff or both for any policies that run at startup or login.

  4. Junior Member
    Join Date
    Jul 2008
    Posts
    6
    #3
    I guess I didn't make the question totally clear.

    When a user logs on, he gets a token. If the user is added to a group, (after he logged on), and that group will give (or deny) him some resources, he will have to log off and log on again, and get a new token, to get the resources.

    When you force a gpupdate, you still don't get a new token (according to MS, there is no other way to get a new token, other than logging on again), so the question is, will a gpupdate actually work around the thingy .. ?

  5. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #4
    Sorry, I misunderstood. I would need to experiment. While indeed GPUpdate will not give a new token, the group policy and security processing occur on the domain controller, which is aware of group membership regardless of the token state on the workstation. I'm inclined to believe that the security change on the GPO ACL would be effected as soon as policy was updated, provided, again, that it is not a logon or startup policy, but I can't validate that. I say try it out and see what happens.
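One way to run the experiment suggested in post #4, as an added example that is not part of the original thread: compare the group SIDs in the current logon token with what the directory reports now, show the GPO ACL entries for groups the token does not yet contain, then refresh policy and check the result. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; `Test GPO` is a placeholder GPO name.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and
# GroupPolicy modules. 'Test GPO' is a placeholder name (assumption).
param([string]$GpoName = 'Test GPO')
Import-Module ActiveDirectory, GroupPolicy

# Domain group SIDs carried in the token that was built at logon.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $me.User.AccountDomainSid.Value
$tokenSids = @($me.Groups | ForEach-Object { $_.Value } |
               Where-Object { $_ -like "$domainSid-*" })

# Domain group SIDs the directory computes now. tokenGroups is a constructed
# attribute, so it is requested with a base-scope search on the user object.
$dn      = (Get-ADUser -Identity $me.User.Value).DistinguishedName
$dirUser = Get-ADUser -SearchBase $dn -SearchScope Base `
               -LDAPFilter '(objectClass=user)' -Properties tokenGroups
$dirSids = @($dirUser.tokenGroups | ForEach-Object { $_.Value } |
             Where-Object { $_ -like "$domainSid-*" })

# Membership changes made after logon show up as differences here.
$added   = @($dirSids   | Where-Object { $_ -notin $tokenSids })
$removed = @($tokenSids | Where-Object { $_ -notin $dirSids })
"Groups in directory but not in token: $($added.Count)"
"Groups in token but no longer in directory: $($removed.Count)"

# GPO ACL entries whose trustee is one of the groups missing from the token.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Sid.Value -in $added } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied

# Refresh user policy without logging off, then list applied and
# filtered-out user GPOs to see which membership view was used.
gpupdate /target:user /force
gpresult /r /scope user
```

Run it in the affected user's session after the group change and before any logoff; the `gpresult` output shows whether the GPO is still listed as applied or has moved to the filtered-out list.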
