
Why is a restart needed for a setting to take effect


Darren

Feb 25, 2009, 9:10:06 AM
Hi,

Would anyone know why, if I assign a policy to a group of users and computers,
a restart is needed on the PCs before the settings take effect, but if I
add the users and computers individually (not in a group) then the settings
take effect at the next policy refresh time without any restart? This is
happening at the moment and I don't really want to have to add each user and
computer individually - it would take too long for a start considering you
can only add one entry at a time.

Thanks,

D

Florian Frommherz [MVP]

Feb 25, 2009, 9:32:32 AM
Darren,

You are saying that you have Group Policies defined that have security
filtering applied to special AD groups - to filter the scope of the policy?

If so, this is how Windows works. This isn't a Group Policy issue but a
group membership thing as Windows only "refreshes" group membership if
the user logs out and back in / the machine is restarted. This has to do
with the access token that is generated at user logon and machine
startup - group membership is only evaluated at that time to reflect the
changes in the user's/computer's token.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
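
A way to see the stale-token effect described in the reply above, as an added example that is not part of the original thread: it lists security groups the directory already records for the logged-on user but which are absent from the current logon token. It assumes a single-domain, domain-joined session with the RSAT ActiveDirectory module; the function names are hypothetical.

```powershell
# Added example, not from the thread. Compares the group SIDs in the current
# logon token with the user's group membership as Active Directory has it now.
# Assumes a domain-joined session and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TokenGroupSid {
    # whoami prints every group in the token, including deny-only entries of a
    # UAC-filtered token; matching on the SID pattern avoids localized headers.
    $text = (whoami /groups /fo csv /nh) -join "`n"
    [regex]::Matches($text, 'S-1-\d+(?:-\d+)+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Get-DirectorySecurityGroup {
    param([Parameter(Mandatory)][string]$UserSid)
    $user = Get-ADUser -Identity $UserSid
    # Escape characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
    # Only security groups end up in a token, so distribution groups are dropped.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $_.GroupCategory -eq 'Security' }
}

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$tokenSids = Get-TokenGroupSid
$stale     = Get-DirectorySecurityGroup -UserSid $me |
                 Where-Object { $tokenSids -notcontains $_.SID.Value }

if ($stale) {
    'In the directory but NOT in this logon token (log off and on to pick them up):'
    $stale | Select-Object Name, GroupScope
} else {
    'The token already contains every security group the directory lists for this user.'
}
```

A GPO that is security-filtered to one of the listed groups will not apply to this session until the user logs on again and receives a new token.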

Darren

Feb 25, 2009, 9:55:01 AM
Many thanks for your reply - could I just check something, if I leave members
in a group and then change the settings in the policy that the group is
assigned to, will they still need to logoff/restart for the changes to take
effect?

Thanks

Florian Frommherz [MVP]

Feb 25, 2009, 10:04:54 AM
Darren,

Darren wrote:
> Many thanks for your reply - could I just check something, if I leave members
> in a group and then change the settings in the policy that the group is
> assigned to, will they still need to logoff/restart for the changes to take
> effect?

Policy application depends on the Client Side Extensions (CSE - the
pieces of software in Windows that actually apply and enforce the
settings). In general, they shouldn't have to logoff/restart the machine
to have the changes reflected. Some policies, like Software
Installation, only take place during "foreground refresh" (=
logoff/restart) while other policies, like "administrative templates",
get applied "on the fly" at a "background refresh" (=transparent,
without reboot/logoff).

Florian Frommherz [MVP]

Feb 25, 2009, 10:07:10 AM
As an addition:

Florian Frommherz [MVP] wrote:

> Policy application depends on the Client Side Extensions (CSE - the
> pieces of software in Windows that actually apply and enforce the
> settings).

Kurt has a table of CSEs with their refresh behavior:
http://trycatch.be/blogs/roggenk/archive/2008/06/23/understanding-group-policy-and-preferences-refresh-cycles-part-2.aspx

Darren

Feb 25, 2009, 12:36:05 PM
Many thanks for your replies, they have been very helpful. Can I just check,
if a user is a Domain Admin do they get the policy settings applied as per a
normal user? I have assigned a group to a policy and changed some settings
in the policy, then at the refresh interval those settings have taken effect
without a logoff or restart. However they have not taken effect for some
users, and those users are Domain Admins.

Thanks,

D

Florian Frommherz [MVP]

Feb 26, 2009, 1:58:08 AM
Darren,

Group Policy also affects Domain Admins by default. I suspect you have
changed the security settings (security filtering) in a way that domain
admins (or those particular users) do not have the permission to apply
the policy correctly.

Other than that -- are the users in question (that don't apply the
policy correctly) targets of the policy (= in the OU or a subOU the
policy is linked to)? Remember that Group Policy doesn't apply to
security groups - you need to link the policy to an OU with user objects.

Darren

Feb 26, 2009, 4:15:00 AM
Hi,

I think this is showing my lack of knowledge in this area :-)

I am a bit confused by the last part of your reply, I thought I could create
security groups and apply policies to them? I have just created this policy
at the top level and added in the groups that I want it to be applied to.

I am not sure what is happening with the Domain Admins. I am a domain admin
and although the Group Policy Modeling and Group Policy Results show that the
settings should be applied to me and my machine, they are not. I am not doing
anything overcomplicated, just forcing proxy settings and disabling the
connections setting tab in Internet Explorer. I am also a local admin on my
machine, would that have any effect?

I am in the security group which has the policy applied to it, and that has
Read (from security filtering) permissions, and I am also in the Domain
Admins group which has various permissions.

Thanks for your patience.

D

Florian Frommherz [MVP]

Feb 26, 2009, 12:42:51 PM
Darren,

Darren wrote:
> I am in the security group which has the policy applied to it, and that has
> Read (from security filtering) permissions, and I am also in the Domain
> Admins group which has various permissions.

That might be the problem. Group Policy only applies to users and
computers. What you need to do is create an OU, link the GPO to the OU
and then move users or computers into that OU in order to have them
apply the policy (note: security groups won't work!).

That was step 1. The next (more advanced, often confusing step) is
security filtering. You now have all users in the OU apply the policy.
For a subset of those users, you'd modify the security settings on the
GPO so that "Authenticated Users" is removed/altered and only a subset
of all users in the OU have "Apply GP" permissions. Preferably with a
custom security group.

The main targets (users and computers) in the OUs still remain. Security
Filtering is just a further filtering of already defined "targets".

Florian Frommherz [MVP]

Mar 2, 2009, 6:27:02 AM
Darren,

"Darren" wrote:
> Ah, OK, it is all starting to make sense now :-) So, if I wanted a policy to
> apply to 2 users that are in different OUs, would I link the policy to both
> OUs but then only specify the specific users in the security filtering?

Correct - that is how Group Policy works. The objects (users and/or
computers) need to be targets of the GPO.
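
The two steps from the replies above (link the GPO to the OUs that hold the objects, then narrow it with security filtering), written out for the two-OU case as an added example that is not part of the original thread. The GPO name, OU paths and group name are hypothetical placeholders; the cmdlets come from the GroupPolicy RSAT module.

```powershell
# Added example, not from the thread. All names below are hypothetical.
Import-Module GroupPolicy

$gpoName     = 'IE Proxy Settings'
$targetOus   = 'OU=Sales,DC=example,DC=com', 'OU=Support,DC=example,DC=com'
$filterGroup = 'GPO-IEProxy-Apply'    # custom security group used for filtering

# Step 1: scope. The GPO must be linked to every OU that contains a user or
# computer it should reach; group membership alone does not scope a GPO.
foreach ($ou in $targetOus) {
    $existing = (Get-GPInheritance -Target $ou).GpoLinks |
                    Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $existing) {
        New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# Step 2: security filtering. Grant Read + Apply to the custom group ...
Set-GPPermission -Name $gpoName -TargetName $filterGroup `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# ... and alter "Authenticated Users" from Apply down to Read only, so the
# other objects in the linked OUs stop applying the GPO. -Replace is required
# because Set-GPPermission does not lower an existing permission without it.
# (Assumption: this is the "altered" variant of the step, not full removal.)
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the result: links per OU and the trustees that can apply the GPO.
foreach ($ou in $targetOus) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName } |
        Select-Object Target, DisplayName, Enabled, Enforced
}
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Members added to the filter group afterwards only pick up the GPO after their next logon (users) or restart (computers), as explained earlier in the thread.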
