Are GPO permissions in any way refreshed?
sokkaNET
If a user logs on to his workstation, he gets all GPOs that are applied to him. If then an administrator makes the user a member of a group, and gives the group deny permissions to read the GPO.
Because of the GPO refresh, the GPO will still be running every 90-120 minutes, until the user logs on again, and gets a new token.
Am I understanding it correctly? Will it make any difference if the user is denied permissions to the GPO (without making it a member of a group)?
Comments
ptilsen
It depends on the policy. Some policies are not processed until either startup or login. Some policies are processed as updated. The former will require a reboot or log out and log back in, respectively, while the latter does not. Running gpupdate /force will force any policies to apply that can be applied, and prompt for reboot or log or both for any policies that run at startup or login.
sokkaNET
I guess I didn't make the question totally clear.
When a user logs on, he gets a token. If the user is added to a group, (after he logged on), and that group will give (or deny) him some resources, he will have to log off and log on again, and get a new token, to get the resources.
When you force a gpupdate, you still don't get a new token (according to MS, there is no other way to get a new token, other than logging on again), so the question is, will a gpupdate actually work around the thingy .. ?
ptilsen
Sorry, I misunderstood. I would need to experiment. While indeed GPUpdate will not give a new token, the group policy and security processing occur on the domain controller, which is aware of group membership regardless of the token state on the workstation. I'm inclined to believe that the security change on the GPO ACL would be effected as soon as policy was updated, provided, again, that it is not a logon or startup policy, but I can't validate that. I say try it out and see what happens.
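
One way to run the experiment suggested in the last reply, as an added example that is not part of the thread: it compares the group SIDs in the current logon token with what the directory reports for the user right now, then refreshes user policy and prints which GPOs were applied or filtered out. It assumes a domain-joined workstation and is run as the affected domain user after the group change was made.

```powershell
# Added example, not from the thread. Run as the affected domain user.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid
if (-not $domainSid) { throw "Current account has no domain SID" }

# Domain group SIDs held in the access token (built at logon).
$tokenSids = @($identity.Groups |
    Where-Object { $_.AccountDomainSid -eq $domainSid } |
    ForEach-Object { $_.Value })

# Domain group SIDs the directory computes for the user now.
# tokenGroups is a constructed attribute, so it must be requested explicitly.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$found = $searcher.FindOne()
if (-not $found) { throw "User $env:USERNAME not found in the directory" }
$user = $found.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    if ($sid.AccountDomainSid -eq $domainSid) { $sid.Value }
})

# Helper (hypothetical name): show a SID with its account name when resolvable.
function Format-Sid([string]$Value) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
    try   { "{0}  ({1})" -f $Value, $sid.Translate([System.Security.Principal.NTAccount]) }
    catch { $Value }
}

"Groups in the directory but missing from this token:"
$directorySids | Where-Object { $_ -notin $tokenSids } | ForEach-Object { Format-Sid $_ }

"Groups in this token but no longer in the directory:"
$tokenSids | Where-Object { $_ -notin $directorySids } | ForEach-Object { Format-Sid $_ }

# Refresh user policy without logging off, then list applied and filtered GPOs.
gpupdate /target:user /force
gpresult /r /scope user
```

Run it once before logging off and once after logging back on, and compare where the GPO in question appears in the two gpresult reports.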