Are GPO permissions in any way refreshed?

sokkaNET Member Posts: 6
If a user logs on to his workstation, he gets all GPOs that are applied to him. Then an administrator makes the user a member of a group and gives the group deny permissions to read the GPO.

Because of the GPO refresh, the GPO will still be running every 90-120 minutes, until the user logs on again and gets a new token.

Am I understanding it correctly? Will it make any difference if the user is denied permissions to the GPO (without making him a member of a group)?

Comments

  • ptilsen Member Posts: 2,835
    It depends on the policy. Some policies are not processed until either startup or login. Some policies are processed as updated. The former will require a reboot or log out and log back in, respectively, while the latter does not. Running gpupdate /force will force any policies to apply that can be applied, and prompt for reboot or logoff or both for any policies that run at startup or login.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • sokkaNET Member Posts: 6
    I guess I didn't make the question totally clear.

    When a user logs on, he gets a token. If the user is added to a group, (after he logged on), and that group will give (or deny) him some resources, he will have to log off and log on again, and get a new token, to get the resources.

    When you force a gpupdate, you still don't get a new token (according to MS, there is no other way to get a new token, other than logging on again), so the question is, will a gpupdate actually work around the thingy...?
  • ptilsen Member Posts: 2,835
    Sorry, I misunderstood. I would need to experiment. While indeed GPUpdate will not give a new token, the group policy and security processing occur on the domain controller, which is aware of group membership regardless of the token state on the workstation. I'm inclined to believe that the security change on the GPO ACL would be effected as soon as policy was updated, provided, again, that it is not a logon or startup policy, but I can't validate that. I say try it out and see what happens.
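One way to run the experiment suggested in the last reply, as an added example that is not part of the original thread. It assumes a domain-joined test workstation with the RSAT GroupPolicy and ActiveDirectory modules, is run as the test user after the group change and before logging off, and uses `Test-Filtered-GPO` as a placeholder GPO name.

```powershell
# Added example: collects evidence on whether a deny ACE on a GPO takes
# effect at policy refresh or only after a new logon token is issued.
# 'Test-Filtered-GPO' is a placeholder, not a name from the thread.
param([string]$GpoName = 'Test-Filtered-GPO')

Import-Module GroupPolicy, ActiveDirectory

# 1. Deny entries on the GPO as stored in the directory. This can fail
#    if the caller is no longer able to read the GPO, which is itself evidence.
try {
    $deny = Get-GPPermission -Name $GpoName -All -ErrorAction Stop |
        Where-Object Denied |
        ForEach-Object { $_.Trustee.Name }
} catch {
    $deny = "unreadable: $($_.Exception.Message)"
}

# 2. Group SIDs in the token this logon session is using right now.
$tokenSids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# 3. Groups the directory reports for the user (direct membership only).
$dirGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME

# Groups added since logon exist in the directory but not in the token.
$missing = $dirGroups |
    Where-Object { $_.SID.Value -notin $tokenSids } |
    ForEach-Object { $_.Name }

# 4. Refresh user policy. Answer "n" to any logoff prompt so the session
#    keeps the same token for the rest of the test.
'n' | gpupdate /target:user /force | Out-Null

# 5. Save the RSoP report as XML and look up how the GPO was evaluated.
#    Element names below follow the report gpresult writes; confirm them
#    against the generated file on your build.
$report = Join-Path $env:TEMP 'rsop-user.xml'
gpresult /scope user /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report
$gpo = $rsop.Rsop.UserResults.GPO | Where-Object { $_.Name -eq $GpoName }

[pscustomobject]@{
    Gpo                    = $GpoName
    DenyTrustees           = $deny -join ', '
    GroupsMissingFromToken = $missing -join ', '
    InRsopReport           = [bool]$gpo
    AccessDenied           = $gpo.AccessDenied
    FilterAllowed          = $gpo.FilterAllowed
}
```

Run it once before logging off and once after logging back on; if `GroupsMissingFromToken` is non-empty in the first run, comparing `AccessDenied` between the two runs shows whether the refresh alone picked up the deny entry.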