Solution for gpupdate /force won't apply the new filter group GPO, but computer restart will

-

 

Solution for gpupdate /force won't apply the new filter group GPO, but computer restart will

We’ve observed that machines recently added to a new group may not receive the updated Group Policy settings when running gpupdate /force. However, the policies apply successfully after a system restart.

This behavior is typically due to group membership token caching. When a machine is added to a new group, the updated group membership isn’t immediately reflected in the current session. A restart forces a refresh of the security token, allowing the correct policies to apply.

In this specific case, the affected machine was added to a group two days ago, and the GPO was applied to that group via Security Filtering. To ensure the updated group membership is recognized, the Kerberos ticket on the client machine needs to be purged.

This can be achieved by running the following command:

klist purge -li 3e7

Alternatively, a system reboot will also refresh the token and apply the correct policies.


Comments

Post a Comment

Popular posts from this blog

HP NC375i adapter in Proliant DL580 G7 stops responding

-
Image
HP NC375i adapter in Proliant DL 580 G7 server, the adapter may stop responding, requiring a  server reboot  to recover the operation of the adapter. Below is the HP advisory: HP advisory c02964542 Link: http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_ba847bafb2a2d782fcbb0710b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c02964542-13%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01&ac.admitted=1395243335327.876444892.199480143 SUPPORT COMMUNICATION - CUSTOMER ADVISORY Document ID:  c02964542 Version:  10 Advisory: (Revision) HP ProLiant and HP StorageWorks Systems: HP NC375i, NC375T, NC522m, NC522SFP, NC523SFP, CN1000Q  Network Adapters  - FIRMWARE UPGRADE REQUIRED to Avoid the Loss and Automatic Recovery of Ethernet Connec...
Read more

[Batch file] - Output of a command to variable

-
If you want to set the output of a command to a value you have to capture it in a  for  statement like this: for /f "tokens=2 delims=:" %%a in ('systeminfo ^| find "OS Name"') do set OS_Name=%%a Then remove the leading spaces like this: (there is probably a better way to do this) for /f "tokens=* delims= " %%a in ("%OS_Name%") do set OS_Name=%%a A few things to note here: 1.)  "tokens=2 delims=:"  is setting the delimiter to  :  and it is selecting the second section only, which will pull only the part you want.  2.) the  |  is escaped with a  ^ , this needs to be done in  for  loops or anything after that will attempt to execute as seperate commands.  3.)  "tokens=* delims= "  The token here is * which is all tokens. ======================= Examples of WMIC output to variables: echo WMIC output to variables for /f "usebackq tokens=1,2 delims==|" %%I in (`wmic os get name^,version /format:l...
Read more