Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 747
  • Last Modified:

Will a logoff and logon really forcefully refresh all user GPOs?

Hi experts.

I added a logon script to an existing GPO that I would like to run immediately on all clients (because users need it), so I am about to mail everyone: please logoff and on again. When doing the usual test, I noticed, that the script did not run. rsop.msc showed, that the old revision of the policy was still effective although prior to this, I had verified that both DCs had successfully replicated the new revision. After a gpupdate /force /target:user, and logging off/on, the script ran. I reproduced the problem on other PCs afterwards.

Question: MS documentation says on http://technet.microsoft.com/en-us/library/cc757597(WS.10).aspx
"In addition to background updates, Group Policy for users is always updated when they log on."
Did this change with vista? I don't think so. So what could be the problem, why would gpupdate not recognize the new revision of the policy at logon?
Clients are on vista sp2, DC is 2008 SP2.
0
McKnife
Asked:
McKnife
1 Solution
 
Bert van der SluisSystem administratorCommented:
Maybe script when on reboot that " gpupdate /force" will kick off.
Don't forget mostly the pc must reboot. So i would suggest a run ones action.
0
 
Joseph DalyCommented:
I will usually do a GPupdate /force 2 times and then log out and then back in. That usually makes all of my policies apply. I dont have a vista machine here to test but i think that should be the case as well.

I do have a few tools to offer you that may help both let you remotely refresh policy

RGPREFRESH - command line
http://www.gpoguy.com/FreeTools/FreeToolsLibrary/tabid/67/agentType/View/PropertyID/83/Default.aspx

Specops gpupdate - ties in with ad lets you add right click gpupdate option
http://www.specopssoft.com/web/specops-gpupdate.aspx
0
 
e2p2Commented:
There are two sections to all Group Polices, Computer and User.  Both sections can have script options.  The Computer section is only applied upon a reboot.  The user section is applied upon logon.  If you place your script in the Computer Configuration\WIndows Settings\ Scripts\Startup they would require a reboot to apply.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
McKnifeAuthor Commented:
@b-byte: This is a user script - if it were a computer script, you would be correct
@xxdcmast: Both these tools don't offer what I need. They are suitable for refreshing computer GPOs, not user GPOs.
@e2p2 - I know. The script uses %appdata%, so it has to be a logon script.
0
 
Joseph DalyCommented:
Both of these tools can do both user and computer GPO's

From the rgprefresh help index

/t:{Computer|User}  Specifies whether to refresh computer-specific policy user-specific policy. For both, don't specify an option.Note that the both option only works on XP & Server 2003

And I know the specops one does as well.
0
 
McKnifeAuthor Commented:
Ok...
You quote yourself "only works on XP & Server 2003" - does it work on vista? I will try, but I am quite sure, you would have to supply credentials of the user that is logged on at the moment which we cannot do.
I was already using specops - maybe my version is outdated - it definitely couldn't do user policy updates.

I'll be back.
0
 
McKnifeAuthor Commented:
Fine.
secops does the trick. rgprefresh does not (although it says it does). But my favorite is this: http://www.heidelbergit.dk/Code/OUGPUPDATE.HTA - save as hta - if executed directly vis browser (IE7/8 in protected mode) it cannot contact the domain.

BUT: Why do I need this? So again: the question is: MS writes "Group Policy for users is always updated when they log on"
Meanwhile I tested at home in another  test domain and here it works as expected. Houston, I got a problem.

Well, that's another story. Question solved, thanks xxdcmast
0
 
McKnifeAuthor Commented:
Although not an answer to my question, it solved my problem for now. Thanks.
0
 
McKnifeAuthor Commented:
OK, for whom it may concern: one DC was dying, this seems to be the root cause.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now