Joe,

thanks a lot for your helpful reply and sorry that my reply took so long.
I am still waiting for a response to my Microsoft Support ticket.

It's my goal to combine GPOs with security groups to manage different
actions of the servers in the same OU.

For this reason I created some security groups and distributed the servers
to the groups.
Then I checked the servers with GPRESULT for the group membership: some servers
updated it without measurable delay, some servers after a week and some
servers never.
I can't understand this behaviour, so I started a support request at MS,
which I am still waiting on.

As soon as I get an official reply I will let you know.

Thomas

PS: Is there another way to check group membership for a server apart from
GPRESULT?


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 10 December 2006 17:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Membership Update Frequency

It depends what you mean by this. 

The off-the-cuff answer is the server "knows" what it has based on its local
security token, so it actually never recognizes the change. However....

Machines and users can have both local security tokens and kerb certs. The
kerb certs are refreshed, the security token never is. Plus add in NTLM and
if it is used to access remote resources you can have three answers... So
the more full answer is.... "It depends."

So briefly:

If the security group is needed in the local security token, it will never
get updated, you need to reboot. This will impact the machine's
determination locally of what groups it has if the application is looking at
the token OR trying to access something with Windows security locally (say
like the group allows it to read a file locally). I have asked several folks
inside of MSFT if there is anything that could be used to force this refresh
of the security token and no one has been able to tell me there is indeed
something that will do it and here is how... If so, I would have written the
tool to do it if it were something they could point at.

If the security group is needed for remote Kerberos operations or someone is
reading the kerb cert directly local to the machine, it will occur when the
ticket refreshes. You can purge the kerb cache to speed this up. 

If the security group is needed for remote operations where NTLM is being
used (say it is accessing a resource by IP instead of name, so it can't do
the SPN lookup), it will be used depending on whether or not the DC being
used by the remote resource has the group membership or not (whether or not
the DC the server itself uses has it or not is immaterial in this case,
because the server doesn't tell the remote resource what access it has;
the remote resource asks its DC when it auths the account). This could be
immediately to seconds after the group update or even weeks, depending on the
OS revs of the DCs and the replication topology and max theoretical latency
for the environment. 

This is all exactly the same as it is for users.   


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
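The following PowerShell is an added example and is not part of this thread or any tool of joe's; it is one way to answer Thomas's PS (checking a server's membership without relying only on GPRESULT) and to make joe's three vantage points visible side by side: what a DC says the computer's token would contain (constructed tokenGroups attribute, nested groups expanded), what the machine's current local token actually holds (from gpresult), and the computer account's Kerberos tickets in the SYSTEM logon session. It assumes it is run elevated on the domain-joined server itself, uses only built-in tooling plus ADSI (no RSAT), and its text parsing of gpresult output assumes English output; those are assumptions, not anything stated in the thread.

```powershell
# Added example, not from the thread. Compare a server's group membership as
# (a) AD reports it, (b) the running machine's local token holds it, and
# (c) show the computer account's Kerberos tickets (SYSTEM logon session).
# Assumptions: run elevated on the domain-joined server; English gpresult output.

$computer = $env:COMPUTERNAME

# (a) Find this server's computer object via ADSI (default naming context of the joined domain).
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$computer`$))"
[void]$searcher.PropertiesToLoad.Add('memberOf')
$hit = $searcher.FindOne()
if (-not $hit) { throw "Computer object for $computer not found in AD" }

# Direct membership only, as DNs (what you edited in ADUC).
$directGroups = @($hit.Properties['memberof'])

# tokenGroups is a constructed attribute: the DC you happen to query expands
# nested membership into the SIDs it would put into a fresh token, based on
# *its* replica of the directory. Another DC may still return a different set.
$entry = $hit.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$adTokenGroups = @(foreach ($sidBytes in $entry.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
})

# (b) What the machine's own token currently contains. Computer-side GPO
# security filtering evaluates against this token.
$gpLines = @(gpresult /r /scope computer)
$header  = $gpLines | Select-String -Pattern 'security groups' -SimpleMatch | Select-Object -First 1
$localTokenGroups = @()
if ($header) {
    # Select-String LineNumber is 1-based, so this index starts just past the header.
    foreach ($line in $gpLines[$header.LineNumber..($gpLines.Count - 1)]) {
        if ($line -match '^\s*-+\s*$') { continue }   # dashed separator under the header
        if ($line -notmatch '\S')      { break }      # blank line closes the group block
        $localTokenGroups += $line.Trim()
    }
}

# Groups the DC would put in a new token that the running machine does not have yet.
# Names are compared as DOMAIN\Group strings; entries that gpresult displays
# differently (well-known/BUILTIN groups) will appear here as noise, so look
# for the specific group you just added.
$pending = @($adTokenGroups | Where-Object { $localTokenGroups -notcontains $_ })

# (c) Kerberos tickets for the computer account live in logon session 0x3e7 (SYSTEM).
# A group added in AD shows up in new TGT/service tickets, not in the existing ones.
$tickets = @(klist -li 0x3e7)

[pscustomobject]@{
    Computer              = $computer
    DirectMemberOfCount   = $directGroups.Count
    ADExpandedGroupCount  = $adTokenGroups.Count
    LocalTokenGroupCount  = $localTokenGroups.Count
    InADButNotInLocalToken = $pending
    KerberosTicketLines   = $tickets.Count
}

# To discard the computer account's cached tickets so the next Kerberos
# authentication obtains new ones (this affects the Kerberos path only,
# not the local token that joe describes):
#   klist -li 0x3e7 purge
```

Reading the result: a group listed under InADButNotInLocalToken but present in ADExpandedGroupCount is the "Kerberos/NTLM sees it, local token does not" situation from joe's reply; a group missing from tokenGroups on the DC you queried but present when you point the search at another DC (for example by replacing `[adsisearcher]` with `[adsisearcher]"LDAP://dc01.example.com/..."`, a hypothetical DC name) is the replication-latency case.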
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

hi there,

when does a server recognize that it is part of an AD global security group?
Do I have to reboot every system, or is there an update frequency at which
the server checks AD?

I need to know this because I want to use security group filtering
with GPOs.

Thanks in advance
Thomas
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
