OU Membership user updates

Status
Not open for further replies.

VoIPP

MIS
Jan 28, 2009
556
US
I was hoping to apply a different set of group policies to a user by moving that user to a new OU. I would like the new policies to apply without the user having to log on again.

It appears to me that the OU membership only updates when the user logs on.

Can anyone confirm this for me?
 
Use gpupdate /force

Gpupdate.exe resides in the “%windir%\system32” folder by default, so we don't need an absolute path to its location on the remote workstation. The tool can be called with a number of different switches:

Syntax: Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]

M. Knorr

MCSE, MCTS, MCSA, CCNA
 
In my testing...

It appears that gpupdate /force causes the user to update the GPO but not the OU membership.

So gpupdate only reapplies the GPO of the OU that was in effect when the user logged on.

 
My problem is not that the group policies do not get updated; they do. The problem is that the new OU membership is not recognized. Please read on...

There is only one DC.

My test procedure is....

Place account in OU-A with Policy-A
Logon account to workstation
Verify Policy Restrictions are in place
Change one policy in OU-A
Move User account to OU-B
Run gpupdate /force on workstation

Results:
Policy that was changed in OU-A is now in effect, verifying the GPUpdate occurred.
None of the policies in OU-B are applied, indicating that the new OU membership is not recognized by GPUpdate.

My guess is that the OU membership becomes part of the logon token when a user is logged in like group memberships.
GPUpdate simply makes registry changes to HKEY_Current_User based on the OU information stored in the token.
Generally Tokens can be changed only by logging off and back on again.
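
A way to check, after each step of the test procedure above, which OU the directory currently reports for the account and which user DN `gpresult /r` reports on the workstation. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes English `gpresult` output and a domain-joined workstation.

```powershell
# Added example (not from the thread). Run as the logged-on test user on the workstation.
# Assumes English gpresult output and a domain-joined machine.

function Get-ParentContainer {
    param([string]$DistinguishedName)
    # Drop the leading RDN (CN=...), honouring escaped commas such as "CN=Doe\, Jane".
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-GpResultUserDN {
    param([string[]]$Lines)
    # In "gpresult /r" output the user's DN is the first CN= line under USER SETTINGS.
    $inUserSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*USER SETTINGS') { $inUserSection = $true; continue }
        if ($inUserSection -and $line -match '^\s*(CN=.+?)\s*$') { return $Matches[1] }
    }
}

# Where the directory says the account lives right now.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Account $env:USERNAME not found in the directory." }
$directoryDN = [string]$hit.Properties['distinguishedname'][0]

# The user DN that gpresult reports on this workstation.
$policyDN = Get-GpResultUserDN -Lines (gpresult /r /scope user)
if (-not $policyDN) { throw 'No user DN found in gpresult output.' }

# Side-by-side view: the two containers differ when the account was moved
# and gpresult still reports the old location.
[pscustomobject]@{
    DirectoryContainer = Get-ParentContainer $directoryDN
    PolicyContainer    = Get-ParentContainer $policyDN
    Match              = ($directoryDN -eq $policyDN)
}
```

Running it before the move, after the move plus `gpupdate /force`, and again after a fresh logon gives three results to compare against the behaviour described in the test procedure.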
 
I got your point, and I think the flex command is able to handle that, because here you can choose the OU which should be updated.

I have no time to try it right now; if you don't want to, you have to wait for other solutions.

Good luck

M. Knorr

MCSE, MCTS, MCSA, CCNA
 
I have to disagree, Lemon13.

Flex allows me to choose the OU that has the computer accounts that psexec will execute gpupdate on.

My issue is with moving User accounts to new OUs post logon, specifically to apply a different set of User policies. Computer accounts have no bearing on the issue.

I've done manually exactly what Flex is going to do automatically and that is run gpupdate on the computer.

When gpupdate is run, the policies of the OU that the user belonged to at the time of logon take effect, and the policies of the OU that the user has been moved to are completely ignored until the next logon. Running gpupdate automatically instead of manually will not change that.
 