

A question came up on Twitter the other day related to how Group Policy behaves on a given client when you move either the computer or user account in Active Directory. As we know, the Group Policy that applies to a computer or user is a function of which GPOs are linked to the container path that the computer or user object is part of. Let's say you move a computer account from the Marketing OU to the Sales OU. That means that the GPOs that apply to that computer will potentially be different.

That said, what is curious is that the Group Policy engine doesn't actually detect the move of the object right away. There is some caching of object location that goes on within the Group Policy engine. That was the gist of the Twitter conversation: why does this happen, and how can I work around it? I spent some time digging around the gpsvc.log to see if I could understand what was happening in this case. To cut to the punch line, if you issue a gpupdate /force command on the machine in question, this will trigger the machine to update its cached AD location to reflect the AD object move and process the correct policy immediately. After comparing it to a refresh where I just issued a regular old gpupdate, I saw the following command, which explained why gpupdate /force worked:
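One way to check for the stale-location condition described above and trigger the forced refresh only when needed, as an added example that is not part of the original post. It assumes the engine's cached computer DN is stored under the `Group Policy\State\Machine` registry key in the `Distinguished-Name` value (the post does not name this location) and that the machine can bind to its domain via ADSI.

```powershell
# Added example (not from the original post): compare the Group Policy engine's
# cached computer DN with the live AD object and force a refresh only if stale.
# Assumption: the cached DN lives in the registry value below; the post itself
# does not say where the engine caches the object location.

function Get-CachedComputerDN {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine'
    (Get-ItemProperty -Path $key -Name 'Distinguished-Name' -ErrorAction Stop).'Distinguished-Name'
}

function Get-LiveComputerDN {
    # Query the domain with ADSI so no RSAT module is required.
    # Computer accounts have a sAMAccountName of the form NAME$.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    [string]$result.Properties['distinguishedname'][0]
}

function Test-GroupPolicyLocationStale {
    param([string]$Cached, [string]$Live)
    # DNs are not case-sensitive, so compare them case-insensitively.
    -not [string]::Equals($Cached, $Live, [System.StringComparison]::OrdinalIgnoreCase)
}

$cached = Get-CachedComputerDN
$live   = Get-LiveComputerDN
Write-Host "Cached DN: $cached"
Write-Host "Live DN:   $live"

if (Test-GroupPolicyLocationStale -Cached $cached -Live $live) {
    Write-Warning 'Group Policy engine still references the old container; forcing a refresh.'
    # /force discards the cached state and re-evaluates policy from the new OU.
    gpupdate /force /target:computer
} else {
    Write-Host 'Cached location matches AD; a regular background refresh is sufficient.'
}
```

Run it elevated on the moved machine after the AD change has replicated to the DC the client uses; if the DNs differ, the forced refresh is what re-reads the new container path.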
