Computer objects get moved to new OU in AD to get different GPOs. Will those GPOs get processed before reboot?

    Question

  • This should be an easy one. I have a 2008 R2 domain and always wonder: if I move a computer object to a new OU, will it eventually pick up that change and run background processing of those GPOs, or do I have to wait until that computer is rebooted for it to pick up the change?

    Thanks,


    Dave




    • Edited by DaveBryan37 Monday, August 31, 2015 6:04 PM
    Monday, August 31, 2015 6:02 PM

Answers

  • On 31.08.2015, DaveBryan37 wrote:

    Let me rephrase the question.  If I move a computer object in AD so it now falls under the scope of a GPO named Beta, will ANY (background processing, etc.) of the Beta GPO computer settings be applied without rebooting?

    Let me spell it for you:
    Yes it does. Didn't I say that?

    or do I need it to reboot so the computer picks up its new location in AD?

    It's not so difficult to test, is it?

    Joseph's answer sounds like it will not, until it loses its login ticket, which normally only happens on reboot.

    It's only helpful if you're using Security filtering by groups, because group membership will then be updated (OR ON REBOOT). Doesn't have anything to do with the location of the computer account.

    Just want to make sure that is correct.

    Then test it. ;)

    Bye
    Norbert


    Dilbert's words of wisdom #34:
    When you don't know what to do, walk fast and look worried.
    nntp-bridge: access to the MS forums is possible again: https://communitybridge.codeplex.com/

    Monday, August 31, 2015 10:00 PM

All replies

  • Hi

     By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is always updated when the system starts.

    Check this article for detailed information "Group Policy refresh interval for computers"

    https://technet.microsoft.com/en-us/library/cc940895.aspx

    Monday, August 31, 2015 6:06 PM
  • I know that information.  Trying to figure out if a computer will not pick up its movement in AD and process the new GPOs in a background refresh, until it reboots?

    Dave


    • Edited by DaveBryan37 Monday, August 31, 2015 6:10 PM
    Monday, August 31, 2015 6:09 PM
  • A reboot or you can run the command 

    klist -li 0x3e7 purge

    Makes a computer lose its logon ticket. Then you can run a gpupdate /force to refresh it. Useful for when you added a computer to a group but can’t restart the computer right away.


    If my answer helped you, check out my blog: Deploy Happiness

    Monday, August 31, 2015 6:28 PM
  • So computers must reboot, or run this command, before they will pick up their new location in AD?

    Dave


    • Edited by DaveBryan37 Monday, August 31, 2015 6:29 PM
    Monday, August 31, 2015 6:29 PM
  • Depends on the GPO

    There are several different ways that a client will process GPOs, and different parts of the GPO will be applied depending on what type of processing is happening.

    The two types of processing are known as Foreground and Background processing. These are defined below:

    • Foreground Processing - occurs during computer startup/shutdown and user login/logoff. All policies are processed during this time.
    • Background Processing - occurs at a regular interval in the background while clients are logged in and connected to Active Directory.  The processing interval is 90 minutes + up to 30 minutes offset (in other words, every 90 - 120 minutes) for client machines and every 5 minutes on Domain Controllers (due to the need for DCs to have a higher level of security).

    Complete article

    http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/22/understanding-the-structure-of-a-group-policy-object-part-3.aspx

    Monday, August 31, 2015 6:51 PM
  • That does not answer the question and I know that information.  Anyone else? 

    Dan Heim

    Monday, August 31, 2015 7:23 PM
  • On 31.08.2015, DaveBryan37 wrote:
    Hi,

    That does not answer the question and I know that information.  Anyone else?

    As said, that depends. Usually a background refresh or manual gpupdate will apply the GPOs which are valid for the current location of the computer account. If there are settings which can only be applied at startup, then you will have to wait for a reboot or use the command mentioned above.

    Regards
    Norbert


    Dilbert's words of wisdom #19:
    Am I getting smart with you? How would you know?
    nntp-bridge: access to the MS forums is possible again: https://communitybridge.codeplex.com/


    Monday, August 31, 2015 7:37 PM
  • Let me rephrase the question.  If I move a computer object in AD so it now falls under the scope of a GPO named Beta, will ANY (background processing, etc.) of the Beta GPO computer settings be applied without rebooting? Or do I need it to reboot so the computer picks up its new location in AD?  Joseph's answer sounds like it will not, until it loses its login ticket, which normally only happens on reboot.  Just want to make sure that is correct.

    Thanks


    Dave










    • Edited by DaveBryan37 Monday, August 31, 2015 8:48 PM
    Monday, August 31, 2015 8:12 PM
  • You can execute the following commands from an elevated command prompt which should pick up new group-membership, GPOs and OU changes without a reboot. You have to run them manually though, but generally a reboot is recommended for the above changes.

    klist -lh 0 -li 0x3e7 purge
    gpupdate /force


    Thursday, September 10, 2015 7:04 PM
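
One way to run the test suggested in the thread, as an added example that is not part of any post: it snapshots the computer-scope RSoP, triggers a refresh without rebooting, and reports whether the expected GPO now shows up. The script parameters and the `Get-ComputerGpoReport` helper are illustrative names, and the element names read from the `gpresult /x` report (`Rsop.ComputerResults.GPO`, `Link.SOMPath`, `FilterAllowed`, `AccessDenied`) are assumed from that report's XML layout.

```powershell
# Added example: save as a .ps1 and run elevated on the moved computer, once the
# move has replicated to the domain controller that computer talks to.
param(
    [string]$ExpectedGpo = 'Beta',  # GPO name from the question; adjust as needed
    [switch]$PurgeTicket            # only relevant when group membership changed
)

function Get-ComputerGpoReport {
    # Export computer-scope RSoP data as XML; return each GPO with its link location(s).
    $file = Join-Path $env:TEMP 'rsop-computer.xml'
    gpresult /scope computer /x $file /f | Out-Null
    [xml]$rsop = Get-Content -Path $file
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        New-Object psobject -Property @{
            Name          = $gpo.Name
            LinkedAt      = ($gpo.Link | ForEach-Object { $_.SOMPath }) -join '; '
            FilterAllowed = $gpo.FilterAllowed   # false = denied by security/WMI filter
            AccessDenied  = $gpo.AccessDenied
        }
    }
}

# Where the directory says the computer account lives right now.
$filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$hit = ([adsisearcher]$filter).FindOne()
$dn  = if ($hit) { $hit.Properties['distinguishedname'][0] } else { '(not found)' }

$before = @(Get-ComputerGpoReport | ForEach-Object { $_.Name })

if ($PurgeTicket) {
    # Drops the computer account's Kerberos tickets so new group membership is read.
    klist -li 0x3e7 purge | Out-Null
}
# Refresh computer policy without rebooting; "n" declines any restart prompt.
'n' | gpupdate /target:computer /force | Out-Null

$afterReport = @(Get-ComputerGpoReport)
$after = @($afterReport | ForEach-Object { $_.Name })

"Computer account DN  : $dn"
"GPOs new after refresh: " + (@($after | Where-Object { $before -notcontains $_ }) -join ', ')
if ($after -contains $ExpectedGpo) {
    "'$ExpectedGpo' is listed in the computer RSoP without a reboot."
} else {
    "'$ExpectedGpo' is not listed yet; check replication, the GPO link and filtering."
}
$afterReport | Format-Table Name, LinkedAt, FilterAllowed, AccessDenied -AutoSize
```

A GPO can be listed in the report yet filtered out, so read the `FilterAllowed` and `AccessDenied` columns before concluding that its settings were applied.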