Announcement

Collapse
No announcement yet.

Force Policy execution

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Force Policy execution

    Hi guys,
    how I can force execution of a policy in windows 2003, even if it is not modified ?
    A simple: a user modify a registry and I want always set a specific value in policy, at every logon.
    Thanks
    Roberto

  • #2
    Re: Force Policy execution

    Group policy is continually refreshed; and modifying a registry key affected by policy will not (should not?) affect the machine's configuration, because policy is overlaid onto the registry - and any changes to the "real" registry won't be seen by the machine because it's not reading it, it's reading the "virtual" registry created by the Group Policy Process.

    You could always send out a Group Policy which prevents the user running registry editing tools...?

    User Config\Administrative Templates\System\Prevent Access to Registry Editing Tools


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: Force Policy execution

      Of course there's a few caveats.
      If you create a custom .adm template that doesn't modify the registry in the group policy section then if a user changes the value it won't be changed back until GP is reapplied (every 90 mins with an offset of up to 30 minutes). Other settings behave like this as well i.e. Restricted Groups.

      To force GP update run:
      On XP and 2003: gpupdate
      On 2000 (comp config): secedit /refreshpolicy machine_policy
      On 2000 (user config): secedit /refreshpolicy user_policy
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      Comment


      • #4
        Re: Force Policy execution

        Thanks for advice, but my problem is:
        I have a policy where in Security Filtering there is a GROUP
        if I change the group content, the policy is reapplied ?
        that's why I want always force the execution.

        Comment


        • #5
          Re: Force Policy execution

          Originally posted by Demike View Post
          Thanks for advice, but my problem is:
          I have a policy where in Security Filtering there is a GROUP
          if I change the group content, the policy is reapplied ?
          that's why I want always force the execution.
          Group policy is refreshed every 90 minutes with an offset of 30 minutes. If you make changes to GPO settings, links, and/or filtering the affected users and/or computers will be updated within 2 hours or less. For Domain Controllers it's updated every 5 minutes.
          If you want it updated sooner you need to run the tools listed above... or you can change the refresh interval.

          http://technet2.microsoft.com/Window....mspx?mfr=true
          http://support.microsoft.com/kb/203607
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Force Policy execution

            Thanks a lot
            Bye
            Roberto

            Comment

            Working...
            X