Clarification: You do not "link" GPOs to security groups. You use groups to "filter" the targets of a GPO. What is important is that you Link and Enable a GPO onto a parent OU which contains the target User Accounts or Machine Accounts. The OU location of the Domain Global group is immaterial.
I believe that you are using a GPO that is linked to an OU that contains User accounts. The GPO uses a Domain Global group to "filter" the GPO to specific user accounts.
Then, when you add a user's account to the Domain Global group, you state that background processing of GPOs does not apply the new setting until the user logs off and then logs back on.
===============================
You are describing the expected behavior. A user's security token is created whenever they log on. Until they log off and log back on, that security token does not contain the new global (or universal or domain local) group information. When the user logs back on, their new security token then contains the new security group membership information and the GPO system applies the "newly effective" group policy object to their account.
You "can" get a new GPO to apply using background refresh processes by "filtering" the GPO, but you must use a security group in which the user's account is already a member.


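The token behavior described in the reply above can be checked from the user's own session. This PowerShell sketch is an added example, not part of the original post: it compares the group SIDs in the current logon token with the directory's membership of the filtering group. It assumes the RSAT ActiveDirectory module is installed, and the group name `GPO-Filter-Example` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: is the GPO filtering group in this session's logon token yet?

function Test-GpoFilterGroupInToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName   # group used to security-filter the GPO (hypothetical name below)
    )

    # The token for this session was built at logon and does not change afterwards.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # Membership as the directory sees it right now (nested groups included).
    $group      = Get-ADGroup -Identity $GroupName
    $memberSids = @(Get-ADGroupMember -Identity $group -Recursive |
                    ForEach-Object { $_.SID.Value })

    $inDirectory = $memberSids -contains $identity.User.Value
    $inToken     = $tokenSids  -contains $group.SID.Value

    $status = if ($inDirectory -and $inToken) {
        'Group is in the token: the filtered GPO can apply on background refresh.'
    } elseif ($inDirectory) {
        'Member in the directory, but the token predates the change: log off and log back on.'
    } elseif ($inToken) {
        'Removed in the directory, but the token still carries the group until the next logon.'
    } else {
        'Not a member: the filtered GPO does not target this account.'
    }

    [pscustomobject]@{
        User        = $identity.Name
        Group       = $group.Name
        InDirectory = $inDirectory
        InToken     = $inToken
        Status      = $status
    }
}

# Usage with a hypothetical group name:
Test-GpoFilterGroupInToken -GroupName 'GPO-Filter-Example' | Format-List
```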