Discussion:
gpupdate for specific user (not current user)
byron b
2006-11-13 23:41:54 UTC
Is there a way to update a specific (or all cached on the machine) user
policies for a workstation? For example, if I want to refresh the
currently logged in user's policy I can do it via GPUPDATE. Is there a
way to do a GPUPDATE for a specific user account? What I'm trying to do
is lock down mmc access to GPMC to a certain OU, but it only gets the
updated policy when the account is actually logged into the machine.
If the user account(s) are accessed via "run as" it uses the cached user
policy (without the restrictions) and it is essentially able to bypass
the new restrictions. I can't disable "run as" functionality, so that's
not an option. Anyone have any ideas?
mtstream
2006-11-14 01:48:01 UTC
I can't think of a way - My understanding is that GP controls through the
registry (HKey Local Machine or Current User). Without logging in there's no
Current User hive to edit (other than the user who is logged on).

Could you limit by computer OUs? You can deny access based on a Computer
Configuration GP that would apply regardless of who's logged in or "run as."
byron b
2006-11-14 02:20:55 UTC
nahh.. I was just hoping to be able to solve a problem using this
method... if it's not possible, then I'll just deny the ability to
modify GPOs on the tree itself. Thanks for the response.