Group Policy Application
Understand Win2K's method of applying group membership changes.
August 19, 2002
By default, Windows 2000 computers reapply Group Policy every 90 minutes, plus a random offset of 30 minutes; so, within a few hours, all the authorized SQL clients should request an IPSec certificate from SqlIPSecCA. However, keep in mind that when checking access to objects, Win2K uses access tokens to determine group membership. An access token contains the user or computer account’s SID and the SIDs of all the groups to which the account belongs. Win2K builds an access token when an account logs on, then doesn’t update the token. Therefore, group membership changes that occur while a user is logged on don’t take effect until the user logs off and logs back on. Group membership changes that affect a computer account don’t take effect until the next time the computer reboots (the computer logs on to the domain when it first boots and remains logged on until it's shut down). Because many of the settings I specify in the main article depend on membership in the Authorized SQL Server Clients group, make sure those computers are rebooted after you edit the Group Policy Object (GPO), to ensure that the changes take place on a timely basis.
About the Author
You May Also Like