On a Win2008 Domain Controller, I've changed a user account property "Account is sensitive..."

Of course, I want that GPO to apply immediately

So I try gpupdate (or gpupdate /force), but it doesn't seem to work!?

I have to reboot my domain computer, then log on again with the user account to make it work!?

Another way?

The solution is here: Is there a way to refresh computer group membership without rebooting?

  • Seems like you are confusing Group Policy with Account properties
    – Greg Askew
    Commented Nov 15, 2014 at 17:42
  • You're right, I thought Account properties were managed by GPO too...
    – Stef
    Commented Nov 15, 2014 at 22:42

1 Answer

As already commented, the "Account is sensitive and cannot be delegated" flag is a user account attribute, not a GPO setting.

If you've checked this box and want to make sure that the change is immediately replicated everywhere, you can use repadmin to force it:

repadmin /replsingleobj * source-dc01.domain.tld CN=SensitiveUser,OU=Users,DC=domain,DC=tld
  • Ok, but doesn't work... I found that "klist purge" does the job!
    – Stef
    Commented Nov 15, 2014 at 22:41
  • It most certainly works, just not the way you expect :) The repadmin /replsingleobj command makes sure that the setting is replicated to all domain controllers, so that the next time you have a Kerberos ticket issued, it takes effect. The setting itself does not retroactively update Kerberos tickets.
    Commented Nov 16, 2014 at 13:00
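
One way to check both halves of the thread above (the flag reaching every domain controller, then fresh Kerberos tickets on the client), as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module is available and reuses the answer's placeholder DN and DC name.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and an account allowed to read the user object on every domain controller.
Import-Module ActiveDirectory

$userDn   = 'CN=SensitiveUser,OU=Users,DC=domain,DC=tld'  # placeholder DN from the answer
$sourceDc = 'source-dc01.domain.tld'                       # placeholder DC from the answer

# userAccountControl bit behind "Account is sensitive and cannot be delegated"
$NOT_DELEGATED = 0x100000

# 1. Replicate the single object from the source DC to all other DCs.
repadmin /replsingleobj '*' $sourceDc $userDn

# 2. Query each DC directly so a replica that still lacks the flag shows up.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $userDn -Server $dc.HostName `
                        -Properties userAccountControl -ErrorAction Stop
        [pscustomobject]@{
            DC           = $dc.HostName
            NotDelegated = [bool]($u.userAccountControl -band $NOT_DELEGATED)
            Error        = $null
        }
    } catch {
        # Unreachable DC or object not readable there: report it, do not hide it.
        [pscustomobject]@{ DC = $dc.HostName; NotDelegated = $null; Error = $_.Exception.Message }
    }
}
$report | Format-Table -AutoSize

# 3. Tickets issued before the change are not updated retroactively, so only
#    tell the user to refresh tickets once every DC returns the flag.
$stale = @($report | Where-Object { $_.NotDelegated -ne $true })
if ($stale.Count -gt 0) {
    Write-Warning ("Flag missing or unverified on: " + ($stale.DC -join ', '))
} else {
    Write-Output "Flag present on all DCs. Run 'klist purge' in the user's logon session on the client (or log off and on) to get new tickets."
}
```

`klist purge` only clears tickets for the logon session it is run in, so it has to be run as the affected user on the client, not from the admin workstation running this check.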
