Do I really need to reboot for AD changes to be applied?

QUESTION :

Every time I request a permission change the IT group at my company instructs me to wait 20 minutes and reboot the computer. I cannot believe that in this day and age you still need to reboot the computer to clear whatever cache stores the permissions locally. It feels like something out of the NT 4 days.

  • Do you actually still need to reboot the computer?
  • Is a logout/login sufficient?
  • Is there still a long time (20 minutes) for the changes to propagate through the AD tree?

ANSWER :

It depends on what the “permission change” is. If they are adding you to a group, you will need to log off/on to effect the change. If they are adding your account, or a group you are already in, to a resource, you wouldn’t need to log off/on.

FYI: If the change is to a machine policy (which can be indirect, via loopback processing), you will need to reboot.

Running gpupdate /force then logging out then in should be fine.

Normally a logout/login should be sufficient.

gpupdate – as mentioned in another answer – will not be enough.

Most likely your IT department manages permissions with group memberships. And those are only updated on logon.

The 20 minutes are due to the default replication frequency of 15 minutes. This could be improved by enabling change notifications.

http://msdn.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx
Cache Refresh and the Availability of Group Changes
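
The answers above turn on group membership being fixed into the access token at logon. The following PowerShell is an added example, not part of the original answers, that compares the current session's token with the directory's view of the same user; it assumes a domain-joined machine, a single-domain setup, and a helper name (Resolve-SidName) chosen for illustration.

```powershell
# Added example: run inside the affected user's own session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid

# Domain group SIDs fixed into the access token when this session logged on.
# (.Groups omits deny-only entries, e.g. admin groups in a UAC-filtered token.)
$tokenSids = @($identity.Groups |
    Where-Object { $_.AccountDomainSid -eq $domainSid } |
    ForEach-Object { $_.Value })

# The same user as the answering domain controller sees it right now.
# tokenGroups is a constructed attribute and must be requested explicitly.
$user = [adsi]"LDAP://<SID=$($identity.User.Value)>"
$user.RefreshCache(@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.Properties['tokenGroups']) {
    $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)
    if ($sid.AccountDomainSid -eq $domainSid) { $sid.Value }
})

# Hypothetical helper: show a readable name, fall back to the raw SID.
function Resolve-SidName([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$pendingAdd    = @($directorySids | Where-Object { $_ -notin $tokenSids })
$pendingRemove = @($tokenSids     | Where-Object { $_ -notin $directorySids })

foreach ($s in $pendingAdd) {
    [pscustomobject]@{ Group  = Resolve-SidName $s
                       Status = 'In directory, not in token: log off/on needed' }
}
foreach ($s in $pendingRemove) {
    [pscustomobject]@{ Group  = Resolve-SidName $s
                       Status = 'Removed in directory, still in token until logoff' }
}
if (-not $pendingAdd -and -not $pendingRemove) {
    'Token matches the directory as seen by the answering domain controller.'
}
```

If a recently requested group appears in neither list, the domain controller that answered has not yet received the change, which is the replication delay described above.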
