On a Win2008 Domain Controller, I've changed a user account property "Account is sensitive..."

Of course, I want that GPO to apply immediately

So I try gpupdate (or gpupdate /force), but it doesn't seem to work!?

I have to reboot my domain computer, then log on again with the user account to make it work!?

Another way?

The solution is here: Is there a way to refresh computer group membership without rebooting?

Stef

1 Answer

As already commented, the "Account is sensitive and cannot be delegated" flag is a user account attribute, not a GPO setting.

If you've checked this box and want to make sure that the change is immediately replicated everywhere, you can use repadmin to force it:

```
repadmin /replsingleobj * source-dc01.domain.tld CN=SensitiveUser,OU=Users,DC=domain,DC=tld
```

Mathias R. Jessen
  • Ok, but doesn't work... I found that "klist purge" does the job! – Stef Nov 15 '14 at 22:41
  • It most certainly works, just not the way you expect :) The `repadmin /replsingleobj` command makes sure that the setting is replicated to all domain controllers, so that the *next* time you have a Kerberos ticket issued, it takes effect. The setting itself does not retroactively update Kerberos tickets. – Mathias R. Jessen Nov 16 '14 at 13:00
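
An added example, not part of the original answer or comments: one way to confirm that the flag has reached every domain controller before purging tickets on the client. It assumes the ActiveDirectory PowerShell module (RSAT) is available and reuses the sample DN from the answer; the variable names are illustrative.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Sample DN taken from the answer above; replace with the real account.
$userDn = 'CN=SensitiveUser,OU=Users,DC=domain,DC=tld'

# userAccountControl bit behind "Account is sensitive and cannot be delegated"
$NOT_DELEGATED = 0x100000

# Ask every domain controller for its own copy of the user object.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $userDn -Server $dc.HostName `
                        -Properties userAccountControl -ErrorAction Stop
        [pscustomobject]@{
            DC           = $dc.HostName
            NotDelegated = [bool]($u.userAccountControl -band $NOT_DELEGATED)
            Error        = $null
        }
    } catch {
        # Report an unreachable or failing DC instead of silently skipping it.
        [pscustomobject]@{
            DC           = $dc.HostName
            NotDelegated = $null
            Error        = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Any DC that did not answer with the bit set has not been confirmed.
$stale = $results | Where-Object { $_.NotDelegated -ne $true }
if ($stale) {
    Write-Warning "Flag not confirmed on: $(($stale.DC) -join ', ')"
} else {
    Write-Output 'Flag is set on every DC; it applies to the next Kerberos tickets issued.'
}

# Then, on the client and inside the user's logon session, drop the cached
# tickets so that new ones are requested:
#   klist purge
```

`klist purge` only clears the tickets of the logon session it is run in, so it has to be run as the affected user on the machine where the old tickets are cached.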