Just been doing some testing on using restricted groups to control the membership of local security groups. I've been using a couple of VM machines running Win XP and this is joined to a domain running a Server 2003 DC. It seems to work fine, although it doesn't seem to refresh very often. Initially I did a gpupdate /force and this cleared any extra membership of the local admin account like it was supposed to, but as a test I added another account in there manually. This account wasn't removed when I logged out and back in, and wasn't even removed when I did a reboot. It was only removed when I did another gpupdate /force. I know these updates are periodic and it would have probably updated by itself eventually and cleared out this extra group, but is there any way to control how often it refreshes a policy like this?