Just been doing some testing on using restricted groups to control the membership of local security groups. I've been using a couple of VM machines running Win XP, and these are joined to a domain running a Server 2003 DC. It seems to work fine, although it doesn't seem to refresh very often. Initially I did a gpupdate /force and this cleared any extra membership of the local admin account like it was supposed to, but as a test I added another account in there manually. This account wasn't removed when I logged out and back in, and wasn't even removed when I did a reboot. It was only removed when I did another gpupdate /force. I know these updates are periodic and it would have probably updated by itself eventually and cleared out this extra group, but is there any way to control how often it refreshes a policy like this?
It's been a while since I've had to deal with this, but if my memory serves me correctly, the default refresh interval is 90 minutes. It is possible to change the interval, however; check out this article for more information.
Security Policy settings set in a GPO refresh a little differently than other GPO settings. Nice write-up here: http://www.windowsecurity.com/artic...cy-Security-Settings-Refresh-Application.html