I'm setting up security for a Windows 7 rollout, and one of the requirements is a tool that will undo user group policy for a period so a tech can have an unlocked PC to work on. I've found ways to remove policy without a problem (that I know of), but how can I tell when the next refresh will be, or set something to push it off to a certain point like say an hour after the unlock? Is it as simple as doing a refresh just before unlocking it?

You can use GPupdate to force a refresh: http://technet.microsoft.com/en-us/library/bb490983.aspx Hope this helps.

Hi, I understand that you want to refresh user group policy after unlock a while. If I’m misunderstanding, please let me know. You can try to use VBscript to refresh group policy, and create a task scheduler to run the script at log on: 1 Open task Scheduler 2 Click “Create task” on the right pane 3 On the tab of “Trigger”, click “new”. Select “At log on” at the “begin the task” 4 In “Advanced settings”, set the time of “Delay task for” 5 On the tab of “Actions”, click “new” and set your script in it 6 Click “OK” Thus, when you logon, a task of script will run after the time you have set. And if you have any question about the script, you can ask Scripting Forum for further help: The Official Scripting Guys Forum! Forum Hope that helps. Regards, Leo Huang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Not quite what I was looking for. I know about GPupdate and GPUPDate /force, what I want to know is how to delay the automatic refresh Windows will do in the background. I don't want to disable background refreshes all together, but I want to delay it if possible so a tech doesn't unlock a PC to have it refresh and relock on them a few minutes later. This may help As I understand there is a 90 minute default refresh with a 30 minute offset, so policy will apply every 60-120 minutes. If I run my script to remove policy and unlock it (opening up things like the control panel and other things) 45 minutes after the automatic refresh, does the tech then have somewhere between 15 and 45 minutes to work before it could relock? I would like to do something like reset the counter so they would have the whole 60-120 before it relocks, or at least pop up a window telling them when the next refresh is. I do want it to relock in case they forget to run gpupdate or log off the PC.

Hi, Maybe you can try to set the counter of Group Policy refresh to achieve your goal: 1 Click “Start” 2 Input “gpedit.msc” in Search box and press Enter 3 Go to Computer Configuration---Administrative Templates---System---Group Policy 4 Double click “Group Policy refresh interval for computers” 5 You can set the time of how often Group Policy is applied 6 Click “OK” Hope that helps. Regards, Leo Huang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Through more testing I've found that if I run gpupdate and then wait a few seconds after it finishes, whack some registry keys and restart explorer it does what I'm looking for and resets the counter for when the next policy refresh will be. The issue now is trying to read programatically from the Group Policy event log to be able to tell the tech when that next refresh will be. The info is all there but I've run into what appears to be a dll limitation that it can't find that log and keeps defaulting back to the applications log.

Hi, Sorry for my late reply. Could you please give me more information about the dll limitation error? Or you can make a screenshot to me: How to capture a screenshot to Technet Forum ========================= 1) Press the Print Screen key (PrtScn) on your keyboard. 2) Click the "Start" menu, type "mspaint" in the Search Bar and Press Enter. 3) In the Paint program, click the "Edit" menu, click "Paste", click the "File" menu, and click "Save". 4) The "Save As" dialogue box will appear. Type a file name in the "File name:" box, for example: "screenshot". 5) Make sure "JPEG (*.JPG;*.JPEG;*.JPE;*.JFIF)" is selected in the "Save as type" box, click “Desktop” on the left pane and then click "Save". 6) Then Upload to SkyDrive. Regards, Leo Huang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

There isn't an actual error, it returns the application log instead of the operational one I am trying to get to. I first tried using Autoit which will use that dll. I made the assumption that it's a limitation since when I called the Group Policy Operational log by the name Windows lists it by, it returns the application one instead, which is default behavior. I am using 32 bit code. This is the function I'm trying to use http://msdn.microsoft.com/en-us/library/aa363672(VS.85).aspx And here is the thread I read to come to this point. http://www.autoitscript.com/forum/topic/103883-reading-from-additional-vistawin7-event-logs/ The call ends up looking something like this $hEventLog = _EventLog__Open ("", "Microsoft-Windows-GroupPolicy/Operational") Is there another way to get to this information?

Hi, I’m afraid there is no other way to get this information. Usually we can view the GPO event logs in Event Viewer---Windows Logs---System. So if you want to get the information of log like $hEventLog = _EventLog__Open ("", "Microsoft-Windows-GroupPolicy/Operational"), you need open event log by the link of MSDN. Since this related with MSDN of Windows Diagnostics, I suggest to contact MSDN Forum for further help: http://social.msdn.microsoft.com/Forums/en-US/category/windevdiagnostics The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding. Regards, Leo Huang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, Since this need support from MSDN of Windows Diagnostics, I will mark my reply as answer, it could help other communities here who have the same issue. Thanks for your understanding and hope you will find the solution there. Regards, Leo Huang TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.