I think I found a solution, at least I cannot provoke the error anymore.

Tests showed that the error was connected to one DC; every time the
false membership was active it was the latest installed DC that processed
the logon.

Investigating event logs on the DC gave sporadic warnings of "group
membership cache refresh".

I turned off Universal Group Membership Caching, and now all seems to be
well :-)

What I don't understand is why this setting was influencing a global
group, but maybe someone here can enlighten me?

Thanks,
Ole Thomsen


> -----Original Message-----
> From: Ole Thomsen 
> Sent: Saturday, May 14, 2005 10:11 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] "Sticky" group membership
> 
> I am well aware of the fact that group membership is only updated during
> a new logon.
> 
> But this "false" membership can stick for several days, and we reboot
> the terminal servers every night. My test user was removed from the
> group two days ago, and still gets the GPO applied on some of the
> servers.
> 
> As far as I can see the membership is recognized correctly on the
> network and file servers - just not during logon.
> 
> Thanks,
> Ole Thomsen
> 
> 
> 
> 
> > -----Original Message-----
> > From: joe [mailto:[EMAIL PROTECTED] 
> > Sent: Saturday, May 14, 2005 8:42 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] "Sticky" group membership
> > 
> > User security tokens are only updated during authentication. This means that
> > if you have a group membership change and then connect to a remote resource
> > you can get that new token if you completely break any previous sessions
> > with the remote resource, then purge your kerberos tickets, and then
> > reconnect to the resource. For interactive logons (i.e. you have a desktop
> > associated with the logon) you need to log off and log on.
> > 
> >    joe 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> > Sent: Saturday, May 14, 2005 1:18 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] "Sticky" group membership
> > 
> > Environment: Three W2K3 DC's and ten WTS (no SP1), all located on the same
> > subnet.
> > 
> > We have GPO's applied based on group membership.
> > 
> > A few policies are only intended to be active for some hours, blocking
> > execution of specific applications.
> > 
> > After adding the users to the group, the policy is active almost immediately
> > on the terminal servers - but after removing users from the group, the GPO's
> > are still applied on some.
> > 
> > GPresult shows that the users are still seen as a member of the group, while
> > running MemberOf against every DC says they are not?
> > 
> > How can I troubleshoot this further, and where is it possible that the
> > membership is cached?
> > 
> > Ole Thomsen
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
> > 
> 

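The check the thread describes by hand (running MemberOf against every DC and comparing with what GPresult sees in the logon token) as an added PowerShell example; it is not code from the thread or from any of its authors. It assumes the ActiveDirectory RSAT module on a domain-joined host, and the user and group names are parameters you supply.

```powershell
# Added example: compare one user's membership in one group as reported by
# every DC, then compare with the groups in the current logon token.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
param(
    [Parameter(Mandatory)] [string] $User,   # sAMAccountName of the test user
    [Parameter(Mandatory)] [string] $Group   # group the GPO is filtered on
)
Import-Module ActiveDirectory

$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Ask each DC directly (-Server pins the query to that DC) instead of
#    letting the module pick whichever replica it likes.
$byDc = foreach ($dc in $dcs) {
    $memberOf = (Get-ADUser -Identity $User -Server $dc -Properties memberOf).memberOf
    [pscustomobject]@{
        DC       = $dc
        IsMember = ($memberOf -contains $groupDn)
    }
}
$byDc | Format-Table -AutoSize

# 2. If the DCs disagree, replication or a stale cache on one DC is the suspect.
if (($byDc.IsMember | Sort-Object -Unique).Count -gt 1) {
    Write-Warning "DCs disagree about membership of '$User' in '$Group'."
}

# 3. The token is built at logon and is not refreshed afterwards, so this part
#    only means something when run inside the session of $User itself.
$tokenHasGroup = [bool]((whoami /groups) -match [regex]::Escape($Group))
"Logon server      : $env:LOGONSERVER"
"Token has '$Group': $tokenHasGroup"
```

A token that still shows the group while every DC denies the membership points at the logon itself (the DC named in LOGONSERVER and what it fed into the token), not at the directory data.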