Yep, Dean lovingly calls this AD feature Global Group Crashing. He wasn't thrilled with the feature back when it was still in beta last I spoke to him about it.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: Sunday, May 15, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "Sticky" group membership - Solved

That's because Universal Group Membership Caching also caches global groups. Didn't its name make that obvious? ;>

You don't want to enable it in a Site that has both GC's and non-GC's or you'll run into the behavior you observed.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ole Thomsen
> Sent: Sunday, May 15, 2005 09:00
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] "Sticky" group membership - Solved
>
> I think I found a solution, at least I cannot provoke the error
> anymore.
>
> Tests showed that the error was connected to one DC; every time the
> false membership was active it was the latest installed DC that
> processed the logon.
>
> Investigating event logs on the DC gave sporadic warnings of "group
> membership cache refresh".
>
> I turned off Universal Group Membership Caching, and now all seems to
> be well :-)
>
> What I don't understand is why this setting was influencing a global
> group, but maybe someone here can enlighten me?
>
> Thanks,
> Ole Thomsen
>
> > -----Original Message-----
> > From: Ole Thomsen
> > Sent: Saturday, May 14, 2005 10:11 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] "Sticky" group membership
> >
> > I am well aware of the fact that group membership is only updated
> > during a new logon.
> >
> > But this "false" membership can stick for several days, and we reboot
> > the terminal servers every night. My test user was removed from the
> > group two days ago, and still gets the GPO applied on some of the
> > servers.
> >
> > As far as I can see the membership is recognized correctly on the
> > network and file servers - just not during logon.
> >
> > Thanks,
> > Ole Thomsen
> >
> > > -----Original Message-----
> > > From: joe [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, May 14, 2005 8:42 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] "Sticky" group membership
> > >
> > > User security tokens are only updated during authentication.
> > > This means that if you have a group membership change and then
> > > connect to a remote resource you can get that new token if you
> > > completely break any previous sessions with the remote resource,
> > > then purge your kerberos tickets, and then reconnect to the
> > > resource. For interactive logons (i.e. you have a desktop
> > > associated with the logon) you need to log off and log on.
> > >
> > > joe
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of Ole Thomsen
> > > Sent: Saturday, May 14, 2005 1:18 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] "Sticky" group membership
> > >
> > > Environment: Three W2K3 DC's and ten WTS (no SP1), all located on
> > > the same subnet.
> > >
> > > We have GPO's applied based on group membership.
> > >
> > > A few policies are only intended to be active for some hours,
> > > blocking execution of specific applications.
> > >
> > > After adding the users to the group, the policy is active almost
> > > immediately on the terminal servers - but after removing users from
> > > the group, the GPO's are still applied on some.
> > >
> > > GPresult shows that the users are still seen as member of the group,
> > > while running MemberOf against every DC says they are not?
> > >
> > > How can I troubleshoot this further, and where is it possible that
> > > the membership is cached?
> > >
> > > Ole Thomsen
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
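Two checks come out of this thread: Ole's "MemberOf against every DC" comparison, and David's point that Universal Group Membership Caching should not be enabled in a site holding both GC and non-GC DCs. The script below is an added example, not code from anyone on the list; it assumes the ActiveDirectory PowerShell module (available on later Windows versions, not the 2005-era environment discussed), a placeholder account name in `$SamAccountName`, and that bit 0x20 of the `options` attribute on each site's NTDS Site Settings object marks UGMC as enabled.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to read user objects and the Configuration partition.
Import-Module ActiveDirectory

$SamAccountName = 'testuser'   # assumption: placeholder account to check

# 1. Ask every DC for the user's memberOf and see whether they agree.
$dcs = Get-ADDomainController -Filter *
$views = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties memberOf -ErrorAction Stop
        [pscustomobject]@{
            DC     = $dc.HostName
            Site   = $dc.Site
            IsGC   = $dc.IsGlobalCatalog
            Groups = (@($u.memberOf) | Sort-Object) -join ';'
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; IsGC = $dc.IsGlobalCatalog
            Groups = "ERROR: $($_.Exception.Message)"
        }
    }
}
$views | Format-Table DC, Site, IsGC, Groups -AutoSize

# A DC whose view differs from the others is the one to look at (replication,
# or a stale membership cache, as in the thread).
$distinct = $views | Where-Object { $_.Groups -notlike 'ERROR*' } | Group-Object Groups
if ($distinct.Count -gt 1) {
    Write-Warning "DCs disagree on the membership of $SamAccountName :"
    $distinct | ForEach-Object { '  {0} DC(s): {1}' -f $_.Count, ($_.Group.DC -join ', ') }
}

# 2. Flag sites where UGMC is on and the site has both GC and non-GC DCs.
#    Assumption: NTDS Site Settings 'options' bit 0x20 = group caching enabled.
$configNC = (Get-ADRootDSE).configurationNamingContext
$siteSettings = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                             -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options
foreach ($s in $siteSettings) {
    # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so index 1 is the site RDN
    $siteName = (($s.DistinguishedName -split ',')[1]) -replace '^CN='
    $ugmcOn   = ((($s.options -as [int]) -band 0x20) -ne 0)
    $siteDcs  = @($dcs | Where-Object { $_.Site -eq $siteName })
    $gcCount  = @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count
    $nonGc    = $siteDcs.Count - $gcCount
    if ($ugmcOn -and $gcCount -gt 0 -and $nonGc -gt 0) {
        Write-Warning ("Site '{0}': UGMC enabled with {1} GC and {2} non-GC DC(s) - " +
                       "the mix that produced the stale membership in the thread") -f $siteName, $gcCount, $nonGc
    } elseif ($ugmcOn) {
        "Site '$siteName': UGMC enabled ($gcCount GC, $nonGc non-GC)"
    }
}
```

Run it as a domain user who can read the Configuration partition; the first table shows which DC, if any, returns a different group list for the account, and the warnings in the second part point at the site configuration David describes.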