User security tokens are only updated during authentication. This means that if you have a group membership change and then connect to a remote resource you can get that new token if you completely break any previous sessions with the remote resource, then purge your Kerberos tickets, and then reconnect to the resource. For interactive logons (i.e. you have a desktop associated with the logon) you need to log off and log on.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Saturday, May 14, 2005 1:18 PM
To: [email protected]
Subject: [ActiveDir] "Sticky" group membership

Environment: Three W2K3 DC's and ten WTS (no SP1), all located on the same subnet.

We have GPO's applied based on group membership. A few policies are only intended to be active for some hours, blocking execution of specific applications.

After adding the users to the group, the policy is active almost immediately on the terminal servers - but after removing users from the group, the GPO's are still applied on some.

GPresult shows that the users are still seen as members of the group, while running MemberOf against every DC says they are not?

How can I troubleshoot this further, and where is it possible that the membership is cached?

Ole Thomsen

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
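
One way to see the mismatch described in this thread, as an added example that is not part of the original messages: compare the group SIDs in the current logon token with what a DC computes now for the same account. It assumes a domain account on a domain-joined machine and compares only groups from the user's own domain; the function name `Resolve-SidName` is made up for this example.

```powershell
# Added example. Run as the affected user in the session where the policy
# still applies (for instance on the terminal server).
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $id.User.AccountDomainSid.Value   # assumption: domain account

# 1. Group SIDs in the logon token. These were fixed when this session
#    authenticated and do not change afterwards.
$tokenSids = @($id.Groups | ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith("$domainSid-") })

# 2. Group SIDs a DC computes right now for the same account. tokenGroups is
#    a constructed attribute, so it has to be requested explicitly.
$user = [ADSI]"LDAP://<SID=$($id.User.Value)>"
$user.psbase.RefreshCache([string[]]@('tokenGroups'))
$dirSids = @($user.psbase.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
} | Where-Object { $_.StartsWith("$domainSid-") })

# Hypothetical helper: show a name where the SID resolves, else the SID.
function Resolve-SidName([string]$Sid) {
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# 3. Report differences in both directions.
$stale   = @($tokenSids | Where-Object { $dirSids   -notcontains $_ })
$missing = @($dirSids   | Where-Object { $tokenSids -notcontains $_ })

foreach ($s in $stale)   { "Still in token, removed in directory: $(Resolve-SidName $s)" }
foreach ($s in $missing) { "In directory, not yet in token:       $(Resolve-SidName $s)" }
if (-not $stale -and -not $missing) {
    'Token matches the directory for same-domain groups.'
}
```

A group listed as still in the token should drop out after the session is ended and a new logon is performed. Groups that are present in the token only as deny-only are not returned by `WindowsIdentity.Groups`, so they can appear under "not yet in token".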
