I am well aware of the fact that group membership is only updated during
a new logon.

But this "false" membership can stick for several days, and we reboot
the terminal servers every night. My test user was removed from the
group two days ago, and still gets the GPO applied on some of the
servers.

As far as I can see the membership is recognized correctly on the
network and file servers - just not during logon.

Thanks,
Ole Thomsen
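An added diagnostic in PowerShell (not part of the original thread) that makes joe's point checkable on a terminal server: it compares the domain group SIDs in the current logon token with the membership a DC computes right now, so a user GPresult still "sees as a member of the group" shows up as a stale token entry. It assumes a domain-joined host where the account can read its own user object, and is meant to be run inside the affected user's session.

```powershell
# Added example, not code from the thread. Lists domain groups that are in the
# current logon token but no longer in AD (the "sticky" membership), and the
# reverse. Assumes a domain-joined host with PowerShell and read access to AD.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value

# 1. Domain group SIDs in the access token. This is what GPO security filtering
#    and file ACLs evaluate, and it is frozen until the next logon.
$tokenSids = $identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith("$domainSid-") }

# 2. The directory's current answer for the same account. tokenGroups is a
#    constructed attribute (nested membership computed by the DC on request),
#    so it must be read from the user object itself, not from a search result.
$searcher = [ADSISearcher]"(objectSid=$($identity.User.Value))"
$userDn   = $searcher.FindOne().Properties['distinguishedname'][0]
$user     = [ADSI]"LDAP://$userDn"
$user.RefreshCache(@('tokenGroups'))
$adSids = $user.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
} | Where-Object { $_.StartsWith("$domainSid-") }

# 3. Translate a SID to DOMAIN\Group, falling back to the raw SID when it no
#    longer resolves (for example, a group that has since been deleted).
function Resolve-Sid([string]$sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

$stale   = $tokenSids | Where-Object { $adSids -notcontains $_ }
$missing = $adSids    | Where-Object { $tokenSids -notcontains $_ }

"Token groups no longer in AD (still applied until the next logon):"
$stale   | ForEach-Object { "  - " + (Resolve-Sid $_) }
"AD groups not yet in the token (need a new logon to take effect):"
$missing | ForEach-Object { "  - " + (Resolve-Sid $_) }
```

A stale entry reported here persists until that session is re-authenticated: log off and on for an interactive logon, or tear down the network session and purge tickets for a remote resource, as joe describes in the quoted reply.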

> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, May 14, 2005 8:42 PM
> To: [email protected]
> Subject: RE: [ActiveDir] "Sticky" group membership
> 
> User security tokens are only updated during authentication. This means that
> if you have a group membership change and then connect to a remote resource
> you can get that new token if you completely break any previous sessions
> with the remote resource, then purge your kerberos tickets, and then
> reconnect to the resource. For interactive logons (i.e. you have a desktop
> associated with the logon) you need to log off and log on.
> 
>    joe 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
> Sent: Saturday, May 14, 2005 1:18 PM
> To: [email protected]
> Subject: [ActiveDir] "Sticky" group membership
> 
> Environment: Three W2K3 DC's and ten WTS (no SP1), all located on the same
> subnet.
> 
> We have GPO's applied based on group membership.
> 
> A few policies are only intended to be active for some hours, blocking
> execution of specific applications.
> 
> After adding the users to the group, the policy is active almost immediately
> on the terminal servers - but after removing users from the group, the GPO's
> are still applied on some.
> 
> GPresult shows that the users are still seen as members of the group, while
> running MemberOf against every DC says they are not?
> 
> How can I troubleshoot this further, and where is it possible that the
> membership is cached?
> 
> Ole Thomsen
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 