We had the user reboot, login using cached credentials, start the VPN, then run GPRESULT.
________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, November 29, 2006 11:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Updating cached credentials Curious. After trying those, how did you validate that the user's group membership wasn't affected? On 11/29/06, Ken Cornetet < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote: Ok, this is really strange... I tried Al Munick's suggestion of having the user change their password via a three-finger salute. That did not update cached group membership. I tried Guy Teverovsky's suggestion to do a "runas" while VPN connected. It did not update cached group membership. James Aurther Wells suggested that the group membership would be updated by a workstation process discussed in KB824302. We connected via VPN and let things sit for 4 hours - no cached group membership update. Since I mentioned that we used Psynch, Idan Shoham of M-Tech pointed me to an ActiveX control that forces an update of cached credentials on the workstation when the Psynch web app is used to change passwords. After configuring Psynch to run the ActiveX control, the user gets the group policy that was controlled by group membership. Now this is where things gets weird: GPRESULT shows that the policy IS applied, but does NOT show the user as being a member of the group that gets the policy! Huh? Now my question is where does GPRESULT look for group membership information? It does not appear to be looking the same place that the group policy processing engine looks! -----Original Message----- From: Ken Cornetet Sent: Wednesday, November 22, 2006 11:12 AM To: ActiveDir@mail.activedir.org Subject: Updating cached credentials Is there a way to force updating of cached credentials on an XP workstation? We have several users that seldom (if ever) connect to the corporate network directly. Instead, they log in (XP sp2) using cached credentials and connect via a Nortel VPN. We have several group policies that are filtered by group membership. The problem is that the group membership seems to be cached on the workstation, and is never updated to reflect the new membership, and group policy is never applied. Is there any mechanism for forcing this update? List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/