Folks, the problem I reported over the last few days where groups on the DC had no effect on my workstation has been (sort of) solved; more accurately, it has been circumvented. I hope you don't mind if this is on-topic for the group as it might be of general use.
A friend who is a network administrator kindly took time to drop in and examine the problem. Methodically using different domain accounts, different groups, different group memberships, many logoffs and reboots, we determined that the problem only exists for my domain account named 'greg'. All other domain users behaved correctly and honoured group and membership changes on the DC.

The first experiment was to utterly remove account 'greg' from everywhere and leave the domain. I then recreated 'greg' and rejoined the domain, but the problem returned. This proved that there is something internally "corrupt" with that specific account name. I can't tell where this corruption is or who to blame for it.

I created a brand new account 'gregk' and it is behaving correctly. The solution is to therefore simply abandon using the account name 'greg', which has become permanently unusable for some unknown reason.

I discovered one other surprising thing during this exercise: Group and membership changes on the Win2008 R2 DC do not immediately propagate out to my Win7 workstation. I'm surprised because on my old Win2003 DC the changes were immediately effective. A logoff+login is supposed to create a new token, but I find that DC changes are not picked up this way. I find I have to reboot+login Win7 to pick up the changes. This seems like a step backwards, but it's only a minor irritation.

So there you go, the problem is basically intractable and I had to circumvent it.

Greg
