Re: Security Groups for Users Not Updating

Hi
GPO has nothing to do with that.
Unless you're managing GG with restricted groups policy to your client workstations/servers, gpupdate won't do anything for you.

If you're not using restricted groups policy and users don't get their group membership updated, check the following:
- Check if the user is logging on with cached logon information.
- Check if the client machine is using a valid LOCAL DNS server.
- Check which server the client machine is using, then go to that server and check if replication is working correctly (repadmin /showreps).
- Attempt to force replication, and try again: log the user off and log on again.
- Type whoami /all at a command prompt and check if the problem is solved.

Also look at:
When you add a user to a global group in Microsoft Windows Server 2003, the user's membership is not recognized immediately
http://support.microsoft.com/kb/871159/en-us

If you're using restricted groups or some script to manage client local groups, re-check your configurations and make sure that the client computer is in the correct OU.

--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

"GarrettD78" <GarrettD78@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:14E83730-2227-47C8-B405-AF97B4A7A767@xxxxxxxxxxxxxxxx
No they are regular Global Security Groups. Most of them control access to
shares for individual departments. We have some users that move around every
other month or so. I noticed when I was moving the users this month they
didn't get any of their new permissions.
If I run a gpresult then I see the groups they are members of and I can see
whether they were added or deleted. Even after logging the user out and
logging back in it doesn't change. But then if I run a gpupdate the computer
will force a log out and then the groups work correctly. I can't figure out
why the users suddenly won't update their permissions. Thanks

"Jorge de Almeida Pinto [MVP - DS]" wrote:

are you talking restricted groups?

what do you mean with:
>> > I have a very small AD domain that is running in mixed mode. When I make
>> > changes to users, moving them in and out of security groups the users do
>> > not get updated with either the group being removed from the user or the
>> > group getting added to the users even after logging in and logging out. I
>> > actually have to use gpupdate to get the Security group edits that I have
>> > done.

can you explain more?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"GarrettD78" <GarrettD78@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8A32447A-F57C-4986-89B0-65A32B29A78D@xxxxxxxxxxxxxxxx
> Right. I understand you have to log on and log off to have the access tokens
> rebuilt, but those aren't updating even after logging off. The only way I
> have found the groups get updated is if I run gpupdate.
>
> "Jorge de Almeida Pinto [MVP - DS]" wrote:
>
>> nope, normal behavior!
>>
>> when a user logs on, an access token is built with the group membership and
>> privileges.
>> to reflect changes the access token must be changed and for that you need to
>> logoff and logon again.
>>
>> * when in mixed mode: includes all global groups
>> * when in native mode and higher: includes all global groups, universal
>> groups and domain local groups
>>
>> --
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ------------------------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> ------------------------------------------------------------------------------------------
>> #################################################
>> #################################################
>> ------------------------------------------------------------------------------------------
>> "GarrettD78" <GarrettD78@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:17D4C767-D91D-4517-A138-02F55C28E28F@xxxxxxxxxxxxxxxx
>> > I have a very small AD domain that is running in mixed mode. When I make
>> > changes to users, moving them in and out of security groups the users do
>> > not get updated with either the group being removed from the user or the
>> > group getting added to the users even after logging in and logging out. I
>> > actually have to use gpupdate to get the Security group edits that I have
>> > done. Could this be caused by the mixed mode or am I looking at another
>> > problem? Thanks
>>
>>
>>
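
The client-side checks from the top reply, as an added PowerShell example that is not part of the original thread: it prints the logon server and DNS servers, then compares the domain group SIDs in the current access token with the tokenGroups that the logon server computes for the account now. It assumes a domain user session on the affected client, PowerShell 3.0 or later and a reachable DC; the variable names and the Resolve-SidName helper are illustrative.

```powershell
# Added example: run in the affected user's session on the client (domain user assumed).
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $id.User.AccountDomainSid.Value
$dc        = "$env:LOGONSERVER".TrimStart('\')
$nt        = [System.Security.Principal.NTAccount]

# Hypothetical helper: SID string -> DOMAIN\name, or the SID itself if it does not resolve.
function Resolve-SidName($s) {
    try { ([System.Security.Principal.SecurityIdentifier]$s).Translate($nt).Value } catch { $s }
}

# Which DC handled the logon, and which DNS servers the client resolves through.
"Logon server : $dc"
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "DNS servers  : $($_.DNSServerSearchOrder -join ', ')" }

# Domain group SIDs in the access token that was built at logon.
$tokenSids = @($id.Groups | ForEach-Object { $_.Value } |
    Where-Object { $_ -like "${domainSid}-*" })

# Group SIDs the logon server computes for the account right now (tokenGroups).
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc")
$filter   = "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$entry    = $searcher.FindOne().GetDirectoryEntry()
$entry.psbase.RefreshCache(@('tokenGroups'))
$dirSids = @(foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    if ($sid.Value -like "${domainSid}-*") { $sid.Value }
})

# In the directory but not in the token: membership added after the token was built.
# In mixed mode the token carries only global groups (see the thread), so domain
# local groups can be listed here without anything being wrong.
$dirSids | Where-Object { $tokenSids -notcontains $_ } |
    ForEach-Object { "Not yet in token : $(Resolve-SidName $_)" }

# In the token but no longer in the directory: membership removed since logon.
$tokenSids | Where-Object { $dirSids -notcontains $_ } |
    ForEach-Object { "Stale in token   : $(Resolve-SidName $_)" }
```

If differences remain after the user logs off and on again, continue with the cached-logon and replication checks from the list in the reply.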



