Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
Incorrect Group Membership for a user account in GPResult output

Answered Incorrect Group Membership for a user account in GPResult output

  • Wednesday, April 11, 2012 12:57 PM
     
     
    Sign In to Vote
    0

    Hi,

    We have a mixed environment of Windows Server 2003 and Server 2008 R2 DCs. We had an account that was member of a domain global group. We removed it from that group and it is not showing as member in ADUC or in Net User output. However, it is still showing as a member in gpresult output and there is a group policy being applied based on that group membership and the user account is still getting it.

    Any ideas how to clear it from AD?

    Thanks

     

All Replies

  • Wednesday, April 11, 2012 1:07 PM
     
     
    Sign In to Vote
    0

    Please explain.

    how the Group policy is defined?

    Group policy is using Default ADM or ADMX or its a Custom ( If it is a custom then it might be an issue with GPO Tattoing).

    Let us know what kind of Group policy,

    Also if possible post the results of gpresult /h c:\gpresult.htm

    Understanding Policy Tattoing.

    http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

    Regards,

    _Prashant_

    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

     
  • Wednesday, April 11, 2012 1:27 PM
     
     Answered
    Sign In to Vote
    0

    Hello,

    Maybe the such deletion have not been replicated to all DCs.

    Please run dcdiag /v on all DCs you have and check if there is any errors. Also, run repadmin /syncall and check results.

    You can also ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer


     
  • Wednesday, April 11, 2012 1:35 PM
     
      Has Code
    Sign In to Vote
    0

    Hi,

    Have you checked that the machine onto which the user is logging is processing group policy correctly? If you're using gpresult, make sure you verify the "Last time Group Policy was applied" line to ensure the user's not working off cached policy settings.

    You might also want to verify this through running the following command from a command prompt on that user's desktop (does not need to be run as an administrator):

    whoami /groups

    Depending on what this comes back with, it might even point you back to troubleshooting one or more domain controllers. But I'd start with looking at client-side policy events in either Event Viewer (on Windows Vista or later) or UserEnv.log (Windows XP/2003 and prior).

    Cheers,
    Lain

     
  • Wednesday, April 11, 2012 4:42 PM
     
     
    Sign In to Vote
    0

    Hello,

    have you checked on the DCs that replication as occured for the changes? Use repadmin to get a detailed overview.

    http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

     
  • Thursday, April 12, 2012 3:30 AM
    Moderator
     
     Answered
    Sign In to Vote
    0

    Hi,

    I agree with Mr X. This can be an issue of DC Replication.

    In the meantime, I suggest we log off and log on this user again to test the result.

    Please give it a try and let us know the result.

    Regards

    Kevin

     

    TechNet Community Support

     
  • Tuesday, April 17, 2012 2:28 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to  reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin

    TechNet Community Support