Incorrect Group Membership for a user account in GPResult output

    Question

  • Hi,

    We have a mixed environment of Windows Server 2003 and Server 2008 R2 DCs. We had an account that was a member of a domain global group. We removed it from that group and it is not showing as a member in ADUC or in Net User output. However, it is still showing as a member in gpresult output, and there is a group policy being applied based on that group membership and the user account is still getting it.

    Any ideas how to clear it from AD?

    Thanks

    Wednesday, April 11, 2012 12:57 PM

Answers

  • Hello,

    Maybe the deletion has not been replicated to all DCs.

    Please run dcdiag /v on all DCs you have and check if there are any errors. Also, run repadmin /syncall and check the results.

    You can also ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer


    Wednesday, April 11, 2012 1:27 PM
  • Hi,

    I agree with Mr X. This can be an issue of DC Replication.

    In the meantime, I suggest we log off and log on this user again to test the result.

    Please give it a try and let us know the result.

    Regards

    Kevin

     


    TechNet Community Support

    Thursday, April 12, 2012 3:30 AM

All replies

  • Please explain.

    How is the Group Policy defined?

    Is the Group Policy using the default ADM or ADMX, or is it custom? (If it is custom, then it might be an issue with GPO tattooing.)

    Let us know what kind of Group Policy it is.

    Also, if possible, post the results of gpresult /h c:\gpresult.htm

    Understanding Policy Tattooing:

    http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, April 11, 2012 1:07 PM
  • Hi,

    Have you checked that the machine onto which the user is logging is processing group policy correctly? If you're using gpresult, make sure you verify the "Last time Group Policy was applied" line to ensure the user's not working off cached policy settings.

    You might also want to verify this through running the following command from a command prompt on that user's desktop (does not need to be run as an administrator):

    whoami /groups

    Depending on what this comes back with, it might even point you back to troubleshooting one or more domain controllers. But I'd start with looking at client-side policy events in either Event Viewer (on Windows Vista or later) or UserEnv.log (Windows XP/2003 and prior).

    Cheers,
    Lain

    Wednesday, April 11, 2012 1:35 PM
  • Hello,

    Have you checked on the DCs that replication has occurred for the changes? Use repadmin to get a detailed overview.

    http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, April 11, 2012 4:42 PM
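
The two checks suggested in the replies above (has the removal replicated to every DC, and is the group still in the user's logon token) can be scripted together; this is an added example, not code from any poster in the thread. The account name `jdoe` and group name `GPO-Filter-Group` are placeholders, and the script is assumed to run in the affected user's session on a domain-joined machine.

```powershell
# Added example. 'jdoe' and 'GPO-Filter-Group' are hypothetical placeholder names.
param(
    [string]$User  = 'jdoe',
    [string]$Group = 'GPO-Filter-Group'
)

# Plain LDAP via System.DirectoryServices, so Server 2003 DCs answer as well.
function Find-One([string]$Server, [string]$Filter) {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $ds.FindOne()
}

# Escape characters that are special inside an LDAP filter value.
function Escape-Filter([string]$v) {
    $v.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$userHit = Find-One $domain.DomainControllers[0].Name "(&(objectCategory=person)(sAMAccountName=$User))"
if (-not $userHit) { throw "User '$User' not found" }
$userDn = Escape-Filter ([string]$userHit.Properties['distinguishedname'][0])

# 1) Ask every DC whether its copy of the group still lists the user.
#    Direct membership only; nested and primary-group membership are not checked.
foreach ($dc in $domain.DomainControllers) {
    try {
        $hit   = Find-One $dc.Name "(&(objectCategory=group)(sAMAccountName=$Group)(member=$userDn))"
        $state = if ($hit) { 'STILL A MEMBER' } else { 'not a member' }
    } catch {
        $state = "query failed: $($_.Exception.Message)"
    }
    '{0,-40} {1}' -f $dc.Name, $state
}

# 2) Check the current logon token (the same data whoami /groups shows).
#    The token is built at logon, so a removed group stays in it until the next logon.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$names = $token.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
$inToken = @($names | Where-Object { $_.Split('\')[-1] -eq $Group }).Count -gt 0
"Token for $($token.Name) contains '$Group': $inToken"
```
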
  • Hi,

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
     
    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
     
    Best Regards
     
    Kevin


    TechNet Community Support

    Tuesday, April 17, 2012 2:28 AM