none
User won't add to an AD security group

    Question

  • Hello,

         I've been scouring around the last few days and I've come up empty handed with an issue I'm having on a personal domain and I'm hoping someone here can point me in the right direction.

         I have a domain controller set up in a lab environment running Server 2012 RU with three computers and three users joined to the domain.  I'm currently attempting to apply group policy via AD security groups but I've hit a dead end.  I've created the users and moved them to a nested OU, we'll call it SiteA>Users.  I then created a global security group called Control Panel Restriction and placed it in a nested OU in SiteA>Groups, and joined one of the users to the security group.  I then created a group policy and configured it to restrict all access to the control panel and linked it to the SiteA OU.  In security filtering I've removed the authenticated users group and added the Control Panel Restriction group.

         The first time the user is joined to a security group it seems to work fine.  If I remove the user from the group and run gpupdate /force, the user can once again access the control panel.  From that point going forward, however, it's as if the user is never added to a security group again.  I can add the user directly to the security filtering section of the GPO and it works, but it's like security group membership will not update anymore for that user.

         Troubleshooting:  I've verified the permissions of the security group for the GPO and made sure it has read and apply group policy access, I've created a test user and placed it in the Control Panel Restriction security group and policy applied successfully (once), so I know the group works.  I ran a gpresult /r for the user and found the group policy IS being applied, but it's being denied through security filtering.  In the group membership section of the gpresult report it indicates the user is only a member of the default security groups in AD, not the custom made security group, even though a quick inspection of AD proves otherwise.

         Any advice?

    Saturday, January 24, 2015 4:37 AM

Answers

  • After you add, or remove, a user from a group, ensure that the changes have replicated/propagated across the DC's (waiting for your replication cycle time is usually enough), then, ensure that the user logs off, and then log the user on again.

    The logoff/logon cycle is typically important, since the user's security token is constructed at logon, and the token is constructed based on group memberships at the time of logon.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by Corren28 Saturday, January 24, 2015 3:47 PM
    Saturday, January 24, 2015 8:12 AM

All replies

  • After you add, or remove, a user from a group, ensure that the changes have replicated/propagated across the DC's (waiting for your replication cycle time is usually enough), then, ensure that the user logs off, and then log the user on again.

    The logoff/logon cycle is typically important, since the user's security token is constructed at logon, and the token is constructed based on group memberships at the time of logon.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by Corren28 Saturday, January 24, 2015 3:47 PM
    Saturday, January 24, 2015 8:12 AM
  • That...was incredibly simple.  I love it.  Thank you Don, I was running gpupdate /force but hadn't stopped to think to let the token rebuild.  Now it works beautifully.
    Saturday, January 24, 2015 3:46 PM