Active Directory membership not refreshing


  • Active Directory membership not refreshing

    Hi,

    I created a script based on group membership to map drives. 24 hours after adding or deleting groups, some users don't get a group membership refresh. Looking at whoami /all, the info provided is outdated.

    How can I troubleshoot this? I took a look at the Troubleshooting Active Directory TechNet article (Changes to group memberships are not taking effect) but the solution is very generic. I tried some Active Directory utilities but I can't figure out where the problem resides and how to fix it.

    Regards,
    Salva.

  • #2
    Re: Active Directory membership not refreshing

    Are they logging off at least once?
    Check group policy for the lifetime of tickets
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: Active Directory membership not refreshing

      Yes, they are logging off for sure. I don't know what the relationship between AD group membership and Group Policy is, but in any case how could I check this?

      Regards,
      Salva.

      • #4
        Re: Active Directory membership not refreshing

        At logon a user gets a Kerberos ticket containing (among other things) their group membership.
        The ticket is renewed every 10 hours by default, but this is a setting controlled by group policy:
        http://www.windowsitpro.com/article/...d-by-kerberos-

        Logon also issues a new ticket.

        Are you sure the script is running OK -- can you post it, and how are you applying it?
        Tom Jones


        • #5
          Re: Active Directory membership not refreshing

          Do a gpresult on an affected user's PC and it will also show you what group a user is a member of.

          How many DCs in your org? Is replication working OK?

          Please run a DCDIAG and NETDIAG on the DCs.

          Maish also has a superb PS script that will check your replication and it can be found here: http://technodrone.blogspot.com/2010...atus-with.html

          (I'm hoping it's the same Maish that is on our very own forum.)
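
One way to check whether a session's group list is stale, as an added example that is not part of any post in this thread: the PowerShell below compares the groups in the current logon token (what whoami /all shows) with the groups the directory computes now. Variable names are this example's own, and it assumes it is run in the affected user's session on a domain-joined machine.

```powershell
# Added example (not from the thread): token groups vs. current directory groups.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value   # empty for a local account

# Groups placed in the access token at logon. Keep only SIDs from the user's
# own domain so well-known SIDs (Everyone, INTERACTIVE, ...) are not reported.
$tokenSids = @($identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith("$domainSid-") })

# Groups the directory computes now. tokenGroups is a constructed attribute,
# so it has to be requested explicitly on the user object.
$user = [ADSI]"LDAP://<SID=$($identity.User.Value)>"
$user.psbase.RefreshCache([string[]]@('tokenGroups'))
$directorySids = @(foreach ($bytes in $user.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    if ($sid.Value.StartsWith("$domainSid-")) { $sid.Value }
})

# Resolve a SID to DOMAIN\name, falling back to the raw SID string.
function Resolve-SidName([string]$SidString) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $SidString }
}

$diff = Compare-Object -ReferenceObject $directorySids -DifferenceObject $tokenSids
if (-not $diff) {
    Write-Output 'Token and directory agree on domain group membership.'
}
foreach ($entry in $diff) {
    $name = Resolve-SidName $entry.InputObject
    if ($entry.SideIndicator -eq '<=') {
        Write-Output "In directory, missing from token (added since logon?): $name"
    } else {
        Write-Output "In token, no longer in directory (removed since logon?): $name"
    }
}

# Start, end and renew times of the Kerberos tickets cached for this session.
klist
```

The directory side reflects whichever domain controller ADSI binds to, so a difference can also come from replication lag between DCs. The filter on the domain SID means groups from other domains are not compared.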
