Windows 10 – user group membership changing

Home Forums Server Operating Systems Windows Server 2012 / 2012 R2 Windows 10 – user group membership changing

This topic contains 5 replies, has 4 voices, and was last updated by Avatar Ossian 3 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • Avatar
    mjakubowskilkr
    Participant
    #625525

    I’ve got Windows Server 2012R2 domain and clients with Windows 10 Pro. I noticed that Windows clients refresh user group membership change after 2 relogin/reboot not after first relogin.
    Is it Windows Server or Windows 10 bug? How to fix it?

    Avatar
    wullieb1
    Moderator
    #625526

    Your not making any sense.

    Have you created a GPO that changes the group memberships of certain groups within the Windows 10 local groups?

    Or are the members of these groups changing without any interaction from GPO or any other means?

    If its the first then this is by design as its the way that the GPO’s are applied when you are logging in. Sometimes you need 2 reboot/logins for the settings to be processed correctly.

    Avatar
    mjakubowskilkr
    Participant
    #625527

    I’m not changing Windows 10 local group membership – I mean changing AD security group membership for user. I think it’s not GPO issue, there is no gpo policy concerned to group membership changing. I read that it should work after logout and login or after removing all Kerberos ticket with klist. None of these methods work. Everytime I need 2 logouts or 2 reboots to view new membership on Windows 10 client.

    Avatar
    RicklesP
    Participant
    #625528

    Q: how many domain controllers are there in your system? Reason: just because you change a user’s group membership thru Active Directory Users & Computers, does not mean such a change is instantaneous across the entire domain. There is domain replication to think of, when the DCs sync up with each other. Your change is made immediately on whichever DC you’re connected to, but replication to other DCs can take a few minutes, depending on how your environment is set up. If you’re making the user change and then immediately trying to see such a change on a user’s login, your user’s login could be talking to a different DC.

    When you make your change in AD, force a sync between the DCs using the AD Sites and Services MMC and then try the user’s login again. Another thing to consider is user’s profile caching on the Win10 client, but that shouldn’t be an issue if your client’s access to the network is solid.

    Avatar
    mjakubowskilkr
    Participant
    #625529

    The problem is that it’s only one domain controller. It should work after relogin instantly but it doesn’t and I don’t know why.

    Avatar
    Ossian
    Moderator
    #625558

    I cannot remember if it applies to groups, but with GPOs (which can push group membership) it is well known that it will take 2 logins / reboots to be sure of picking the change up. This is due to caching of the previous set of policies, which are applied during startup / login, then asynchronously refreshed from a DC (on workstations – servers download and apply the current settings). There is a GP setting to change this behaviour, which might be worth looking into.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.