Dec 30, 2019 at 6:15 am #625525
I’ve got a Windows Server 2012R2 domain and clients with Windows 10 Pro. I noticed that Windows clients refresh a user group membership change after 2 relogins/reboots, not after the first relogin.
Is it a Windows Server or Windows 10 bug? How do I fix it?
wullieb1 Moderator Dec 30, 2019 at 5:44 pm #625526
You’re not making any sense.
Have you created a GPO that changes the group memberships of certain groups within the Windows 10 local groups?
Or are the members of these groups changing without any interaction from GPO or any other means?
If it’s the first then this is by design, as it’s the way that the GPOs are applied when you are logging in. Sometimes you need 2 reboots/logins for the settings to be processed correctly.
Dec 31, 2019 at 4:21 am #625527
I’m not changing Windows 10 local group membership – I mean changing AD security group membership for a user. I think it’s not a GPO issue; there is no GPO policy concerned with changing group membership. I read that it should work after logout and login or after removing all Kerberos tickets with klist. None of these methods work. Every time I need 2 logouts or 2 reboots to view the new membership on the Windows 10 client.
RicklesP Participant Dec 31, 2019 at 8:36 am #625528
Q: how many domain controllers are there in your system? Reason: just because you change a user’s group membership thru Active Directory Users & Computers, does not mean such a change is instantaneous across the entire domain. There is domain replication to think of, when the DCs sync up with each other. Your change is made immediately on whichever DC you’re connected to, but replication to other DCs can take a few minutes, depending on how your environment is set up. If you’re making the user change and then immediately trying to see such a change on a user’s login, your user’s login could be talking to a different DC.
When you make your change in AD, force a sync between the DCs using the AD Sites and Services MMC and then try the user’s login again. Another thing to consider is user’s profile caching on the Win10 client, but that shouldn’t be an issue if your client’s access to the network is solid.
Dec 31, 2019 at 9:19 am #625529
The problem is that it’s only one domain controller. It should work after relogin instantly but it doesn’t and I don’t know why.
Ossian Moderator Jan 01, 2020 at 3:27 am #625558
I cannot remember if it applies to groups, but with GPOs (which can push group membership) it is well known that it will take 2 logins / reboots to be sure of picking the change up. This is due to caching of the previous set of policies, which are applied during startup / login, then asynchronously refreshed from a DC (on workstations – servers download and apply the current settings). There is a GP setting to change this behaviour, which might be worth looking into.
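A way to see which side is stale, added here as an example and not posted by anyone in the thread: the script below compares the domain group SIDs in the current logon token with the `tokenGroups` attribute that the directory computes for the same account at the moment of the query. It assumes a single-domain environment, a domain user session on the client and a reachable domain controller; the function and variable names are illustrative.

```powershell
# Added example (not from the thread): token contents vs. current AD membership.
# Run it inside the affected user's session on the Windows 10 client.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value

# Domain group SIDs carried by the access token that was built at logon.
$tokenSids = @($identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_ -like "$domainSid-*" })

# Locate the user object by SID and read the constructed tokenGroups attribute,
# which the DC expands (nested groups included) when it is queried.
$searcher = [adsisearcher]"(objectSid=$($identity.User.Value))"
$result   = $searcher.FindOne()
if (-not $result) { throw 'User object not found in the directory.' }

$entry = $result.GetDirectoryEntry()
$entry.psbase.RefreshCache(@('tokenGroups'))
$adSids = @($entry.psbase.Properties['tokenGroups'] |
    ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value } |
    Where-Object { $_ -like "$domainSid-*" })

# Hypothetical helper: turn a SID string into DOMAIN\name, or return the SID if unresolved.
function Resolve-SidName([string]$Sid) {
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Groups AD reports now that the token lacks: membership added after the token was built.
$adSids | Where-Object { $tokenSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ State = 'In AD, missing from token'; Group = Resolve-SidName $_ }
}

# Groups still in the token that AD no longer reports: membership removed since logon.
$tokenSids | Where-Object { $adSids -notcontains $_ } | ForEach-Object {
    [pscustomobject]@{ State = 'In token, no longer in AD'; Group = Resolve-SidName $_ }
}
```

No output means the token and the directory agree; any row after a fresh logon shows that the token was built from older membership data than the directory currently holds.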