Reg Group membership update

  • 71 Views
  • Last Post 10 September 2015
Bharathian posted this 08 September 2015

Hi all,   I need an advise on how to go about for troubleshooting the access token or PAC in the client system.

  The problem is, I recently observed that the group membership for the user account is not appearing properly. The groups are appearing only after the 2nd logon.   For eg:

  1.        UserA is logged onto his system. 2.       UserA is added to the group “Testing access” in AD. 3.       UserA logged off and logged in again. 4.       Whoami /groups doesn’t show the Testing access group. 5.       Again the UserA logged off and logged in again. 6.      Now the whoami /groups is showing the testing access group.     Note: If we remove the group or add any other group also, it is showing the same behavior. And the Respective DC where the group is added is in the same site as the client. And this behavior is appearing only if we move the computer account to 1 OU.   But I am not able to find any OU specific settings and also I tried for other user accounts in the same machine. If I test the same user account in another machine in another OU, then it is showing the groups immediately.   Thanks Bharathi

L&T-Construction   This Message and its contents is intended solely for the addressee and is proprietary. Information in this mail is for L&T Business Usage only. Any Use to other than the addressee is misuse and infringement to Proprietorship of L&T Construction. If you are not the addressee please return the mail to the sender.
L&T Construction.
 

Order By: Standard | Newest | Votes
ZJORZ posted this 08 September 2015

Is the client authenticating against the same DC where the change of the group is processed? Check client site membership with:·         NLTEST /DSGETSITE·         NLTEST /DSADDRESSTOSITE:<DC> /ADDRESSES:<IP ADDRESS> Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto*: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx(: +31 (0)6 26.26.62.80 Description: Description: Description: Description: Think Green 

show

Bharathian posted this 08 September 2015

Hi Jorge,

 

It is not authenticating to the same DC, as we have 4 DCs in the same site, but I ensured before logoff that group change is replicated to all the DCs.

 

Thanks

Bharathi

 

show

gkirkpatrick posted this 08 September 2015

Sounds like the user is authenticating with a different DC where the group is being modified…. Have you checked which DC the client is authenticating with?

 

-g

 

show

ZJORZ posted this 08 September 2015

Something tells me it is replicating latency. Try the following:·         Make the change on the DC·         Force outbound replication from that DC to other DCs·         Login What’s the OS of the DCs? Met vriendelijke groeten / Kind regards, Jorge de Almeida Pinto: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx(: +31 (0)6 26.26.62.80 Description: Description: Description: Description: Think Green 

show

gkirkpatrick posted this 08 September 2015

Hi Bharathi,

 

I assume it’s a single domain?

 

If you move the machine to another OU, does everything work normally? If so, I would suspect some sort of GP problem, but I can’t think of what it would be.

 

-g

 

show

Bharathian posted this 08 September 2015

I checked the groups before log off in all the 4 DCs and it is replicated. And still If I logoff and login it wouldn’t come. Only the second time it appears.



 

I suspect the access token, is not updating after the logon.. But I wonder where do I check….

 

show

Bharathian posted this 08 September 2015

Hi Gill,

 

Yes if I move it to another OU, this behavior disappear.. But I am not able to find any GP linked only to that OU, only the common GPs are linked.

 

show

kbatlive posted this 09 September 2015

Is it consistently failing for this user or that particular group? This is a long shot (this happened to me however[1] which is why I mention it at all) – is the user a member of too many groups (including nesting)?  Perhaps the Kerberos token size is getting exceeded[2]…and depending upon the order of group processing, the user becomes a member (or not) depending upon that order when the DC generates the token? Why it works in one OU but not another is a different question…but if it is repeatable, that is enormously easier to troubleshoot. [1] and was painful.  Domain admins is removed from all member servers/workstations and only granted access when necessary (usually via a group) – and at one point, due to nesting, my DA account became intermittently inoperative due to the nesting (to around 450 groups at one point!) [2] default is 12,000 bytes – but if the user is a member of many groups or many domain local groups (including nested groups) – that 12,000 byte limit could be exceeded. 

show

Bharathian posted this 10 September 2015

Hi,

 

There are only few groups are involved for this account, and anyway we are getting the groups when we login the second time.



 

This issue is resolved now by changing a group policy setting “Always

wait for the network at computer startup and logon – Enabled




 

Once we have enabled this, the groups are showing correctly. I think the problem was after the first login, the newly added group is added in the token (tested with folder where

the read permission is enabled only to the new group), but it was not showing when we ran the whoami command. After enabling this setting, I think the system processed everything and once you logon the group is appearing now.

 

The reason being it was only appearing in one OU was, that 1 OU belongs to 1 particular location and the network might be slow, which in turn made the group policy to refresh

only after the logon.

 

Thanks for everyone, who responded..

J

 

Thanks

Bharathi.

 

show

Close