
I'm running into an odd situation: domain group membership as reported by Group Policy differs from that of Active Directory.

DOMAIN\user.name was already a member of DOMAIN\some_group_1. I added it to the AD group DOMAIN\some_group_2. The command gpresult /v now reports that DOMAIN\user.name is NOT a member of DOMAIN\some_group_2, while the Active Directory Users and Computers snap-in clearly shows that it is.

Both groups have Global scope and were created using the WSE 2016 Dashboard.

This situation is preventing Group Policy Preferences from creating a registry entry for this user, an entry that's targeted for all users in DOMAIN\some_group_2.

Why isn't Group Policy picking up the new membership?

As an aside, Get-ADPrincipalGroupMembership user.name run at the DC reports that the user is a member of Domain Users only.

--EDIT--

I should clarify that I'm connecting to the domain using two computers via two methods: 1) LAN; 2) Remote VPN. The symptoms are identical on both connections.

InteXX
  • You are aware that group membership changes don't take effect until the user logs out and back in? Have you checked what `whoami /groups` says for the user? – Harry Johnston May 04 '19 at 03:05
  • @HarryJohnston ~ Signing out and back in yields no improvement. `whoami /groups` reports the same membership info that `gpresult /v` does — `DOMAIN\some_group_2` isn't present in either list (but it is present in the snap-in at the server). – InteXX May 04 '19 at 03:24
  • Do you have more than one site? If so, where was the change to the group membership made? Has the change to the group membership replicated to all other DC's? What does gpresult /r state about what DC that GP was applied from? – joeqwerty May 04 '19 at 03:45
  • @joeqwerty ~ A limitation of WSE is that you can have only one DC. You can have a member server, but no BDCs are allowed. In this case it's hosted in a VM, but that probably isn't relevant to this issue. I'm connecting to the domain using two computers via two methods: 1) LAN; 2) Remote VPN. The symptoms are identical on both connections. – InteXX May 04 '19 at 04:44
  • Try removing the client from the domain and then rejoining it. – Harry Johnston May 04 '19 at 07:33
  • @HarryJohnston ~ Which client? If it were a client-side issue, wouldn't the symptom likely manifest on only one of them? – InteXX May 04 '19 at 07:42
  • It wasn't clear to me from your question that more than one client was affected. It still might be worth trying. Or if you prefer you could spin up a new VM running Windows and join that to the domain. Another potentially useful test would be to log into the DC as user.name and see what `whoami /groups` says in that case. If the group membership doesn't work when you're on the DC then it definitely isn't a client problem. – Harry Johnston May 04 '19 at 08:21
  • @HarryJohnston ~ Yes, you're correct—pardon me please. I only included the reference to multiple clients in the comments. I've edited the question accordingly. I like the VM idea; I'll give that a spin. In past versions, WSE has prevented non-admin authentications. But that may have changed since. I'll try it as well. – InteXX May 04 '19 at 16:40
  • @HarryJohnston ~ I just checked again, and `DOMAIN\some_group_2` is now present in the list on the LAN workstation. GP must've needed some time to update (even though I was issuing the `gpupdate` command). So we're making progress—I believe I'm going to take the issue up with our VPN vendor. – InteXX May 04 '19 at 17:01
  • The problem isn't in group policy, if it were just GP then `whoami` would have shown the right groups. The Windows authentication process isn't/wasn't functioning properly for some reason. – Harry Johnston May 04 '19 at 20:44
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/93241/discussion-between-intexx-and-harry-johnston). – InteXX May 04 '19 at 20:55

1 Answer

I found the problem.

I'd connected to the VPN under the domain admin account so that I'd be able to create the new profile for the standard user account. But I hadn't yet added the user account to the VPN security group in AD, so the new profile was corrupted as of its creation.

I removed and recreated the profile, and all was well. It works correctly now, and all security groups are displaying as they should.

InteXX
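The diagnosis in the comments and the answer above turns on one distinction: Group Policy Preferences security-group targeting (like `gpresult /v` and `whoami /groups`) looks at the groups in the user's logon token, not at what Active Directory Users and Computers shows. A stale token or a broken profile therefore cannot be fixed by `gpupdate`. The script below is an added example, not code from the question or the answer; it compares the current logon token with the user's AD membership and reports any group that AD has but the token lacks. It assumes the RSAT ActiveDirectory module is installed on the client, that it is run as the affected user, and it uses the placeholder names `DOMAIN\some_group_2` and `user.name` from the question.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare the groups in the current logon token with the
# user's direct group membership in AD. A group present in AD but missing
# from the token means the token is stale (new logon or, as in the answer
# above, a new profile is needed); gpupdate alone will not help.
# Assumptions: run as the affected user on a domain-joined client with RSAT.

$sam    = $env:USERNAME      # e.g. user.name
$domain = $env:USERDOMAIN    # NetBIOS domain name, e.g. DOMAIN

# 1. Groups carried in the logon token (what whoami /groups and gpresult /v
#    report). Translate SIDs to DOMAIN\name; keep the SID if translation fails.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object {
        try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }
    }

# 2. Direct membership as stored in AD (what the ADUC snap-in shows). Ask the
#    PDC emulator explicitly so a fresh change is not missed on a lagging DC;
#    on a single-DC domain such as WSE it is the only DC anyway.
$pdc      = (Get-ADDomain).PDCEmulator
$adGroups = Get-ADPrincipalGroupMembership -Identity $sam -Server $pdc |
    ForEach-Object { "$domain\$($_.SamAccountName)" }

# 3. Groups in AD but absent from the token. The token also carries BUILTIN
#    and well-known groups that AD does not list; those land on the other
#    side of the comparison and are ignored here.
$missingFromToken = Compare-Object -ReferenceObject $adGroups -DifferenceObject $tokenGroups |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

if ($missingFromToken) {
    Write-Warning "Groups in AD but not in the logon token of $domain\${sam}:"
    $missingFromToken | ForEach-Object { Write-Warning "  $_" }
    Write-Warning "Sign out and back in (or rebuild the profile); gpupdate will not refresh the token."
} else {
    Write-Host "Logon token matches AD membership for $domain\$sam."
}

# 4. The specific check for the GPP item: security-group targeting tests the
#    token, so this is what decides whether the registry preference applies.
$target = "$domain\some_group_2"   # placeholder group name from the question
if ($tokenGroups -contains $target) {
    Write-Host "$target is in the token; a GPP item targeted at it will apply."
} else {
    Write-Warning "$target is NOT in the token; a GPP item targeted at it will be skipped."
}
```

Run it as the user on the client that shows the problem. If it reports the group as present in AD but missing from the token while `gpresult /r` shows policy was applied from the expected DC, the problem is in the logon (token or profile), as Harry Johnston's last comment says, not in Group Policy processing.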