Under what conditions does new group membership take effect?

[John Park]

I created a new user named Mike in AD which is set up with Windows Server
2003 as member of group "domain users",I logged on a Windows XP Professional
computer with Mike.Because of the membership, Mike couldn't change the
system time.

After logged on, I put Mike into the group "Domain Admins". Then I logged
off Mike and logged on back again. What I expected is that Mike could change
the system time, but he couldn't. I tried to logged off Mike and Logged on
back one more time, this time Mike could change the time.

I have tried some settings related to membership, the results were the same,
I needed to logon twice to make the settings take effect.I wonder what the
problem is? Can anybody give me some suggestions.

Thanks in advance.

 

[Erdem_Y@MCSE]

what your AD building single or multiple ?

 

[Guest]

I've been wondering about this, as I've seen it in my test lab.

In your case I'm assuming very small environment, e.g. one DC. If not, then
this will be a replication issue, as mentioned by Erdem_Y@MCSE.

Two things that I can think of:

1. It's an XP caching/ client optimisation thing.
2. The info. isn't updated in the GC immediately.


XP does a lot of caching, and things to speed the boot time and minimise
bandwidth. There's lots of issues like this with GPO. Perhaps this is the
cause? I would say it's more than likely this than an issue with the DC/GC
request.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 

[Dean Wells [MVP]]

If you could answer a few questions, it may lead to an answer or
explanation -

How many DCs do you have?
How many domains do you have?
Which version of the operating system are your DCs running?
How much time passed (after making the change) before logging back on?

 

[Herb Martin]

AD User: the next time the user in question logs
on to a Computer which is authenticating with a
DC which has completed the replication of the
group membership change.

Usually at next logon.

Computer group membership: Next time the
user logs on.

I created a new user named Mike in AD which is set up with Windows Server
2003 as member of group "domain users",I logged on a Windows XP Professional
computer with Mike.Because of the membership, Mike couldn't change the
system time.

After logged on, I put Mike into the group "Domain Admins". Then I logged
off Mike and logged on back again. What I expected is that Mike could change
the system time, but he couldn't. I tried to logged off Mike and Logged on
back one more time, this time Mike could change the time.

I have tried some settings related to membership, the results were the same,
I needed to logon twice to make the settings take effect.I wonder what the
problem is? Can anybody give me some suggestions.

You were probably waiting for replication to the
DC which authenticated the user.

 

[John Park]

Single one.

what your AD building single or multiple ?

 

[John Park]

1.Only one DC.
2.Only one Domain.
3.DC's version is Windows Server 2003 Enterprise Edition Evaluation Copy
(Build 3790.srv03_rtm.03024-2048)
4.About 10 seconds before logging back on.

If you could answer a few questions, it may lead to an answer or
explanation -

How many DCs do you have?
How many domains do you have?
Which version of the operating system are your DCs running?
How much time passed (after making the change) before logging back on?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

I created a new user named Mike in AD which is set up with Windows
Server 2003 as member of group "domain users",I logged on a Windows
XP Professional computer with Mike.Because of the membership, Mike
couldn't change the system time.

After logged on, I put Mike into the group "Domain Admins". Then I
logged off Mike and logged on back again. What I expected is that
Mike could change the system time, but he couldn't. I tried to logged
off Mike and Logged on back one more time, this time Mike could
change the time.
I have tried some settings related to membership, the results were
the same, I needed to logon twice to make the settings take effect.I
wonder what the problem is? Can anybody give me some suggestions.

Thanks in advance.

 

[Dean Wells [MVP]]

Are you still able to reproduce this behavior, I cannot?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

1.Only one DC.
2.Only one Domain.
3.DC's version is Windows Server 2003 Enterprise Edition Evaluation
Copy (Build 3790.srv03_rtm.03024-2048)
4.About 10 seconds before logging back on.

If you could answer a few questions, it may lead to an answer or
explanation -

How many DCs do you have?
How many domains do you have?
Which version of the operating system are your DCs running?
How much time passed (after making the change) before logging back
on? --
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

I created a new user named Mike in AD which is set up with Windows
Server 2003 as member of group "domain users",I logged on a Windows
XP Professional computer with Mike.Because of the membership, Mike
couldn't change the system time.

After logged on, I put Mike into the group "Domain Admins". Then I
logged off Mike and logged on back again. What I expected is that
Mike could change the system time, but he couldn't. I tried to
logged off Mike and Logged on back one more time, this time Mike
could change the time.
I have tried some settings related to membership, the results were
the same, I needed to logon twice to make the settings take effect.I
wonder what the problem is? Can anybody give me some suggestions.

Thanks in advance.

 

[John Park]

Problem still exist.
Anyway,Thanks for your help!

Are you still able to reproduce this behavior, I cannot?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

1.Only one DC.
2.Only one Domain.
3.DC's version is Windows Server 2003 Enterprise Edition Evaluation
Copy (Build 3790.srv03_rtm.03024-2048)
4.About 10 seconds before logging back on.

If you could answer a few questions, it may lead to an answer or
explanation -

How many DCs do you have?
How many domains do you have?
Which version of the operating system are your DCs running?
How much time passed (after making the change) before logging back
on? --
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

John Park wrote:
I created a new user named Mike in AD which is set up with Windows
Server 2003 as member of group "domain users",I logged on a Windows
XP Professional computer with Mike.Because of the membership, Mike
couldn't change the system time.

After logged on, I put Mike into the group "Domain Admins". Then I
logged off Mike and logged on back again. What I expected is that
Mike could change the system time, but he couldn't. I tried to
logged off Mike and Logged on back one more time, this time Mike
could change the time.
I have tried some settings related to membership, the results were
the same, I needed to logon twice to make the settings take effect.I
wonder what the problem is? Can anybody give me some suggestions.

Thanks in advance.

 

[John Park]

I think the answer from ptwilliams is right.

After I changed my Windows XP Professional with Windows Server 2003
Enterprise Edition, the problem is resolved.

Anybody can tell me how to reslove the cache problem with Windows XP
professional?

Thanks ptwilliams for your information.

 

[Herb Martin]

I think the answer from ptwilliams is right.

PT is a smart fellow and if he says he thinks he sees
it in the lab, then I for one will take it seriously BUT he
is only suspicious, not convinced (or ready to proclaim)
and MOST such problems are going to be due to
authentication or replication.

The caching probably due to old information that CANNOT
be updated right now due to either failure to replicate or
failure to authenticate.

So until you eliminate these as causes, don't jump to
conclusion.

[It's similar to a decade ago when viruses really were
not that common but the average beginner was convinced
every hard disk problem or anything else was a virus
infrection.]

After I changed my Windows XP Professional with Windows Server 2003
Enterprise Edition, the problem is resolved.

Anybody can tell me how to reslove the cache problem with Windows XP
professional?