I have some groups (Universal, Security) that no longer have members inside. However when I log in as one of these members and run a gpresult, I still see the user account in the group. I have logged off and on again, and have refreshed group policy. What would cause this?

EDIT: I noticed if I log into a workstation the user is not in the group in question. When I initially checked I was logging into a Terminal Server session. Why is this?

may be the session was not logged off, but just disconnected previously and the group membership is refreshed only when logged off

I don't think that may be the case. The server was rebooted, and when I logged in again and ran a gpresult the user was still in the group. This is driving me crazy.

goosed, you don't have universal group craching enabled do you?http://cbfive.com/blog

I just checked, and it is disabled. Enabling cached logons wouldn't matter right?

cached logons and fast logon optimization can also have an impact as group membership is one of the items that is cached. the group membership cache can be found at HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership. there are a few ways that you can test if this is the issue. you can: 1. disable fast logon optimization 2. disable cached credentials or force 3. delete the local profile (!!! WARNING !!! this will delete user state and data) http://cbfive.com/blog

Thanks Rich. I will try this and let you know how I make out.

sounds good. thanks goosed.http://cbfive.com/blog

Hi, How's everything going? I want to check if the suggestion has helped. If you need further assistance, please do not hesitate to respond back.This posting is provided "AS IS" with no warranties, and confers no rights.

Hey Rich, can you tell me how to disable fat logon optimization and disable cached credentials? I did try deleting the user profile from the Terminal server but that did not work. Thanks again.

Additionally I noticed that on some terminal servers the gpresult shows the user in the correct groups. So far from my testing I've only found one server with a problem. I cannot check on a few as I'm getting a "no rsop data found" message. Is there a way to enable this?

ah, didn't realize that this was through terminal services. that changes the game a little bit. fast network logon is extremely unlikely to come into play here. can you please confirm that in troubleshooting you have multiple Terminal Servers and only 1 is experiencing the problem? are all users on that server experiencing the problem (if group membership has changed)? thx /richhttp://cbfive.com/blog

I started playing around with the GPO's; mainly removing loopback processing. It seems to have strangely made a difference in the groups.