Discussion: Active Directory group membership changes

Patrick
2010-04-21 22:23:01 UTC
Hi,

I have a conundrum that I cannot figure out.

Expected result:
User accesses network share, user gets access denied.
AD admin updates group membership to add user.
User gains access (immediately + directory service update period) to
previously denied share.

Current result:
User accesses network share, user gets access denied.
AD admin updates a user's group membership.
User attempts to access immediately, access denied.
User waits 15 minutes, access denied.
User waits 24 hours, access denied.
User waits 48 hours, access denied.
User logs out, logs in, access granted.

The question is, is this an expected result? The end result is I'm working
on an application that needs near instantaneous group update details and
using the GetAuthorizationGroups call, I get this result (and with the above
tests). If this is not an expected result, what could I be doing wrong in
setup? If this is the expected norm, other than direct LDAP calls, is there
another option to which I can do this same call process? (Yes, LDAP call
does reflect the change immediately).

Test machines have been:
Win2k8 + AD
Win2k8 file server
WinXP client
Win7 client

Kind regards,
Patrick
Richard Mueller [MVP]
2010-04-22 15:18:36 UTC
Post by Patrick
[original post quoted in full; snipped]
What you experience is the expected result. When you log on you get a token
with the SIDs of all security groups you belong to (including memberships due
to group nesting). When the user accesses a resource, this token is compared
to the DACL associated with the resource to determine permissions. If the user
is added to (or removed from) a group, the token is not refreshed. The user
must log off and log on again to get a new token.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
familie couwenberg -evers
2010-06-20 22:45:57 UTC
Post by Richard Mueller [MVP]
[earlier reply and original post quoted in full; snipped]
c***@hotmail.com
2010-06-09 09:19:21 UTC
Post by Patrick
[original post quoted in full; snipped]
Alfred Mohler
2010-08-19 16:32:37 UTC
Post by Patrick
[original post quoted in full; snipped]
yunus emre aybar
2010-06-25 06:08:26 UTC
Post by Patrick
[original post quoted in full; snipped]
MICHAEL MELLISH
2010-06-28 13:29:41 UTC
Post by Patrick
[original post quoted in full; snipped]
WHAT'S UP LADIES AND GENTS, WELCOME
Jennie Randle
2010-07-13 02:28:14 UTC
Hello, I do not know anything about this.
Post by Patrick
[original post quoted in full; snipped]
d***@yahoo.com
2010-07-15 12:00:57 UTC
Post by Patrick
[original post quoted in full; snipped]
节能
2010-07-18 16:31:13 UTC
Post by Patrick
[original post quoted in full; snipped]
Al Dunbar
2010-07-24 20:37:46 UTC
Post by Patrick
[snip]
The question is, is this an expected result?
Yes, it is.
Post by Patrick
The end result is I'm working
on an application that needs near instantaneous group update details and
using the GetAuthorizationGroups call, I get this result (and with the above
tests). If this is not an expected result, what could I be doing wrong in
setup? If this is the expected norm, other than direct LDAP calls, is there
another option to which I can do this same call process? (Yes, LDAP call
does reflect the change immediately).
What "LDAP call" are you referring to? If you are changing group membership
with an LDAP call, you should still have the same result, i.e. the user will
only enjoy the permission change conferred by the group membership change
when logging on *after* the group membership change has been made (or has
been replicated to the DC against which the user is logging on).

The reason is that group membership is NOT determined by NTFS (or most other
systems that work with AD group security) by checking either the memberof
property of the user or the members property of the group. It would be far
too time-consuming for those transactions to take place as needed, because of
the traffic with the DC that it would involve.

When a user logs on to a domain member computer, a token is created that
belongs to his session that somehow captures all of his/her group
memberships. It is this token that is used to arbitrate access based on
permissions given to security groups.

/Al
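Richard's and Al's replies make the same point: the file server checks the SIDs frozen into the logon token, not the live directory, against the DACL. The following PowerShell is an added example (not code from the thread or from any poster) that makes that gap visible by listing domain group SIDs present in the user's live AD membership (the constructed tokenGroups attribute) but absent from the current process token, and vice versa. It assumes a domain-joined machine and that it is run as the user whose access is being tested.

```powershell
# Added example: compare the group SIDs in the current logon token with the
# user's live Active Directory membership. Run as the user being tested,
# on a domain-joined machine. Not code from the thread.

# 1. Groups as the access check sees them: the SIDs baked into the token at logon.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($null -eq $me.User.AccountDomainSid) { throw "Current user is not a domain account." }
$tokenSids = @($me.Groups | ForEach-Object { $_.Value })

# 2. Groups as the directory sees them right now. tokenGroups is a constructed
#    attribute that already expands nested membership, but it is only returned
#    for a base-scope search on the user object itself.
$entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$($me.User.Value)>")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
$searcher.Filter      = "(objectClass=*)"
[void]$searcher.PropertiesToLoad.Add("tokenGroups")
$result = $searcher.FindOne()

$liveSids = @()
foreach ($bytes in $result.Properties["tokengroups"]) {
    $liveSids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# 3. Compare only SIDs from the user's own account domain. The token also carries
#    well-known and local SIDs (Everyone, INTERACTIVE, BUILTIN\Users, the logon SID)
#    that tokenGroups never lists; those are not stale, just out of scope.
#    Groups from other domains in the forest are ignored by this filter as well.
$domainPrefix = $me.User.AccountDomainSid.Value + "-"
$tokenDomain  = @($tokenSids | Where-Object { $_.StartsWith($domainPrefix) })
$liveDomain   = @($liveSids  | Where-Object { $_.StartsWith($domainPrefix) })

$missingFromToken = @($liveDomain  | Where-Object { $tokenDomain -notcontains $_ })
$staleInToken     = @($tokenDomain | Where-Object { $liveDomain  -notcontains $_ })

# Best-effort SID-to-name translation for readable output.
function Resolve-Sid([string]$sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

if ($missingFromToken.Count -eq 0 -and $staleInToken.Count -eq 0) {
    "Token matches directory membership; no logoff/logon needed."
} else {
    $missingFromToken | ForEach-Object { "Added in AD but not in token (needs new logon): $(Resolve-Sid $_)" }
    $staleInToken     | ForEach-Object { "Removed in AD but still in token (access persists): $(Resolve-Sid $_)" }
}
```

The "removed in AD but still in token" case is the one worth watching from a defender's side: until the session ends, a revoked membership still grants access on every server that trusts that token.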
denise searles
2010-08-10 17:47:58 UTC
Post by Patrick
[original post quoted in full; snipped]
h***@hotmail.com
2010-08-27 04:04:34 UTC
Post by Patrick
[original post quoted in full; snipped]
r***@gmail.com
2013-06-03 15:30:05 UTC
Hi Patrick,

Well, the issue you are facing is one of SQL Authentication. This is just because the database that is created is of a different name and you want to log in by a different name. For this I can say please use a third-party tool such as Lepide Auditor For AD. This tool enables you to get all the compliance reports and moreover it helps you to generate real-time reports also.

Please download the tool from the given link ...

http://www.lepide.com/active-directory-audit/

Hope it helps

Thanks.
Post by Patrick
[original post quoted in full; snipped]