gpresult /r report shows user as a domain admin when he is not

Orlando Guerra 20 Reputation points
2024-05-17T21:57:44.9533333+00:00

I was troubleshooting a GPO for a Windows user when I stumbled into something weird.

The gpresult /r output shows he is a member of Domain Admins, Enterprise Admins and Schema Admins. I have checked AD for those groups and he is not a member of any listed above. There are no groups listed under his memberships as members either. Where does gpresult /r get this?


Accepted answer
  1. S.Sengupta 16,481 Reputation points MVP
    2024-05-18T01:46:38.8733333+00:00

    Windows can sometimes cache group memberships. You can clear cached credentials:

    klist purge

    gpupdate /force

    Then run gpresult /r again to see if the output changes.


1 additional answer

  1. Yanhong Liu 3,740 Reputation points Microsoft Vendor
    2024-05-20T07:31:15.6633333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Based on your description, this may be caused by the following reasons:

    Latency or replication issues: AD replication may not be complete, especially in a multi-domain-controller environment. If you have recently modified this user's group membership, the changes may not have been fully replicated to all domain controllers. Gpresult /r may be querying user information from a domain controller that has received updated information.

    Token cache: Windows uses a mechanism called "tokens" to store a user's security context, including the groups to which they belong. When a user logs in, the system generates an access token that contains the group membership that is valid at that time. Even if group membership later changes, this token is not updated during the user's current login session unless the user logs out and logs back in. This means that if you modify a user's group membership after he or she has logged in, gpresult /r may still display the old membership information until the user logs in next time.

    Group nesting: Users may become members of these special groups indirectly through group nesting. Check the members of these special groups in AD, and whether these groups contain other groups, which may eventually include a group to which the user belongs. Using the "Members of" feature in the AD Users and Computers management tool can help track this nested relationship.

    Dynamic Group Membership Rules: If these groups are dynamically distributed groups (defined using Membership Rules for AD groups), then the user may meet the criteria to be a member of these groups. Check the group's properties to see if there are any property-based rules that automatically add users as members.

    Error or permission issue: It is also possible that due to some misconfiguration or permission issue in AD, you are not seeing all group memberships when viewing user details. Make sure you have sufficient permissions to view all relevant group membership information.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

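To see where a membership reported by gpresult /r actually comes from, here is an added example (not from any poster in this thread) that lists a user's direct groups, the groups reached only through nesting (the "Group nesting" cause above), and the groups the directory would place in a fresh logon token. It assumes the RSAT ActiveDirectory module is installed and uses 'jdoe' as a placeholder account name.

```powershell
# Added example, not code from this thread. Assumes the RSAT ActiveDirectory
# module and a placeholder sAMAccountName; run on a domain-joined machine.
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder account to inspect

$user = Get-ADUser -Identity $sam -Properties memberOf, tokenGroups
$dn   = $user.DistinguishedName

# 1. Direct membership, i.e. what the "Member Of" tab in ADUC shows.
$direct = @($user.memberOf | ForEach-Object { (Get-ADGroup $_).Name })

# 2. Effective membership through nesting, resolved server-side with the
#    LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
#    Note: a DN containing ( ) * or \ must be LDAP-escaped before use here.
$nested = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Select-Object -ExpandProperty Name)

# 3. tokenGroups is a constructed attribute: the SIDs AD would put into a new
#    logon token right now. Translate each SID to DOMAIN\Name where possible.
$token = foreach ($sid in $user.tokenGroups) {
    if ($sid -is [byte[]]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
    }
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID, e.g. a deleted group
}

# Groups reached only via nesting: these explain a "he is not a member"
# surprise in gpresult /r even when replication is fully current.
$onlyNested = @($nested | Where-Object { $_ -notin $direct })

# Highlight the built-in high-privilege groups named in the question.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$highPriv   = @($token | Where-Object { ($_ -split '\\')[-1] -in $privileged })

[PSCustomObject]@{
    User          = $sam
    Direct        = $direct -join ', '
    ViaNesting    = $onlyNested -join ', '
    TokenGroups   = $token -join ', '
    HighPrivilege = $highPriv -join ', '
}
```

The TokenGroups column reflects the directory's current view; to see the token an already logged-on session is actually using (the one gpresult /r reports against), run `whoami /groups` inside that session and compare.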