Whoami /groups not working in domain

BA-Augsburg 0 Reputation points
2025-03-26T14:12:47.86+00:00

Hello, we are testing Windows 11 with new hardening options, based on BSI and CIS benchmark recommendations. With these policies activated, whoami /groups runs into a timeout and isn't able to list our domain groups with group names. It shows "Unknown SID type". With administrator rights or without a network connection it's working fine. Any suggestions? I can post a summary of the hardening options, if needed.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

2 answers

  1. Anonymous
    2025-03-27T06:18:12.4166667+00:00

    Hello BA-Augsburg,

    Thank you for posting in Q&A forum.
    Based on the description, it seems the new hardening options blocked SID-to-name resolution.

    When you run as administrator or with no network, the lookups either use cached tokens or don’t try contacting the DC at all. Here are a few ideas to troubleshoot and possibly mitigate the issue:

    1. Please try to remove the hardening policies you applied, then check if it is caused by the hardening policies.
    2. Verify which hardening policies are active.

       Try isolating which setting is causing the problem. For example, revert one policy at a time (or test in a lab environment) to see which policy caused it.

    3. Check your network and DC logs. Look in the Windows Event Logs (both on the client and domain controller side) for any authentication or access-denied messages.
    4. Consider alternative name resolution options. For instance, if you must have these hardening policies in place for production, you might work around it by using administrative tools (which appear to work correctly) or by using "gpresult" or PowerShell commands (like Get-ADPrincipalGroupMembership) that can be more explicit about credentials and security negotiation.

       For example:

       1. Open CMD and run the command: gpresult /r

          Note: Check the user group membership under "User Settings".

       2. Open CMD and run the command: gpresult /h C:\group.html

          Note: Check the user group membership under "User Details".

       https://theitbros.com/check-active-directory-group-membership/

    5. Evaluate whether the extra hardening (as recommended by CIS/BSI) is appropriate for your environment. Sometimes the recommended settings work best in very high-security or isolated environments; if SID lookups become too slow or fail because of them, you might need to relax or fine-tune some policies so that non-elevated processes can still resolve domain SIDs.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
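The per-SID diagnostic below is an added example; it is not part of Daisy's answer and not a Microsoft tool. It uses only the .NET SecurityIdentifier.Translate API that PowerShell exposes (the same LSA lookup path whoami /groups relies on) and assumes it is run as the affected, non-elevated domain user on the 24H2 client. Instead of observing only that whoami /groups as a whole times out, it times each lookup individually and reports which SIDs (local, well-known or domain) come back unmapped, which is what whoami prints as "Unknown SID type". The 2000 ms slow-lookup threshold is an assumed value, not a documented one.

```powershell
# Added example (not from the original answer): per-SID name-resolution diagnostic.
# Run in a normal PowerShell session as the affected domain user. No modules needed.

$slowThresholdMs = 2000   # assumed threshold for flagging a lookup as "slow"

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Token user: {0}   elevated: {1}   groups in token: {2}" -f `
    $identity.Name, $elevated, $identity.Groups.Count)

$results = foreach ($sid in $identity.Groups) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $name = $null
    try {
        # Same LSA SID-to-name path that whoami /groups uses for the "Group Name" column.
        $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $status = 'resolved'
    } catch {
        # PowerShell may wrap the .NET exception; inspect the inner one when present.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
            $status = 'unmapped'          # what whoami reports as "Unknown SID type"
        } else {
            $status = "error: $($ex.GetType().Name)"
        }
    }
    $sw.Stop()

    [pscustomobject]@{
        SID      = $sid.Value
        Name     = $name
        Status   = $status
        Millis   = $sw.ElapsedMilliseconds
        # IsAccountSid() is true for domain/local account SIDs (S-1-5-21-...),
        # false for well-known SIDs such as Everyone or Authenticated Users.
        Scope    = if ($sid.IsAccountSid()) { 'account' } else { 'well-known' }
        Slow     = $sw.ElapsedMilliseconds -ge $slowThresholdMs
    }
}

# Slowest and failing lookups first, so the problem SIDs are at the top.
$results | Sort-Object -Property @{Expression = 'Status'; Descending = $true}, `
                                 @{Expression = 'Millis'; Descending = $true} |
    Format-Table SID, Scope, Status, Millis, Slow, Name -AutoSize

Write-Host ""
Write-Host ("Summary: {0} resolved, {1} unmapped, {2} errors, {3} slow (>= {4} ms), total {5} ms" -f `
    @($results | Where-Object Status -eq 'resolved').Count,
    @($results | Where-Object Status -eq 'unmapped').Count,
    @($results | Where-Object { $_.Status -like 'error:*' }).Count,
    @($results | Where-Object Slow).Count,
    $slowThresholdMs,
    ($results | Measure-Object -Property Millis -Sum).Sum)

# Optional cross-check against the directory itself, if RSAT's ActiveDirectory module
# is installed: this is the Get-ADPrincipalGroupMembership route mentioned above and
# queries the DC over LDAP instead of going through the local LSA lookup.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host ""
    Write-Host "AD module cross-check (LDAP, not LSA):"
    Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
        Select-Object SamAccountName, SID | Format-Table -AutoSize
}
```

Running this once with the hardening baseline applied and once with it reverted gives two comparable tables: if the "unmapped" rows are exclusively the account-scope (S-1-5-21) SIDs while well-known SIDs resolve instantly, the break is in the client-to-DC lookup path (the channel the hardening settings touch), not in the token itself; if the AD-module cross-check still lists the groups by name, the directory data is intact and only the LSA lookup is affected.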


  2. BA-Augsburg 0 Reputation points
    2025-03-28T05:58:28.9666667+00:00

    Hi Daisy,

    It's not that easy and is getting more and more complicated.

    It's only happening with Windows 11 Build 24h2. With 23h2 everything is working fine. We have had these settings for a long time now and they did just work fine.

    It's also not happening if Windows 11 Build 24h2 is installed as a virtual machine under Hyper-V. This problem only occurs with a native installation on a client device.

    I added the export of this hardening policy. Maybe someone had similar problems with one of these settings or someone from Microsoft is reading this.

    Policy_geschwärzt.pdf

    Best regards,

    Markus

