Rickard Warfvinge
Guest
Hello,
We have a problem with our Windows 10 clients in our domain. We have 3 AD groups that are in the local admin group on all Windows 10 clients. If I remove a user from that group in AD, that user is still local admin, because the client doesn't ask AD; instead it checks cached credentials. If I run "gpupdate /force /scope:user", my client still thinks I am a member of that AD group even though I am no longer a member of it, since I removed myself from it in AD. The effect of this is that removing users from AD groups doesn't populate to clients.

If we apply this reg change: Did you know, by default “run as admin” doesn’t check the AD? it works perfectly and in real time when connected to the domain. Is there a particular reason that Microsoft has chosen to have cached credentials as the first choice before checking with AD? Or is there something I am missing here?

There is very little to read about this on the net. There is a hotfix for Windows 7 and Server 2008 and some information here: https://support.microsoft.com/en-us...ways-used-when-you-run-an-elevated-task-in-wi but not much info on how this works on Windows 10. Does anyone know what could be the issue here? We want our AD group membership to be reflected on the clients as it is with the reg change.

Thanks
/Rickard