BKRsupport

asked on

Active Directory Group Membership Sync

With Active Directory running Windows Server 2003 functionality, how can you force an update to a logged-on user? For example, if I want to remove a user from a security group that has access to a folder, if that user is logged on they will continue to have access to that folder until they log off and log back on. The same situation occurs when I add a user to a security group; I would like to force a resync to allow this user to update their membership without needing to log off and back on to refresh credentials. All workstations users would be using are XP, either SP2 or SP3.
Darius Ghassem

Once you remove the user, the user should not be able to access the folder because the user ticket will not match the file's permissions.
BKRsupport

ASKER

On testing this with a logged-on user, this isn't the case. Or at least it is very slow on replication, as I removed a test user from a group with folder access over 45 minutes ago and the user still has access to the folder. However, when I logged off and right back on, the user's access to this folder was denied.
ASKER CERTIFIED SOLUTION
Mike Kline
This solution is only available to members.
Make sure you are removing share and NTFS permissions.
You are totally right, Mike. I was talking about a user, not the group. Thanks for jumping in; I didn't even catch that it was a group membership.
So now if I remove a user from a group and want to enforce that user's denied access right away, I need to have them log off? Isn't there a graceful way of handling this, i.e. forcing gpupdate, or I have read something about the klist tool that might work? Otherwise the user has 10 hours of access to a folder they shouldn't, which is a security issue.
SOLUTION
This solution is only available to members.
Thanks for the great info. The cheap hack will have to be the way to handle this until there is a proper Microsoft way to force this.