Active Directory
szavorotkov, 2019-01-25 13:10:54

The computer is a member of the following security groups - Not applicable. Who had this error?

Good afternoon!
Initial data:
Domain network on Windows Server 2012 R2 with the same domain functional level. Client computers are 99% Windows 10 Pro.
Problem:
A group is created in Active Directory for GPO filtering and computers are added there (the group is not yet attached to the GPO and this does not matter).
On the computer, gpupdate /force is run and the machine is rebooted. After it boots, we run gpresult /r /scope computer and see that the group is not in the "Computer is a member of the following security groups" section. OK. We repeat the gpupdate-reboot-gpresult procedure, and the result is the same: there is no group.
The group itself was first in a separate OU, then it was moved to Users.
Solution:
Empirically, we found that if a software assignment policy applies to a computer (it does not matter which one; this was checked on different policies), then the computer does not enter any groups after a reboot, i.e. the group does not appear in the "The computer is a member of the following security groups" section (even after a week). As soon as the software assignment policy is set to prohibit reading and applying for the test computer, the group immediately appears.
This behavior occurs only on Windows 10; server OSes were added without problems, and one of the machines on Windows 7 also accepted the group without problems.
We also conducted an experiment on a fresh test domain, where this behavior was not confirmed on Windows 10. The server was 2016.
Question:
If anyone has a similar domain configuration (domain controller = 2012R2, computers = Windows 10), can you check? Has anyone encountered such a bug?
The reason is clear, but the solution is not quite. Either we have a broken domain, or there is a bug in 2012/10 and it's time to move.
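
One way to confirm the symptom described in the question independently of the display language, as an added example that is not part of the original post: it compares the group SIDs the directory computes for the computer account with the groups recorded at the last computer policy refresh. It assumes elevated Windows PowerShell on the affected domain-joined client; the report file name is arbitrary.

```powershell
# Added example (not from the original thread). Run in elevated Windows PowerShell
# on the affected domain-joined client. The report file name is arbitrary.

# 1. Directory view: a DC expands the computer account's security groups,
#    nested ones included, into the constructed tokenGroups attribute.
$sam      = $env:COMPUTERNAME + '$'
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
$found    = $searcher.FindOne()
if (-not $found) { throw "Computer account $sam not found in the directory." }
$entry = $found.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$adSids = foreach ($bytes in $entry.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# 2. Client view: the groups recorded at the last computer policy refresh,
#    the same data gpresult /r /scope computer prints, read as XML by SID.
$report = Join-Path $env:TEMP 'gpresult-computer.xml'
gpresult /scope computer /x $report /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE." }
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)
$xpath  = "//*[local-name()='ComputerResults']/*[local-name()='SecurityGroup']/*[local-name()='SID']"
$gpSids = @($rsop.SelectNodes($xpath) | ForEach-Object { $_.InnerText })

# 3. Difference: groups the directory grants that the policy engine did not see.
#    BUILTIN (S-1-5-32-*) SIDs are skipped: on a client they resolve against
#    the local SAM, not the domain's Builtin container.
$missing = @($adSids | Where-Object { $_ -notlike 'S-1-5-32-*' -and $gpSids -notcontains $_ })

if ($missing.Count -eq 0) {
    'Every domain group from tokenGroups is present in the gpresult report.'
} else {
    foreach ($sid in $missing) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        try   { $name = $id.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(name not resolvable)' }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}
```

A group listed in the output exists in the directory for this computer but was absent from what Group Policy evaluated at the last refresh.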

1 answer(s)
CHolfield, 2019-03-12
@CHolfield

Some kind of idiocy I see in this problem, my young Padawan. You're confusing cause and effect, I think.
Group Policy is applied on client computers; the computers do not form it, O young Padawan. Edit this policy setting on the domain controller, and the client computer will enter this security group upon reboot or forced update. Once again for the stubborn: you do not need to add the computer to the group manually through the "computers and users" snap-in if you want to regulate membership through the GPO.
Do you understand, padawan, or will you continue to be stupid?
