long time...

[Fredrik]

I have a fileserver belonging to AD 2003. The OS is W3K server. On the
server I have shares with catalogs. Something is little strange...
\\server\share1 - Group1 have full control on the share, and read permssions
on all catalogs down under. Group1 is a global security group in our AD
containing some user accounts.
If I take a new user in AD and make that member in group1 it could take a
very long time (several hours) until the user have permissions to share1...?
I think this is strange. The group is created before, same with the account.
The only difference is putting the user in the group. Shouldn't this work
direct after when the user logs in?
In the AD we have the domain controllers in two different sites. But after
updated the group with the new user I have looked on all three DC (connect
domain controller in AD users&computers) and the group is updated correct.
Still the user don't get the group permission on the fileserver.
I would be very happy if you have ideas about this!!

 

[Guest]

It sounds like an AD replication problem. I can imagine you might see this if the DC you are binding to when you make the group membership change is in a different AD site than the DC that the user in question authenticates against

Try this -

1. Find out what DC the user is authenticating against by having them run SET L at a command prompt, which will return LOGONSERVER=<authenticating DC
2. In AD Users and Computers, right-click the top level and say "Connect to Domain Controller" and connected to the DC the user authenticates with.
3. Make the group membership change
4. Have the user logoff/on, run SET L again to verify the DC is the same, then have them try to access the share
5. If it works without having to wait - then all the other times you've been making the group membership change on a DC that isn't replicating very quickly (likely because they are in different sites) with the user's authenticating DC.