Help! - Security Group Scope Nightmare

Jon Dehen 1 Reputation point
2020-09-16T16:26:53.95+00:00

EDIT/UPDATE: Here is a summary of the two things which we saw in our environment which should not happen:

  1. Computers no longer saw themselves as a member of several security groups. Group scopes were changed from Domain Local to Universal to Global (but membership wasn't changed)
  2. Computers refreshed their group membership without rebooting. (klist purge can do this but wasn't used in this instance)

This caused a LOT of GPO chaos and software uninstalls. What could cause this behavior?

===========================================

I have the following security group topology:
[image: 25209-group-members.png]

Initially all three groups were Domain Local scope. Starting with the two child groups, I changed group scopes to Universal scope (applied) and then immediately to Global scope (applied). Why this was done is outside the scope of this question.

I have a GPO (Software Installation) that triggers install if the computer is a member of the Parent Group (applied via security filtering which only contains the Parent Group). I checked the "Uninstall this application when it falls out of the scope of management" option in the GPSI deployment properties.

After changing group scopes as noted above, computers in the 2x child groups "lost" membership in the Parent Group, causing the software to be unintentionally uninstalled via GPSI on the next reboot. The software was reinstalled on the reboot after that.

So it's as if the computers no longer saw themselves being a member of the Parent Group anymore. Group membership never changed, only the group scope. I know changing the group scope doesn't affect the members of that group, the GUID/SID of the group, etc, so I don't know why or how a computer would lose its membership. I know also that a computer needs a reboot to have its group membership changed.

Is this expected behavior, and if so, why? Where is there documentation on this?

Environment
I have 2x DCs (WS 2019) that had KB4570333 applied earlier that day (and they rebooted). We're a single domain small shop. All computers are Windows 10 (and they may have had KB571756 applied that day as well). I don't think it is a Windows bug but wanted to mention the other changes I know happened as well.


4 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-09-17T03:45:59.93+00:00

    Hi,
    As you mentioned above, I did a test in my lab (not with the updates).
    Everything works well, no uninstall and reinstall behavior happened. So I don't think it is expected.
    The possible reason may be replication delay or something.
    Based on my understanding, the software was reinstalled on the reboot after that and is working well now, right?
    If the problem can be reproduced, we may try to run gpresult /v to check the membership and then enable the GPSVC log for more details on the computer before and after the restart operation.
    Fan

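A diagnostic to go with the gpresult/GPSVC suggestion above, added here as an example and not part of Fan's answer or of any Microsoft tooling: it asks every DC for the group's current scope and for the computer's tokenGroups, so a missing SID or a DC that disagrees with the others (replication lag) is visible directly. The computer name and group name are placeholders, and the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added example: compare group scope and the computer's tokenGroups across all DCs.
Import-Module ActiveDirectory

$ComputerName = 'WS-PLACEHOLDER'   # computer account to check (placeholder)
$GroupName    = 'Parent Group'     # group used in the GPO security filter (placeholder)

$computer = Get-ADComputer -Identity $ComputerName
$group    = Get-ADGroup -Identity $GroupName

# groupType bit flags: 2 = Global, 4 = Domain Local, 8 = Universal,
# 0x80000000 = security-enabled. A scope change flips these bits only;
# objectSid (what GPO security filtering actually matches on) never changes.
function Get-GroupScope([int64]$GroupType) {
    if (($GroupType -band 0x2) -ne 0) { return 'Global' }
    if (($GroupType -band 0x4) -ne 0) { return 'DomainLocal' }
    if (($GroupType -band 0x8) -ne 0) { return 'Universal' }
    return 'Unknown'
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # The group as it has replicated to this particular DC
    $g = Get-ADGroup -Identity $group.ObjectGUID -Server $dc -Properties groupType

    # tokenGroups is a constructed attribute: the DC expands nested membership
    # on read, the same way it does when it builds a logon token (PAC).
    $entry = [ADSI]"LDAP://$dc/$($computer.DistinguishedName)"
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $tokenSids = foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    [pscustomobject]@{
        DC              = $dc
        GroupSid        = $g.SID.Value
        GroupScope      = Get-GroupScope $g.groupType
        ComputerInToken = ($tokenSids -contains $group.SID.Value)
    }
}
```

A row with ComputerInToken set to False on one DC but True on another points at replication lag rather than a real membership change; the token the running computer holds was built at its last boot, so this query describes what a new logon would get, not what is currently in effect on the machine.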

  2. Jon Dehen 1 Reputation point
    2020-09-17T12:19:41.047+00:00

    I'm going to do extensive testing today and reviewing in depth some event logs to try and see exactly what happened. Yes, the software did reinstall correctly.

    I made the group scope changes around 12PM. I noticed that some computers pulled the updated "membership" on the next auto-gpupdate, whereas for others it took a few gpupdates before they lost their group membership. I've thought about replication delay or issues as well (dcdiag is clean on both DCs). I'll post more findings today.


  3. Jon Dehen 1 Reputation point
    2020-09-17T19:38:24.457+00:00

    @Fan Fan Today I have been unable to reproduce the behavior. In addition to having GP Software Installation, I also have a number of scheduled tasks which install/uninstall a program via script as follows (both linked to the same OUs):

    Install Program GPO
    Security filtering: Parent Group
    Scheduled task: Replace (remove when no longer applied checked), no item level targeting

    Uninstall Program GPO
    Security filtering: Authenticated Users
    Scheduled task: Replace (remove when no longer applied checked), item level targeting "when computer is NOT a member of Parent Group"

    Effectively, this installs Program when a computer is placed in the Parent Group but removes it for any computer who is not in the group. The computer should need to reboot for the scheduled tasks to switch from install to uninstall.

    VERY WEIRD BEHAVIOR
    I changed the group scopes around 1PM. I also moved the Child Groups into a Sub-OU either before or after the scope change. One computer which was NOT rebooted after scope changes showed strange behavior. During an automatic GP update shortly after the scope change I can see that the Install scheduled task gets deleted (and not immediately recreated like normal) AND the Uninstall schedule task gets created. This would be expected behavior if and only if the computer was no longer in the "Parent Group".

    After the weekend I disabled the Uninstall GPO and can see the Uninstall scheduled tasks removed from the computer. Still no Install scheduled tasks. The following day, after the computer finally rebooted, the install scheduled tasks are finally created again. So it's as if the computer was able to lose the group membership without a reboot, somehow, but required a reboot to regain the correct group membership.

    How is this possible if the computer didn't reboot and group membership didn't change?

    I'm happy to provide any additional diagnostic info from event logs if helpful. I'm about at the extent of my AD knowledge.

    Thank you!


  4. Jon Dehen 1 Reputation point
    2020-10-08T16:20:09.34+00:00

    I was able to narrow down the scope of the issue by removing some variables. This simplifies the issue some and might be easier to solve. I have started another forum post here: https://learn.microsoft.com/en-us/answers/questions/120736/gpos-not-applied-ad-group-issue.html
