Inconsistent Membership of a Security Group


I ran across an issue the other day that had me scratching my head and calling PSS to try and track down the problem.

For some reason we had members of a security group that were inconsistently being denied access to RDP to our SQL servers. There is a special group the SQL DBAs belonged to which elevated them to Local Administrators on the box and this would also provide them the ability to RDP to the box. We created a new security group and granted the exact same membership and permissions to a test box and we couldn't get the permissions to fail, yet we continued to have the intermittent issues with our original group.

Running Wireshark on the SQL box, we could see the proper connections being sent and received; originally we expected some type of Kerberos issue that we didn't see, but we soon ruled that out. Finally the Microsoft tech asked us to run a command within NTDSUtil I had never even known about before: "Group Membership Evaluation".

Evaluate Group Membership will dump the contents of the user token's groups to a text file and you can then look to see what the DC sees. In this case we ran the command against each DC within the domain and sent the data off to Microsoft. In the meantime I looked at each text file and found three DCs with a rather odd Group-Owner attribute. The owner was a SID that couldn't be translated to a friendly name, and looking closer I could see that the SID wasn't defined correctly; it had a corrupted value. This corruption also caused the evaluation of the group to quit showing the members within the group <DING, DING, DING>. It couldn't evaluate who belonged to the group since the owner SID was corrupted.

I figured I would try and change the owner to a new administrative group and voilà, the group immediately exposed all the correct members within NTDSUtil. I had the SQL DBAs attempt to log on and it was still failing for them, so I figured I would reboot the box to correct any possible caching issue, and upon this the problem went away.

When logged on to the DC, open a CMD prompt
Type: NTDSUTIL
Type: group membership evaluation
Type: run "Domain FQDN" "User Name"

Output is a "Tab Separated Value" (.tsv) file, so open it in Excel and it will show you all the tokens associated with the security principal in nice order.
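As an added worked example (not code from the original post), the following PowerShell automates the two things done by hand above: it runs the NTDSUtil group membership evaluation non-interactively, and then checks every group in the domain for the exact symptom found here, an owner SID that cannot be translated to a friendly name, with an optional fix that resets the owner to an administrative group. It assumes the RSAT ActiveDirectory module and a domain-admin context; corp.example.com, jdoe and the output directory are placeholders. Passing the menu commands as arguments to ntdsutil and finding the .tsv in the working directory are assumptions about ntdsutil's command-line behaviour, not something the post states.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original post's code. Names below are placeholders.
param(
    [string]$Domain = 'corp.example.com',   # placeholder domain FQDN
    [string]$User   = 'jdoe',               # placeholder sAMAccountName
    [string]$OutDir = "$env:TEMP\gme"
)

# 1. Run "group membership evaluation" -> "run <domain> <user>" without the
#    interactive menu. Assumption: ntdsutil accepts its menu commands as
#    arguments and writes the .tsv into the current directory.
function Invoke-GroupMembershipEvaluation {
    param([string]$Domain, [string]$User, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Push-Location $OutDir
    try {
        & ntdsutil "group membership evaluation" "run $Domain $User" quit quit | Out-Null
        Get-ChildItem -Path $OutDir -Filter *.tsv | Sort-Object LastWriteTime | Select-Object -Last 1
    } finally {
        Pop-Location
    }
}

# 2. Find groups whose owner SID does not resolve. A corrupted owner SID is
#    what stopped the evaluation from listing members in the post; a valid but
#    orphaned SID (deleted account) is reported too and is worth a look anyway.
function Find-GroupsWithUnresolvableOwner {
    param([string]$Server)
    Get-ADGroup -Filter * -Server $Server -Properties nTSecurityDescriptor |
        ForEach-Object {
            $group = $_
            try {
                $sid = $group.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch {
                # Either the descriptor itself is unreadable (malformed SID) or the
                # SID maps to no account; both mean the owner needs attention.
                [pscustomobject]@{
                    Group    = $group.DistinguishedName
                    OwnerSid = if ($sid) { $sid.Value } else { '<unreadable>' }
                    Server   = $Server
                    Error    = $_.Exception.Message
                }
            }
        }
}

# 3. Reset the owner to an administrative group (the fix applied in the post).
#    Uses the AD: PSDrive provided by the ActiveDirectory module.
function Set-GroupOwnerToAdminGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [string]$NewOwnerGroup = 'Domain Admins',
        [string]$Server
    )
    $owner = Get-ADGroup -Identity $NewOwnerGroup -Server $Server
    $acl   = Get-Acl -Path "AD:\$GroupDn"
    $acl.SetOwner($owner.SID)
    if ($PSCmdlet.ShouldProcess($GroupDn, "Set owner to $NewOwnerGroup")) {
        Set-Acl -Path "AD:\$GroupDn" -AclObject $acl
    }
}

# Run the evaluation once per DC so that differences between DCs show up,
# as they did in the post (three DCs carried the bad owner).
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    "== $($dc.HostName) =="
    Invoke-GroupMembershipEvaluation -Domain $Domain -User $User -OutDir (Join-Path $OutDir $dc.HostName)
    Find-GroupsWithUnresolvableOwner -Server $dc.HostName | Format-Table -AutoSize
}
```

Review the findings before applying the fix: run `Set-GroupOwnerToAdminGroup -GroupDn '<dn>' -Server <dc> -WhatIf` first, and after changing the owner re-run the evaluation on each DC to confirm the member list reappears; as the post notes, the client box may also need a reboot before cached tokens catch up.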

NTDSUtil and Group Membership Evaluation
http://technet.microsoft.com/en-us/library/cc733025.aspx