I have a Windows network based on an ageing Windows Server 2003 infrastructure, with two DCs, configured with replication between each other.
While trying to find out why a certain GPO wasn't being applied, I discovered that the computer group membership isn't being set correctly on the actual computer. Running as administrator: gpresult /v only lists the default groups, and not the other groups the computer is a member of. These groups are shown if I go to "Member of" for the computer account in the domain. The groups are global security groups (and not distribution).
If I apply the GPO setting to the Default Domain Policy, it's applied on the computer as well - so it's able to get its GPO settings and apply them.
Any user group membership is available, even if the user has just been added to the group.
I've tried klist purge, both with and without specificity (-lh, etc.), removing the computer from the domain (from the computer itself) and rejoining it to the domain. No change (if anything I lost the membership of the group "domain computers").
I've verified that replication between the DCs works with dcdiag and dcdiag /c, and the gpresult /v call shows the main DC (which is also IM) as the source (I've seen both - no change).
I'm completely lost about how to debug this any further; whoami /groups doesn't show anything except for the builtin groups. There are no warnings or errors in the event log for either DC server.