Weird AD problem with WGM:
If I add a user "example user" to a group called "example group" using the Microsoft Admin tool "AD Users and Computers", the changes are not quickly recognized by my OS X servers (WGM never sees the changes). The OS X Servers think the "example group" doesn't have the newly added "example user" in it. Anyone have ideas on why that is? Even if I wait 24 hours, the OS X Servers still have no clue that the AD Group has been modified. Even if I authenticate to the Domain in WGM and "prove" I am a Domain Admin, the changed group info never replicates. Rebooting the OS X Servers doesn't help.
I found the only solution is to (gulp) add the user to the group from the OS X Server's WGM. Dragging the user into the group in WGM seems to work fast. Is it OK to modify groups from WGM? For some reason I am really surprised this works. I didn't realize that WGM could actually WRITE changes in AD. Is this dangerous?
Is there a difference between using WGM locally on the actual OS X Server as opposed to running WGM from another OS X box on my LAN? Any reason running WGM from a remote Mac would not reflect the current AD settings?
Can I "force" a refresh of the AD info from my OS X servers in WGM, or perhaps from the Terminal?
IT Info:
Windows AD Controller is Windows 2003. Out-of-the-box Schema, No fancy custom stuff.
Mac OS X servers are running OS X 10.3.4 Server. AD is required for Mac clients on the LAN to access the AFP and SMB shares on the OS X Servers.
Clients are all Mac OS X 10.3.4 using the Apple AD plug-in.
Mac Servers and clients are all bound to AD properly. No problems in the past authenticating to the Domain.
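An added example, not part of the post above, for checking group membership from the Terminal on a bound Mac instead of through WGM, and for flushing the lookupd cache that 10.3 consults before re-querying. It assumes the directory node for the bound domain is "/Active Directory/DOMAIN" (substitute the node dscl shows for your domain) and that dscl prints the membership attribute as "GroupMembership: shortname shortname ..."; the domain, group and user names are placeholders. The parsing helpers are pure so they can be exercised on constructed input; only check_group_live touches the directory service.

```shell
#!/bin/sh
# Added example (not from the original post). Queries the AD node that the
# Mac's DirectoryService is bound to, the same layer WGM reads, and flushes
# the lookupd cache (10.3/10.4) or dscacheutil cache (10.5+) if present.

# Extract the space-separated member list from dscl "-read ... GroupMembership"
# output on stdin. Assumes the "GroupMembership: a b c" line format.
group_members_from_dscl() {
    sed -n 's/^GroupMembership: *//p' | tr -s ' ' ' '
}

# Return 0 if $2 is one of the whitespace-separated words in $1.
list_has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Flush whichever directory cache tool this OS release ships.
flush_directory_cache() {
    if command -v lookupd >/dev/null 2>&1; then
        lookupd -flushcache            # Mac OS X 10.3 / 10.4
    elif command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -flushcache        # Mac OS X 10.5 and later
    else
        echo "no known cache-flush tool on this system" >&2
        return 1
    fi
}

# Live check: node path (e.g. "/Active Directory/DOMAIN"), group, user short name.
# Exit 0 when the bound Mac currently sees the user in the group, 1 otherwise.
check_group_live() {
    node="$1"; group="$2"; user="$3"
    members=$(dscl localhost -read "$node/Groups/$group" GroupMembership 2>/dev/null \
              | group_members_from_dscl)
    if list_has_word "$members" "$user"; then
        echo "$user IS in '$group' as seen by this Mac"
        return 0
    fi
    echo "$user is NOT in '$group' as seen by this Mac (members: ${members:-none})"
    return 1
}

# Usage (live, on a bound 10.3 server; names are placeholders):
#   sh adgroupcheck.sh "/Active Directory/DOMAIN" "example group" exampleuser
if [ $# -eq 3 ] && command -v dscl >/dev/null 2>&1; then
    flush_directory_cache || true
    check_group_live "$1" "$2" "$3"
fi
```

Run it once before and once after flushing the cache: if the membership shows up only after the flush, the problem is cached lookups on the Mac rather than AD replication; if it never shows up, compare the attribute the AD plug-in maps to GroupMembership against what "AD Users and Computers" wrote. A write made from WGM goes to AD under whatever account you authenticated with in WGM, so it is only as "dangerous" as handing that account's rights to anyone who can run WGM against the server.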