One of the challenges of using security groups for computer account administration is that, like users, computer accounts determine their group membership at logon, which for a computer happens at boot time.
What if you need to update a computer’s group membership when the computer is away from the network?
The GPO was limited to a security group, and even though the remote workstation was in that group, the system itself didn’t know that because it was working on cached information. I needed to force Windows to reevaluate its group membership while connected to the VPN.
This can be accomplished by purging the Kerberos ticket cache.
Open an elevated command prompt and run: klist -lh 0 -li 0x3e7 purge
Then run: gpupdate /force
The computer will then re-evaluate its group membership and apply the appropriate GPOs, including the much-needed DirectAccess GPO.
Shane Skriletz, PEI
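
The two steps above as one PowerShell script, with checks around them. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 in an elevated session on the affected workstation, and the Test-ComputerSecureChannel precheck, the before/after ticket listings and the gpresult report are additions to the procedure.

```powershell
#Requires -RunAsAdministrator
# Added example: refresh the computer account's group membership without a reboot.
# Run on the affected workstation while it is connected to the VPN.

# 0x3e7 is the logon ID of the Local System session, which holds the
# computer account's Kerberos tickets (not the logged-on user's).
$SystemLogonId = '0x3e7'

# A replacement ticket can only be issued if a domain controller is reachable,
# so confirm the machine's secure channel to the domain before purging anything.
if (-not (Test-ComputerSecureChannel)) {
    throw 'No working secure channel to the domain. Connect the VPN and try again.'
}

Write-Host '--- Computer account tickets before purge ---'
klist -li $SystemLogonId

# Step 1 from the article: purge the computer account's ticket cache.
klist -lh 0 -li $SystemLogonId purge

# Step 2 from the article: reapply Group Policy. The new tickets requested
# here carry the computer's current group membership.
gpupdate /force

Write-Host '--- Computer account tickets after refresh ---'
klist -li $SystemLogonId

# Report the security groups and GPOs now in effect for the computer, so the
# expected group and the GPO filtered on it can be confirmed in the output.
gpresult /r /scope computer
```

In the gpresult output, check that the security group the GPO is filtered on appears in the computer's group list and that the GPO is listed as applied rather than filtered out.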