AD Group members - some get immediate group rights some it takes forever?

All questions pertaining to Windows Active Directory Service can go here
Forum rules
1) This is a user forum for Synology users to share experience/help out each other: if you need direct assistance from the Synology technical support team, please use the following form: ... p?lang=enu

2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.
I'm New!
I'm New!
Posts: 1
Joined: Tue Jun 05, 2018 10:38 pm

AD Group members - some get immediate group rights some it takes forever?

Unread post by mwalsh » Sat Jun 23, 2018 1:21 pm

I'm not getting the interaction between my Synology DS218+ and my AD Domain and I'm wondering if any of you have seen this too and have any advice to offer.

I have an AD group we'll call Specialusers. Specialusers is a Universal Security group with about 30 users. This group is the only AD group in my domain where members have access to the shares on my DS. No users have any locally granted access on the DS except the Domain Admin. Connectivity between it and my AD seems solid.

Sometimes I'll add a user to the Specialusers group, then manually update the domain data on the DS, and that user will get their group permissions on the shares immediately. Sometimes I'll add a user to the group and it randomly takes a few hours. Sometimes I'll add a user to the group and it literally takes days for the user to get group permissions, and I can't figure out why it works immediately for some and not for others, or how to force the issue for those where it's taking a while.

I have a user right now, it's been 16 hours since I added them to the Specialusers group. One user it was several days and he still didn't have access, so I decided to give him local rights instead only to find he'd finally received his AD group rights when I looked again shortly thereafter, so I was able to turn off the local rights I had just given him.

Any ideas? Any workarounds?

Edit: Looks like it works the same the other way around too - we let somebody go on Tuesday afternoon and I immediately revoked all his group rights and disabled his AD account. He still had rights to the DS shares 3.5 days later and I just deleted his AD account entirely just to get him off the DS.

Post Reply

Return to “Windows AD Domain”