NTDSUTIL - Group Membership Evaluation

I just had an issue at a customer where we were troubleshooting an issue where users could not use the SQL Management Studio to connect to a SQL Server remotely. Local login to SQL Server interactively and then launching the client tools worked. The cause was the number of groups the user belonged to.

To troubleshoot this, we busted out ntdsutil and tried to enumerate the group membership. But to our surprise, it only showed 3 groups. Then, after changing servers, we got 600 plus groups and then again 3 groups. So basically the resultant number of groups was changing all the time.

It turns out this is a bug in ntdsutil for which a hotfix is now available. If you are using the group membership evaluation feature in ntdsutil, try this version: https://support.microsoft.com/kb/934185

HTH

M