When running the adquery group command, it is expected to see only accounts that are zoned to the server where the adquery group command was executed. However, deleted user accounts may still appear in the output.
Example below:
$ adquery group testadm
$ adquery user thomas
thomas is not a zone user
It is seen from above that user thomas appeared in the adquery group result, but a check on that user ID itself reveals that the user is not zoned.
Cause:
Adding a user to an Active Directory group and then removing the user from the group updates the uSNChanged attribute of the group, so the cached group object is refreshed.
But if an existing member user account is deleted from Active Directory, the uSNChanged attribute of the containing group remains UNCHANGED, so the cached group membership is not refreshed and the deleted member is still listed.
Solution:
Run the following command to refresh the AD group object on the Centrify server:
# adobjectrefresh -g testadm
Additionally, the following parameter can be modified in the /etc/centrifydc/centrifydc.conf file so that the group is automatically refreshed, whether there is a change or not:
The above setting will cause the cache to be automatically refreshed every 8 hours.
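The check below is an added example, not Centrify's own tooling: it lists the members of a zoned group, runs adquery user on each one, and reports any member that adquery reports as "not a zone user", which is the stale-cache symptom described above. It assumes that adquery group prints the group in /etc/group style (name:x:gid:member1,member2), which is an assumption, and that adquery user prints "<name> is not a zone user" for a non-zoned account, as shown on this page.

```shell
#!/bin/sh
# stale_members GROUP
# Prints one login name per line for every member of GROUP that adquery
# does not recognise as a zone user. Assumes (not verified against the
# product docs) that `adquery group` output is "name:x:gid:m1,m2,...".
stale_members() {
    group="$1"
    # Fourth colon-separated field holds the comma-separated member list.
    members=$(adquery group "$group" | awk -F: 'NR==1 {print $4}' | tr ',' ' ')
    for member in $members; do
        # A deleted account that is still cached in the group answers
        # "<name> is not a zone user" (message taken from the page).
        if adquery user "$member" 2>&1 | grep -q 'is not a zone user'; then
            echo "$member"
        fi
    done
    return 0
}

# audit_group GROUP
# Human-readable wrapper: names stale members and suggests the refresh
# command from this article. Returns the number of stale members.
audit_group() {
    group="$1"
    stale=$(stale_members "$group")
    if [ -z "$stale" ]; then
        echo "$group: no stale members"
        return 0
    fi
    count=$(printf '%s\n' "$stale" | wc -l | tr -d ' ')
    printf '%s: %s stale member(s):\n' "$group" "$count"
    printf '%s\n' "$stale" | sed 's/^/  /'
    echo "refresh the cached group object with: adobjectrefresh -g $group"
    return "$count"
}

# Run directly as: sh audit_group.sh testadm
if [ -n "${1:-}" ]; then
    audit_group "$1"
fi
```

Run it on a Centrify-joined host as root or a user permitted to run adquery; a non-zero exit code means at least one cached member should be cleared with adobjectrefresh.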