Hi,
I had an issue with group membership being stuck. I had some AD users in an external group, which I had then added to the Admin group, but when I removed this external group the users retained their Admin group, even after deleting the SSSD cache completely on the server/client and restarting SSSD, IPA, etc., and even after leaving it for a few weeks while I vacationed.
I took a look in LDAP and could not see any membership of the group except for the Admin user.
On a whim I removed the ipaNTSecurityIdentifier and the ipaNTGroupAttrs attribute from the Admin group and then re-added it exactly as it was, and found that the problem was solved. However, I'm struggling to understand how that could be.
I would like to understand how that would fix anything. It seems like it would be completely unrelated.