We have a 2016.3 deployment on a dark core network. I have been deploying some software packages using Active Directory groups, and it's been successful so far. I'm setting up another software package to do the same thing.
The query that polls the security group, and also looks to see if that software has already been installed, found only one system that is in the group, but doesn't have the software. When I checked, I realized that that system shouldn't be in that security group. So I removed it from that AD security group. I then had it run scans for hardware, hardware and software, and full sync. It still didn't update the fact that it's no longer a member of that security group. So I left it for a couple of days, hoping that some other process would update the status. But the query is still showing that system is in that AD security group.
How do I troubleshoot this? I tried to figure out what process is polling LDAP for new status, but couldn't figure it out. It doesn't appear we have the LDAP Enumeration registry key set, but the inventory for each system includes LDAP Groups/Machine, and it appears to be accurate most of the time. I'm not seeing any errors (that I know of) with the scans on this system, but it still has the outdated LDAP Group membership. Where do I start in troubleshooting this?