I'm running into an odd situation: domain group membership as reported by Group Policy differs from that of Active Directory.
DOMAIN\user.name was already a member of DOMAIN\some_group_1. I added it to the AD group DOMAIN\some_group_2. The command gpresult /v now reports that DOMAIN\user.name is NOT a member of DOMAIN\some_group_2, while the Active Directory Users and Computers snap-in clearly shows that it is.
Both groups have Global scope and were created using the WSE 2016 Dashboard.
This situation is preventing Group Policy Preferences from creating a registry entry for this user, an entry that's targeted for all users in DOMAIN\some_group_2.
Why isn't Group Policy picking up the new membership?
As an aside, Get-ADPrincipalGroupMembership user.name run at the DC reports that the user is a member of Domain Users only.
--EDIT--
I should clarify that I'm connecting to the domain using two computers via two methods: 1) LAN; 2) Remote VPN. The symptoms are identical on both connections.
I found the problem.
I'd connected to the VPN under the domain admin account so that I'd be able to create the new profile for the standard user account. But I hadn't yet added the user account to the VPN security group in AD, so the new profile was corrupted as of its creation.
I removed and recreated the profile, and all was well. It works correctly now, and all security groups are displaying as they should.