Why does a user still retain permissions even after being removed from an AD group?
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
Windows users log in to a domain member workstation, and during authentication their "keychain" of permissions is fetched from the domain controller they authenticate against. This fetch is performed only at login time. Therefore, any AD group membership changes made while a user is still logged in won't affect that user until they log out and log back in again, because NTLM credentials are cached for each session.
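
To confirm that a logged-in session is still carrying an old group membership, the following added example (not Cisco's code) compares the group SIDs held in the current Windows logon token with the membership Active Directory reports right now. It assumes it is run in the affected user's session on a domain-joined workstation that can reach a domain controller, and it only compares groups from the user's own domain; the variable names are illustrative.

```powershell
# Added example: compare group SIDs cached in the logon token with current AD membership.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Only compare groups from the user's own domain (assumption: no cross-domain groups).
# This also drops well-known and local SIDs that never appear in AD's tokenGroups.
$domainPrefix = $identity.User.AccountDomainSid.Value + '-'
$tokenSids = @($identity.Groups |
    ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith($domainPrefix) })

# Find the logged-on user's directory object by SID.
$searcher = [adsisearcher]"(objectSid=$($identity.User.Value))"
$result = $searcher.FindOne()
if (-not $result) { throw 'Logged-on user was not found in the directory.' }
$user = $result.GetDirectoryEntry()

# tokenGroups is computed by the domain controller on request and reflects
# the membership (including nested groups) as it stands now.
$user.RefreshCache(@('tokenGroups'))
$adSids = @(foreach ($bytes in $user.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0
    if ($sid.Value.StartsWith($domainPrefix)) { $sid.Value }
})

# Resolve a SID to a readable name; fall back to the raw SID if that fails.
function Resolve-SidName([string]$Sid) {
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# In the token but no longer in AD: removed since login, still effective in this session.
$stale = @($tokenSids | Where-Object { $adSids -notcontains $_ })
# In AD but not in the token: added since login, not effective until the next login.
$pending = @($adSids | Where-Object { $tokenSids -notcontains $_ })

$stale   | ForEach-Object { 'STALE   (log out to drop): {0}' -f (Resolve-SidName $_) }
$pending | ForEach-Object { 'PENDING (log in to gain):  {0}' -f (Resolve-SidName $_) }
if (-not $stale -and -not $pending) { 'Logon token matches current AD membership.' }
```

Any STALE line is a group that was removed in AD after this session started; it disappears from the output once the user logs out and logs back in.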