0XC0000068

STATUS_MEMBER_NOT_IN_GROUP (0xC0000068) Fix

Windows Errors Intermediate 👁 0 views 📅 May 27, 2026

This error means Windows can't verify a user belongs to a required group. Happens after domain changes, group policy updates, or ad-hoc permission tweaks.

Quick answer: Run gpupdate /force and reboot. If that fails, remove the user from the group, re-add them, then log off and back on.

What’s happening here?

This error pops up when Windows, the domain controller, or an app checks group membership and finds the user isn’t in the group it expects. The culprit is almost always a stale security token. When a user is added to or removed from a group, their token doesn’t update until they log off and back on. The error code 0xC0000068 is the NT status equivalent of “nope, not in that group.”

Common scenarios that trigger it:

  • You added a user to an AD security group but didn’t log them out.
  • A Group Policy change modified group membership but the token didn’t refresh.
  • Someone manually removed a user from a group on one DC, but the change hasn’t replicated to the DC the user authenticated against.
  • A third-party app queries membership using an outdated cached credential.

Fix steps

  1. Refresh the user’s token without logging off — Only works on Windows 10/11 and Server 2016+. Run this as the affected user in an elevated PowerShell session:
    klist purge -li 0x3e7
    This clears cached Kerberos tickets. Then run gpupdate /force. Don’t bother with runas /user:DOMAIN\user cmd — that rarely helps here.
  2. Full logoff/logon — The old reliable. Log the user off completely, wait 10 seconds, log them back on. This forces Windows to generate a fresh token from the domain controller. It’s the single most effective fix.
  3. Verify group membership on the DC — Open Active Directory Users and Computers, find the user, check the “Member Of” tab. Look for the group that should include them. If it’s missing, add them back. Wait for replication: repadmin /syncall on the PDC emulator.
  4. Flush the group membership cache — On the DC, restart the Netlogon service:
    net stop netlogon && net start netlogon
    On workstations, flush DNS cache and clear ARP:
    ipconfig /flushdns && arp -d *
  5. Check for nested group issues — Some apps don’t handle nested group membership well. If the user is in Group A, and Group A is a member of Group B, the app might only check direct membership. Add the user directly to Group B as a workaround.

Alternative fixes when the main steps fail

If you’ve done all that and it still breaks, try these:

  • Reset the computer account — On the domain-joined machine, run Reset-ComputerMachinePassword in PowerShell as admin. Reboot.
  • Leave and rejoin the domain — Painful but effective. Disconnect the machine from the domain, reboot, rejoin. This forces a full trust rebuild with the DC.
  • Check the Application event log — Filter by source “Microsoft-Windows-GroupPolicy” or “Kerberos”. Look for errors like “0xC0000068” or “The kerberos client received a credential that is expired.” That points to a time sync issue — run w32tm /resync.

Prevention tip

Train your junior admins to always log off and back on after adding a user to a security group. No exceptions. If they balk, remind them it takes 30 seconds and beats a 45-minute troubleshooting session. For critical groups (e.g., Remote Desktop Users), set a reminder in your change management system: “Add user → log off → test.”

Was this solution helpful?

STATUS_MEMBER_NOT_IN_GROUP 0xC0000068 user not in group domain account error active directory group membership Windows access denied group policy error user group fix domain user permission account membership issue