I've found a user account cited as a member in groups "Domain Users" and "Denied RODC Password Replication".
The user account is marked "disabled".
However, there is NO Domain User by that name. It's a member of no other groups.
I forgot to check on Local Users but that would seem to be impossible in any event.
What does all this mean? When I try to remove the account from the "Domain Users" members list, I get the message:
"This is the member's primary group so the member cannot be removed. Go to the Member Of tab of the Member's
Property sheet and set another group as primary. You can then remove the member from this group".
The rub is that since there's no user by that name in Domain Users, I can't examine its property sheet.
What should be done about this? I'm stumped...