OWSM log policy in OSB11g

Hi,
We want to log the request SOAP headers and are using the out-of-the-box log_policy of OWSM in OSB. When we apply the log policy to our proxy and business service we are not seeing any logs in the EM console.
Please let me know what's the issue with this. We have just the OSB11g installed and configured the domain. While configuring the domain we have selected EM Console as well. And we are going to this OSB EM Console to view the logs and we also verified the logs in log files in the domain directory from the file system.
Please let me know whether the log policy works or not for OSB.
Thanks
Siva

Hi,
I have applied oracle/wss_username_token_service_policy for my proxy service and am trying to test that from the OSB Test Console. I am getting the error below:
"[OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration"
When I launched the Test Console for this proxy, I observed that in the Security part, oracle/wss_username_token_client_policy is appearing. I am not sure why oracle/wss_username_token_client_policy is appearing there when I applied oracle/wss_username_token_service_policy to my proxy service.
Also, do I need to configure any keystore for oracle/wss_username_token_service_policy? If so, please tell me the process.
If no keystore is required, where will the credentials be stored?
Also, can you help in solving the error *"[OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration"*?
Thanks
Rajesh

Similar Messages

  • OWSM - Logging in Custom Policy Step

    I'm trying to implement a custom policy step for Oracle Web Service Management.
    For debugging purposes, I need to write a diagnostic log file (like gateway.log, policymanager.log, ccore.log...) with the behavior of my step. I have to use log4j library...
    Could you help me with OWSM log configuration?
    Thanks!

    I have been reading more about this issue but I still have doubts...
    Now, I know that I must use the package "com.cfluent.ccore.util.logging" in my code. For example:
    ILogger logger = LogManager.getLogger(...);
    logger.log(Level.INFO, "..");
    In which owsm log file does this information appear?
    Thanks!

  • How to pass Username from OWSM Security policy in Oracle Apps Adapter .jca file

    My BPEL process uses Oracle Applications Adapter. The following is the .jca file for the Adapter. The Username was initialized statically to "sysadmin" when I created the Adapter. Is it possible to pass in the username from the OWSM Security policy for the username value below? If so, how do I do it? I appreciate your response.
    <adapter-config name="EBSAdapter" adapter="Apps" wsdlLocation="../WSDLs/EBSAdapter.wsdl" xmlns="http://platform.integration.oracle/blocks/adapter/fw/metadata">
      <connection-factory UIConnectionName="EBS1" location="eis/Apps/EBS1" UIConcurrentPgmName="" UIOracleAppType="DBOBJECT"/>
      <endpoint-interaction portType="EBSAdapter_ptt" operation="EBSAdapter">
        <interaction-spec className="oracle.tip.adapter.apps.AppsStoredProcedureInteractionSpec">
          <property name="SchemaName" value="APPS"/>
          <property name="PackageName" value="INTG"/>
          <property name="ProcedureName" value="GET_USER_PROFILE1"/>
          <property name="IRepInternalName" value="PLSQL:INTG:WEBCENTER_GET_USER_PROFILE1"/>
          <property name="Username" value="sysadmin"/>
          <property name="Responsibility" value="System Administrator"/>
        </interaction-spec>
      </endpoint-interaction>
    </adapter-config>

    1. Go to Invoke activity
    2. Click on Properties tab.
    3. Click Add.
    4. Add this property "jca.apps.Username" and map it with either a variable or an expression.
    5. Populate the variable defined at the previous step with some valid username value at runtime.
    Hope this helps.
    Regards,
    Karan
    Oracle Fusion Middleware Blog

  • Custom OWSM Authorization Policy Not Visible in OSB 11g

    I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
    * the underlying SOA service functions in the /em console test page
    * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
    * the oracle/log_policy can be added to the OSB business service and generates log entries
    * the outer proxy service can be successfully invoked from a remote client with no security policies,
    with HTTP transport security and authorization policies and with OWSM authentication policies
    attached (given the correct request payloads)
    These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
    Here are the steps that were performed:
    1) created group myfirmIdentityData in WebLogic console (/console)
    2) created userid myappuser in WebLogic console
    3) added myappuser to the myfirmIdentityData group in WebLogic console
    4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
    using the Fusion console (/em on the SOA domain)
    5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
    list of permitted roles (***)
    *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
    6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
    the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
    NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
    7) accessed the Service Bus console (/sbconsole), started a change session, selected the
    proxy service, then clicked on the Policies tab, then clicked the Add button in the
    Service Level Policies section
    At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
    I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
    Any insight?
    Thanks.

    Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
    In a nutshell, policies in OWSM can be created to be applied against:
    * Components --- only usable against SOA services
    * Service Endpoints --- against URLs used as access points into services
    * Service Clients -- against consumers of services as identified by credentials
    * All -- all of the above
    However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied to only Components.
    To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
    A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

  • OWSM Gateway Policy - Clock Skew

    Hi,
    We have a difference between our system clock and an incoming SOAP message header timestamp.
    <wsu:Created> is well in advance of our system clock. Is there any way we can apply clock-skew setting to OWSM to stop the failure? Can't find anything in documentation.
    Any help would be appreciated.
    Thanks

    Hi,
    Anybody got any ideas on this please? We have logged a call with Oracle Support, but were hoping someone on the forum may have encountered this? Obvious answer would be to synch clocks, but that is not possible unfortunately!
    Thanks

  • OWSM customize policy step sign message

    Hi,
    is it possible to customize the OWSM policy step "sign message" ?
    - to set the attribute mustUnderstand of the element wsse:Security to 0 (default is 1)
    - to add the timestamp wsu:Expires to the security header (in addition to the wsu:Created timestamp)
    Bye,
    Markus

    Hi Vikas,
    Thanks for the reply.
    I suspect that the "fiddling with the Outgoing Transport Protocol that is between OWSM Gateway and actual service" as mentioned in my original post is probably the same as "creating a custom transport messenger between gateway and service" as mentioned by you.
    Any pointers to get me going, e.g. what interfaces to implement, classes to extend, how to register and manage with OWSM?
    Thanks and best regards,
    Sjoerd

  • OWSM Custom Policy Step: use of the setProcessingStage() method?

    Hello,
    When creating a Custom Policy Step for use in an OWSM pipeline the API provides the option to set the processing stage. Possible values are STAGE_PREREQUEST, STAGE_REQUEST, STAGE_RESPONSE and so on.
    Can anyone tell me the use of setting the processing stage? Would it allow me to literally take the message request to a different stage, e.g. what should happen when in the Request Stage I set it to STAGE_RESPONSE?
    I have tried this and cannot see any effect.
    Thanks, Sjoerd


  • This log -------------policy agent 2.1 for iis5.0

    Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
    Sun\Identity_Server\Agents\2.1\debug\C__Inetpub_wwwroot\amAgent
    2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): Identity Server Cookie not found.
    2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
    2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): No cookies found.
    2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
    2004-07-25 18:07:53.921 Error 1064:00D01120 PolicyEngine: am_policy_evaluate: InternalException in Service::getPolicyResult with error message:Policy not found for resource: http://guorui.mygodsun.com:49153/index.asp and code:7
    2004-07-25 18:07:53.921 Warning 1064:00D01120 PolicyAgent: am_web_is_access_allowed(http://guorui.mygodsun.com:49153/index.asp, GET) denying access: status = no policy found (7)
    2004-07-25 18:07:53.937 128 1064:00D01120 RemoteLog: User amAdmin was denied access to http://guorui.mygodsun.com:49153/index.asp.
    2004-07-25 18:07:54.062 Error 1064:00D01120 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
    2004-07-25 18:07:54.078 Error 1064:00D01120 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
    Content-Length: 13
    Content-Type: text/plain
    403 Forbidden
    From that log, please help me.
    My setup:
    Sun Java System Identity Server 6.1
    Sun Java System Directory Server 5.2
    Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
    Please help me: how do I configure this?
    What is the error?
    Thanks!

    Sorry that so many people have faced the same or similar issues. I joined this support team only a short while ago. If any old problem is still critical to you, please repost. We shall try our best to give you assistance. Jerry
    Here are some tips for debugging the Web agent.
    From the AMAgent.properties, are both IIS and AM in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration-> Platform -> Cookie Domains", whether the cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
    Also check whether the correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties for the below property the password will be encrypted and assigned: "com.sun.am.policy.am.password".
    Could you also check if the Identity server and the IIS web server are time synchronized. The problem may be that the agent requests policy decisions and the response from the server may be timed out due to a non-synchronized clock.
    Don't forget to restart the whole IIS service using the internet management console after making agent changes.
    Some of the common error codes:
    20: Application authentication failed. This occurs when the Agent cannot successfully authenticate with Identity Server. This is mainly due to an incorrect password for the agent entered during agent installation. Please refer to another faq describing how to change the password.
    7: Policy not found. This error occurs typically if there are no policies defined on Identity server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent. So, policies fetched from Identity Server are instantly flushed by the Agent and it attempts to refetch them over and over again. This can be solved by running rdate or a similar command to synchronize time between the two machines. It is recommended to run an NNTP server to synchronize times between your Identity systems.

  • Problem attaching OWSM Policy to OSB Proxy Service

    Hi all,
    I am working with OSB 11g R1 and I am trying to secure one proxy service by attaching one OWSM predefined policy. However, the "OWSM Policy Binding" is disabled in the Policy section of the proxy service.
    I found this thread in the forum [1] which seems to have the same problem and I have checked that all the extensions are installed in my domain.
    Surely I am missing something but I haven't found anything in the docs.
    Any tip or hint is appreciated.
    Thanks in advance
    My environment:
    - Weblogic Server (10.3.4.0)
    - Oracle Service Bus (11.1.1.4)
    - Oracle Service Bus OWSM Extension (11.1.1.0)
    [1] OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1
    Edited by: user10102092 on 27-jul-2011 2:42

    "I presume you already did a fresh restart of the managed servers?"
    Yep, I've restarted the OSB server.
    Looking at the logs I can find this message:
    +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
    So I understand that the pool is created correctly, isn't it?

  • OWSM: How to use log step

    Hi,
    I want to make use of the LOG step in the policy to write whatever happened in the request and response pipelines. But inclusion of the log step makes no difference. I want to know whether this is possible or not.
    If anyone has some tutorials for how to use the log step, please send them to me.
    Thanks in advance.
    Regards,
    Abhi...

    Hi!
    If I just make a little example and add the log step before and after, for example, an xmlencrypt policy step, and log the whole payload, everything works fine over here.
    If I go to Operational Management > Overall Statistics > Message Logs, I can see every step in which it got called (the log policy step).

  • Customizing OWSM 11g SAML policy

    Hi,
    The current OWSM SAML policy validates only one token against Identity store.
    Our requirement is to validate against a couple of attributes. Is there any option available in the existing policy, or do we need to write a custom policy extending the existing policy?
    Any pointers on this will be most helpful.
    Thanks,
    Sowmya

    I am facing the same problem too. Did you manage to solve this?
    Please suggest.

  • OWSM: BPEL callback bypasses Gateway and ServerAgent

    Hi,
    I have a BPEL Process A that asynchronously calls BPEL Process B. For securing the processes I use OWSM.
    I have tried both a Gateway as well as a ServerAgent but in both cases the callback message from B back to A bypasses either Gateway or ServerAgent.
    Whereas the requests for invoking both processes A and B do show up in the OWSM logs as expected.
    The entire system works fine, with either Gateway and / or ServerAgent.
    Perhaps some BPEL-internal-magic going on (e.g. for improving performance)?
    What does it take to have the response from process B go through either the Gateway or the ServerAgent and be subject to the policy pipeline specified in there?
    Thanks!
    Regards, Sjoerd

    Hi Denis,
    Thanks for your reply.
    Although I have not solved the problem, I have some more insights to share. Questions remain though ...
    In the SOAP message that follows HelloWorld3 calls HelloWorld2 asynchronously. WS-Addressing at work to correlate the callback to the original instance of the HelloWorld3 process.
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
    <ReplyTo xmlns="http://schemas.xmlsoap.org/ws/2003/03/addressing">
         <Address xmlns="http://schemas.xmlsoap.org/ws/2003/03/addressing">
    http://localhost/orabpel/default/HelloWorld3/1.0/HelloWorld2/HelloWorld2Requester
    </Address>
    <PortType xmlns:ptns="http://xmlns.oracle.com/HelloWorld2" xmlns="http://schemas.xmlsoap.org/ws/2003/03/addressing">
    ptns:HelloWorld2Callback
    </PortType>
    <ServiceName xmlns:snns="http://xmlns.oracle.com/HelloWorld2" xmlns="http://schemas.xmlsoap.org/ws/2003/03/addressing">
    snns:HelloWorld2CallbackService
    </ServiceName>
    </ReplyTo>
    <MessageID ans1:rootId="950001"
    ans1:parentId="950001"
    ans1:priority="0"
    xmlns="http://schemas.xmlsoap.org/ws/2003/03/addressing" xmlns:ans1="http://schemas.oracle.com/bpel">
    bpel://localhost/default/HelloWorld3~1.0/950001-BpInv0-BpSeq0.3-3
    </MessageID>
    </env:Header>
    <env:Body>
    <HelloWorld2ProcessRequest xmlns="http://xmlns.oracle.com/HelloWorld2">
    <input xmlns="http://xmlns.oracle.com/HelloWorld2">
    showmethemoney
    </input>
    </HelloWorld2ProcessRequest>
    </env:Body>
    </env:Envelope>
    Could the WS-Addressing information be used as a 'shortcut' for the callback to the HelloWorld3 process? Anyway, the callback is not picked up by the ServerAgent ...
    The processes finish as expected but the message traffic is not properly regulated and, hence, not subject to proper policy enforcement.
    Any ideas?
    Thanks, Sjoerd

  • Could not find the policy in WMI for package

    Hi,
    I am trying to deploy a language pack to a Windows 8.1 machine and it is not installing. According to the execmgr.log it cannot find the policy in WMI. I have tried running the machine policy update within CFG MGR but no change. Is there something else I can check?
    <![LOG[Policy is updated for Program: InstallEN, Package: LIA002A0, Advert: LIA2011A]LOG]!><time="09:47:18.345+300" date="01-28-2015" component="execmgr" context="" type="1" thread="980"
    file="execreqmgr.cpp:7063">
    <![LOG[Raising client SDK event for class CCM_Program, instance CCM_Program.PackageID="LIA002A0",ProgramID="InstallEN", actionType 45l, value NULL, user NULL, session 4294967295l, level 0l, verbosity 30l]LOG]!><time="09:47:18.347+300"
    date="01-28-2015" component="execmgr" context="" type="1" thread="980" file="event.cpp:405">
    <![LOG[Mandatory execution requested for program InstallEN and advertisement LIA2011A]LOG]!><time="09:47:19.220+300" date="01-28-2015" component="execmgr" context="" type="1" thread="3684"
    file="execreqmgr.cpp:3527">
    <![LOG[Creating mandatory request for advert LIA2011A, program InstallEN, package LIA002A0]LOG]!><time="09:47:19.220+300" date="01-28-2015" component="execmgr" context="" type="1" thread="3684"
    file="execreqmgr.cpp:3653">
    <![LOG[Could not find the policy in WMI for package LIA002A0 program InstallEN]LOG]!><time="09:47:19.242+300" date="01-28-2015" component="execmgr" context="" type="2" thread="3684" file="softdistpolicy.cpp:2851">
    <![LOG[CreateMandatoryRequestRecursively failed at FindUserOrSystemPolicy InstallEN]LOG]!><time="09:47:19.243+300" date="01-28-2015" component="execmgr" context="" type="2" thread="3684"
    file="execreqmgr.cpp:3670">

    Did you check this post?
    It turned out the root cause of the problem was one of the packages that the TS called. Even though SCCM had been set to use the selected distribution points and said the package was installed on those DPs, it hadn't actually copied the files over. Updating to a new source version and ensuring the files copied correctly resolved the issue. Hopefully SCCM 2012 will do a better job of communicating a dependency problem, but I haven't had a chance to test it yet.
    You can also check this post.
    It appears the majority of these messages occur when you have a system that has an expired advertisement still being applied to it.
    Nick Pilon | Blog : System Center Dudes

  • Invoke a business service base in a WSDL with customer WS-Security Policy

    The customer wrote a web service (refer to the attached file “HTTPS_PartyServicePortType.WSDL”) which declares a WS-Security Policy and applies it to the WS binding. How can I generate a business service based on this WSDL and invoke it successfully?
    When creating a business service in OSB, we get an error with the message below:
    [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
    After extending the OSB domain with the OWSM extension, we found that the OOTB OWSM policies cannot support the HttpsToken and OSB cannot support the WS-Policy assertions below defined in OWSM; refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
    51.2.8.1 Unsupported Assertion
    •     binding-permission-authorization
    •     http-security
    •     OptimizedMimeSerialization (MTOM)
    •     RMAssertion (Reliable Messaging)
    •     sca-component-authorization
    •     sca-component-permission-authorization
    •     UsingAddressing
    •     wss-saml-token-bearer-over-ssl (Authentication)
    It means that we cannot generate a web service with the customer's WS-Security Policy.
    The WS-Security Policy is shown as below:
    <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
    <wsp:ExactlyOne>
    <wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
    <sp:TransportToken>
    <wsp:Policy>
    <sp:HttpsToken RequireClientCertificate="false"/>
    </wsp:Policy>
    </sp:TransportToken>
    <sp:AlgorithmSuite>
    <wsp:Policy><sp:Basic256/></wsp:Policy>
    </sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    Best regards!
    Simon
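
A pre-flight check for the situation in the post above, as an added example that is not part of the original post and not Oracle tooling: it parses a WS-Policy document and reports, per policy alternative, the assertions whose element names appear in the "Unsupported Assertion" list quoted in the post. The xmlns URIs for `wsp`, `wsu` and `wsaw` are assumptions (the posted excerpt omits them), matching is by local element name only, and the second policy is constructed to show the multi-alternative case.

```python
import xml.etree.ElementTree as ET

# WS-Policy namespace; assumed, because the posted excerpt omits its xmlns declarations.
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"

# Names copied from the "Unsupported Assertion" list quoted in the post.
UNSUPPORTED = frozenset({
    "binding-permission-authorization",
    "http-security",
    "OptimizedMimeSerialization",
    "RMAssertion",
    "sca-component-authorization",
    "sca-component-permission-authorization",
    "UsingAddressing",
    "wss-saml-token-bearer-over-ssl",
})

# The policy from the post, with the missing namespace declarations added (assumed URIs).
POSTED_POLICY = """
<wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:TransportToken><wsp:Policy>
          <sp:HttpsToken RequireClientCertificate="false"/>
        </wsp:Policy></sp:TransportToken>
        <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
        <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      </wsp:Policy>
    </sp:TransportBinding>
    <wsaw:UsingAddressing/>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""

# Constructed sample: two alternatives, only the first requires WS-Addressing.
TWO_ALTERNATIVES = """
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All><sp:TransportBinding/><wsaw:UsingAddressing/></wsp:All>
    <wsp:All><sp:TransportBinding/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def alternatives(policy):
    """Return the top-level alternatives: each wsp:All under wsp:ExactlyOne.

    A policy written in compact form (no wsp:ExactlyOne child) is treated as
    a single alternative made of everything inside it.
    """
    exactly_one = policy.find(WSP + "ExactlyOne")
    if exactly_one is None:
        return [policy]
    return exactly_one.findall(WSP + "All")


def check_policy(xml_text):
    """Return one sorted list of unsupported assertion names per alternative.

    Nested policies (for example inside sp:TransportBinding) are searched as
    part of the alternative that contains them.
    """
    policy = ET.fromstring(xml_text)
    if policy.tag != WSP + "Policy":
        raise ValueError("expected a wsp:Policy root element")
    return [
        sorted({local_name(el.tag) for el in alt.iter()} & UNSUPPORTED)
        for alt in alternatives(policy)
    ]


def has_clean_alternative(report):
    """True if at least one alternative contains no listed assertion."""
    return any(not hits for hits in report)


if __name__ == "__main__":
    for name, doc in (("posted", POSTED_POLICY), ("two alternatives", TWO_ALTERNATIVES)):
        report = check_policy(doc)
        print(name, report, "clean alternative:", has_clean_alternative(report))
```

A clean alternative only means none of the listed names occur in it; other assertions such as `sp:HttpsToken` are outside what this check covers.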

    Hi
    According to
    http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
    If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
    Can you make sure the policy file is in there?
    Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
    Vimala-

  • Group Policy won't apply, No mapping between account names and security IDs was done.

    I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
    Log Name:      Application
    Source:        Group Policy Local Users and Groups
    Date:          6/24/2014 8:49:28 AM
    Event ID:      4098
    Task Category: (2)
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      laptop1.internal.com
    Description:
    The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
    IDs was done.' This error was suppressed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Group Policy Local Users and Groups" />
        <EventID Qualifiers="34305">4098</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
        <EventRecordID>68771</EventRecordID>
        <Channel>Application</Channel>
        <Computer>laptop1.internal.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>user</Data>
        <Data>Administrators</Data>
        <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
        <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
      </EventData>
    </Event>
    I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
    Any help on this would be greatly appreciated.
    Thanks,
    Joe

    Hi,
    Delete your remove action from the GPP and push it again. Does this issue still occur?
    If it still exists, let’s collect the GPP log for analysis:
    Group policy Preference debug logging policy settings are located under:
    Computer Configuration\Administrative Templates\System\Group Policy
    Click Logging and tracing, select local users and group preference logging and trace.
    Meanwhile, just a similar issue, but it is worth trying:
    A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/kb/2280515
    Alex Zhao
    TechNet Community Support
