Welcome to the Centrify forums.
To interesting differences here:
- One server is using an EOL version of Centrify software (5.1).
- As it relates to the user "fake" - you can spot the difference in the UNIX identity shell.
Good server:fake:x:1234:101:fake user:/home/fake:/bin/csh
"Bad" server (notice the double-quotes):fake:x:1234:101:fake user:/home/fake:/sbin/nologin
In the Good server, the user has a valid role assignment that is still effective (hence the the C shell: /bin/csh), in the "bad" server, the user has an expired role assignment (looks like someone did the right thing and did not assign user fake a permanent role), when the role expired, they were switched to the Nologin (/sbin/nologin). This will prompt the user to have a message like "This account is currently not available" (or some other custom message).
Ultimately, the use is not allowed to log in to the bad server, (turns out it's not bad, it's actually doing the right thing by denying access to the system and protecting the asset).
You can further verify this by using the "dzdo dzinfo fake" on both systems. Alternatively, you can use Access Manager's "User Effective Rights" or even PowerShell to see this.
To fix this (if the intent is for user fake to access the "now discovered not bad server") is to be granted a role assignment that allows him to log in, and to make things fast, run the adobjectrefresh or adflush commands in the target system.
I hope this helps.