Re: win2k group membership cache?

From: "JK[MS]" <>
Date: Wed, 22 May 2002 12:36:48 -0700

If you are using Universal or Global groups then these groups are added when
the user initially logs on. Membership changes will not be reflected till
the user gets a new TGT or logs back on. So you can call this a 'cache' but
it resides with the user so there is no way to flush it without going to
every user's workstation. Even for Domain Local groups similar rules apply
if the user has already accessed the service recently.
So unless the user is directly a member of a Local group machine you cannot
easily get real time group membership changes.

[This posting is provided "AS IS" with no warranties, and confers no
"Anthony Your" <> wrote in message
> Hi,
> here is the environment:
> 3 win2k AD controllers (running pure AD)
> win2k webservers, etc.
> I have NTFS permissions set using domain groups on folders used by IIS on
> member web servers.  If I change group membership and force sync the AD
> controllers, it still takes several hours for the permissions to
> I don't know if IIS caches group membership or if it is the NTFS file
> system.  Can I force a flush of this cache?  Or do I have some other
> such as a GPO or some setting in the domain?  Restarting the server or the
> webservice every change is not an option...sorry.
>         thanks,
>                 anthony
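
The behaviour described in the reply above, as a simplified model added here (it is not code from the thread and does not implement real Kerberos): Global/Universal groups are frozen when the TGT is issued, Domain Local groups when the service ticket is issued, and the server authorizes only from what the ticket carries. The names `Domain`, `Client`, `WebEditors`, `SiteFolderRW` and the 10-hour `LIFETIME` are assumptions made for the illustration.

```python
# Simplified model of the behaviour described above (constructed; not real Kerberos).
from dataclasses import dataclass
LIFETIME = 10 * 3600  # assumed ticket lifetime, in seconds

@dataclass(frozen=True)
class Ticket:
    user: str
    groups: frozenset
    expires: int

class Domain:
    def __init__(self):
        self.global_groups = {}  # Global/Universal group -> set of users
        self.domain_local = {}   # Domain Local group -> set of users or groups
    def issue_tgt(self, user, now):
        # Global/Universal membership is read from the directory once, at logon.
        groups = frozenset(g for g, m in self.global_groups.items() if user in m)
        return Ticket(user, groups, now + LIFETIME)
    def issue_service_ticket(self, tgt, now):
        # Groups are copied from the TGT; Domain Local groups are added here.
        who = {tgt.user} | tgt.groups
        local = {g for g, m in self.domain_local.items() if who & m}
        return Ticket(tgt.user, tgt.groups | local, tgt.expires)

class Client:  # workstation ticket cache: tickets are reused until they expire
    def __init__(self, domain, user, now):
        self.domain, self.user = domain, user
        self.tgt, self.svc = domain.issue_tgt(user, now), None
    def ticket_for_server(self, now):
        if now >= self.tgt.expires:  # only now is the directory read again
            self.tgt, self.svc = self.domain.issue_tgt(self.user, now), None
        if self.svc is None:
            self.svc = self.domain.issue_service_ticket(self.tgt, now)
        return self.svc

def server_allows(ticket, acl_groups):
    # The server authorizes from the groups carried in the ticket only.
    return bool(ticket.groups & acl_groups)

def demo():
    d = Domain()
    d.global_groups["WebEditors"] = {"anthony"}
    d.domain_local["SiteFolderRW"] = {"WebEditors"}
    acl, c = {"SiteFolderRW"}, Client(d, "anthony", now=0)
    before = server_allows(c.ticket_for_server(0), acl)
    d.global_groups["WebEditors"].discard("anthony")  # admin removes the user
    stale = server_allows(c.ticket_for_server(3600), acl)      # cached ticket
    fresh = server_allows(c.ticket_for_server(LIFETIME), acl)  # new TGT
    return before, stale, fresh
```

`demo()` shows the removed user keeping access on the cached ticket and losing it only once a new TGT is issued.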
