Re: Group membership changes not taking effect

From: Rick Kingslan [MVP 2000/NT] (rkingsla.cox.net@127.0.0.1)
Date: 01/29/03

Next message: Rick Kingslan [MVP 2000/NT]: "Re: Local Users and Power Users"
Previous message: Rick Kingslan [MVP 2000/NT]: "Re: Restrict login to 1 account"
In reply to: brad: "Group membership changes not taking effect"
Next in thread: Brad L.: "Re: Group membership changes not taking effect"
Reply: Brad L.: "Re: Group membership changes not taking effect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Rick Kingslan [MVP 2000/NT]" <rkingsla.cox.net@127.0.0.1>
Date: Wed, 29 Jan 2003 11:39:29 -0600

Brad,

Group membership is written to the security token - which is created at
logon. The token cannot be dynamically updated (otherwise the security
implications would be huge with a dynamically updated token), hence the
requirement that a user who has their group membership updated MUST log off
and log back in so that the new group SID can be written to the new token.

If a user who is logged on is made a member of GroupA, that user's token has
no idea that the user is a member of GroupA because the SID for GroupA is
not on the token. Logging off and then loggin back will write the new SID
to the token.

I can't speak as to what conditions that earlier versions might have acted
in your environment, but IIRC, this is consistent behavior to all versions
of NT.

Hope this helps...

--
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Windows 2000/NT
"brad" <bradl@nospammering.costbook.com> wrote in message
news:ugkZBW7xCHA.2604@TK2MSFTNGP12...
> Hi,
>
> I'm using Win2k sp 2 w/Active Directory.
>
> I'm adding & removing users from groups, but the resulting access changes
to
> files on the server do not seem to take effect until the user logs off and
> logs on again.
>
> I've been using WinNT since 3.1 and i've never had the effects of group
> membership changes wait until the user logs on again.
>
> Is this something new to Win2k, and is there a way to make changes
effective
> immediately?
>
> Thanks,
> Brad
>
>
>

Next message: Rick Kingslan [MVP 2000/NT]: "Re: Local Users and Power Users"
Previous message: Rick Kingslan [MVP 2000/NT]: "Re: Restrict login to 1 account"
In reply to: brad: "Group membership changes not taking effect"
Next in thread: Brad L.: "Re: Group membership changes not taking effect"
Reply: Brad L.: "Re: Group membership changes not taking effect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: How many Global Catalog Servers are needed?
... UG membership is stored on every DC in the domain the UGs were created in and in GCs of every domain in the forest. ... when a user who belongs to a universal group logs ... I mean in an multiple domain environment. ...
(microsoft.public.win2000.active_directory)
Re: Create user within the Login Control
... you can circumvent the way a person logs in to examine another table ... what the built in membership FUD uses). ... to login with their old details. ... from the old database into the new one. ...
(microsoft.public.dotnet.framework.aspnet)
session hijacking
... We have a site that runs a kind of membership section. ... When a person logs in we have his username + 3 variables in session, ...
(php.general)
Re: win2k group membership cache?
... the user gets a new TGT or logs back on. ... easily get real time group membership changes. ... Can I force a flush of this cache? ...
(microsoft.public.win2000.security)
Re: Is every user a member of Users?
... As Herb indicated Users is a group. ... over the membership in which one has no control. ... >>composed of groupA and groupD only is highly useful, where groupA, B, ... >>long list of users in groupX and groupY is error prone. ...
(microsoft.public.win2000.security)