Re: Group membership changes not taking effect

From: Rick Kingslan [MVP 2000/NT] (rkingsla.cox.net@127.0.0.1)
Date: 01/29/03


From: "Rick Kingslan [MVP 2000/NT]" <rkingsla.cox.net@127.0.0.1>
Date: Wed, 29 Jan 2003 11:39:29 -0600


Brad,

Group membership is written to the security token - which is created at
logon. The token cannot be dynamically updated (otherwise the security
implications would be huge with a dynamically updated token), hence the
requirement that a user who has their group membership updated MUST log off
and log back in so that the new group SID can be written to the new token.

If a user who is logged on is made a member of GroupA, that user's token has
no idea that the user is a member of GroupA because the SID for GroupA is
not on the token. Logging off and then logging back in will write the new SID
to the token.

I can't speak as to how earlier versions might have acted in your
environment, but IIRC, this is consistent behavior across all versions
of NT.

Hope this helps...

--
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Windows 2000/NT
"brad" <bradl@nospammering.costbook.com> wrote in message
news:ugkZBW7xCHA.2604@TK2MSFTNGP12...
> Hi,
>
> I'm using Win2k sp 2 w/Active Directory.
>
> I'm adding & removing users from groups, but the resulting access changes
> to files on the server do not seem to take effect until the user logs off
> and logs on again.
>
> I've been using WinNT since 3.1 and I've never had the effects of group
> membership changes wait until the user logs on again.
>
> Is this something new to Win2k, and is there a way to make changes
> effective immediately?
>
> Thanks,
> Brad
>
>
>
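The following is an added example, not part of the original post or thread. It makes the behavior described in the reply visible by comparing the group SIDs held in the current logon's token with the SIDs the directory reports for the same user right now. It assumes a domain-joined machine, a domain user session and a reachable domain controller; the helper names `Select-DomainSid` and `Resolve-SidName` are hypothetical.

```powershell
# Added example: read-only comparison of token group SIDs vs. directory group SIDs.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid
if (-not $domainSid) { throw 'Run this as a domain user, not a local account.' }

function Select-DomainSid($sids) {
    # Keep only SIDs issued by the user's own domain. Well-known and
    # machine-local SIDs are not part of tokenGroups and would be noise.
    @($sids | Where-Object { "$($_.AccountDomainSid)" -eq "$domainSid" } |
        ForEach-Object { $_.Value })
}

function Resolve-SidName($sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }
}

# 1. Group SIDs in this process's token: fixed when the logon session was created.
$tokenSids = Select-DomainSid $identity.Groups

# 2. Group SIDs the directory computes now. tokenGroups is a constructed
#    attribute, so it has to be requested explicitly.
$user = [adsi]"LDAP://<SID=$($identity.User.Value)>"
$user.psbase.RefreshCache(@('tokenGroups'))
$dirSids = Select-DomainSid ($user.psbase.Properties['tokenGroups'] | ForEach-Object {
    New-Object System.Security.Principal.SecurityIdentifier($_, 0) })

# 3. Report the differences in both directions.
$report = @()
foreach ($sid in $tokenSids) {
    if ($dirSids -notcontains $sid) {
        $report += [pscustomobject]@{ Sid = $sid; Name = Resolve-SidName $sid
            State = 'In token only: removed in directory, still honored until logoff' }
    }
}
foreach ($sid in $dirSids) {
    if ($tokenSids -notcontains $sid) {
        $report += [pscustomobject]@{ Sid = $sid; Name = Resolve-SidName $sid
            State = 'In directory only: added since logon, not yet in token' }
    }
}

if ($report.Count -eq 0) { 'Token and directory group SIDs match.' }
else { $report | Format-Table -AutoSize -Wrap }
```

Groups from other domains are left out of the comparison by the domain-SID filter. A "token only" row is the case to watch when revoking access: the removal does not bind that session until the user logs off.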