Re: Group membership changes not taking effect

From: "Rick Kingslan [MVP 2000/NT]" <>
Date: Wed, 29 Jan 2003 11:39:29 -0600


Group membership is written to the security token - which is created at
logon. The token cannot be dynamically updated (otherwise the security
implications would be huge with a dynamically updated token), hence the
requirement that a user who has their group membership updated MUST log off
and log back in so that the new group SID can be written to the new token.

If a user who is logged on is made a member of GroupA, that user's token has
no idea that the user is a member of GroupA because the SID for GroupA is
not on the token. Logging off and then logging back in will write the new SID
to the token.

I can't speak as to how earlier versions might have acted
in your environment, but IIRC, this is consistent behavior across all versions
of NT.

Hope this helps...

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Windows 2000/NT
"brad" <> wrote in message
> Hi,
> I'm using Win2k sp 2 w/Active Directory.
> I'm adding & removing users from groups, but the resulting access changes
> to files on the server do not seem to take effect until the user logs off and
> logs on again.
> I've been using WinNT since 3.1 and I've never had the effects of group
> membership changes wait until the user logs on again.
> Is this something new to Win2k, and is there a way to make changes
> immediately?
> Thanks,
> Brad
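
An added example, not part of the original posts: a PowerShell check that compares the group SIDs in the current logon token with the group SIDs the directory computes for the same user right now, which makes the logon-time snapshot described above visible. It assumes a domain user on a domain-joined machine that can reach a domain controller, and it only compares SIDs issued by the user's own domain.

```powershell
# Added example: compare the logon token's group SIDs with the directory's current view.
# Assumptions: domain account, domain-joined machine, a domain controller is reachable.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($null -eq $identity.User.AccountDomainSid) {
    throw "Current user is not a domain account; there is no directory view to compare."
}

# Group SIDs written into the token when this session logged on.
# (.Groups omits groups that are deny-only in a filtered, non-elevated token.)
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# tokenGroups is a constructed attribute: the DC computes it at query time,
# so it reflects group membership as it stands now, not as of logon.
$user = [ADSI]"LDAP://<SID=$($identity.User.Value)>"
$user.psbase.RefreshCache(@('tokenGroups'))
$directorySids = @($user.psbase.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})

# Restrict both sides to SIDs from the user's domain; well-known and
# machine-local SIDs appear only in the token and would be noise here.
$prefix  = $identity.User.AccountDomainSid.Value + '-'
$inToken = @($tokenSids     | Where-Object { $_.StartsWith($prefix) })
$inDir   = @($directorySids | Where-Object { $_.StartsWith($prefix) })

function Resolve-SidName([string]$Sid) {
    # Best-effort name lookup; fall back to the raw SID if it cannot be resolved.
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Added in the directory since logon: not usable until the next logon.
$pending = @($inDir | Where-Object { $inToken -notcontains $_ })
# Removed in the directory since logon: still honored by this session's token.
$stale = @($inToken | Where-Object { $inDir -notcontains $_ })

"Groups granted in the directory but missing from this token:"
$pending | ForEach-Object { "  + " + (Resolve-SidName $_) }
"Groups still in this token but no longer in the directory:"
$stale | ForEach-Object { "  - " + (Resolve-SidName $_) }
if (-not $pending -and -not $stale) { "Token and directory agree." }
```

The second list is the one to watch after removing someone from a group: that session keeps the old SID until the user logs off.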