Article ID: 946358 - View products that this article applies to.
Consider the following scenario:
The local security authority (LSA) caches the mapping between the SID and the user name in a local cache on the domain member computer. The cached user name is not synchronized with domain controllers. The LSA on the domain member computer first queries the local SID cache. If an existing mapping is already in the local SID cache, the LSA returns the cached user name information instead of querying the domain controllers. This behavior is intended to improve performance.
The cache entries do time out, however chances are that recurring queries by applications keep the existing cache entry alive for the maximum lifetime of the cache entry.
To work around this issue, disable the local SID cache on the domain member computer. To do this, follow these steps:
The LSA maintains a SID cache on domain member computers. This cache stores mappings between SIDs and user names. If the SID information exists in the local cache, the LSA returns the cached user name information instead of checking whether the user name has changed.
The local SID cache helps reduce domain controller workload and network traffic. However, inconsistency may occur between the local cache and the domain controllers.
TechNet has an article that covers Sid-Name resolution approaches, including a detailed description of this cache:
For more information about the LsaLookupSidsfunction, visit the following Microsoft Web site:
Article ID: 946358 - Last Review: November 15, 2011 - Revision: 4.0