When you add a user to a global group in Microsoft Windows Server 2003, the user's membership is not recognized immediately


Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

Summary


A user's group membership may not be recognized for up to eight hours after the user is added to a global group. This behavior occurs when Windows Server 2003 is configured to cache universal and global groups. By default, this cache is updated every eight hours.

To resolve this problem, you can use the Ldp.exe utility to manually update the cache. You can also modify the registry so that the cache is updated more frequently. To work around this problem, you can also turn off the universal group membership caching feature.

Symptoms


When you add a user to a global group in Microsoft Windows Server 2003, the user's group membership is not recognized immediately. Additionally, the global group is not listed when the user logs on and types whoami /all at a command prompt. However, the user's group membership is recognized after eight hours.

Cause


This behavior occurs if you have turned on the universal group membership caching feature in Windows Server 2003. This feature caches universal groups and global groups. By default, the group membership cache is updated every eight hours.

Resolution




To resolve this behavior, use one of the following methods:
  • Manually update the group membership cache by using the Ldp.exe utility.
  • Modify the registry so that the group membership cache is updated more frequently.

Method 1: Manually updating the group membership cache

To update the cache, follow these steps:
  1. On the domain controller that the user logged on to (each caching domain controller refreshes its own copy of the cache), click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type ldp, and then press ENTER.
  3. On the Connections menu, click Connect.
  4. In the Server box, type the name of your server, and then click OK.
  5. On the Connections menu, click Bind.
  6. In the User box, type Administrator (or another account that is a member of Domain Admins).
  7. In the Password box, type the password, and then click OK.
  8. On the Browse menu, click Modify.
  9. Leave the Dn box empty. The operation targets the rootDSE of the domain controller, not a directory object.
  10. In the Attribute box, type updatecachedmemberships.
  11. In the Value box, type 1, leave the operation set to Add, and then click Enter so that the entry appears in the Entry List.
  12. Click to select the Extended check box, and then click Run. The refresh runs in the background on the domain controller; the user's membership is recognized after the next logon.
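The same rootDSE write can be scripted, which is useful when several users are affected or when you want proof that the refresh happened. The following PowerShell example is added here and is not part of the Knowledge Base article; it uses ADSI so that it works against a Windows Server 2003 domain controller from any domain-joined administrative workstation. It writes updateCachedMemberships to the rootDSE exactly as the Ldp.exe steps above do, then compares the user's msDS-Cached-Membership-Time-Stamp attribute before and after. The domain controller name, the user name and the 30-second wait are assumptions.

```powershell
# Added example, not code from the Knowledge Base article.
# Assumptions: $Dc is the caching domain controller that authenticated the user,
# $User is the affected account's sAMAccountName. Run as a Domain Admin.
$Dc   = 'dc01.corp.example.com'
$User = 'jdoe'

function Get-CachedMembershipTimestamp {
    param([string]$Server, [string]$SamAccountName)
    # Bind to the specific DC: each caching DC keeps its own cache for the user.
    $root     = [ADSI]"LDAP://$Server/RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$($root.defaultNamingContext)"
    $searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-Cached-Membership-Time-Stamp')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$SamAccountName' was not found on $Server" }
    # The attribute is absent until the DC has cached this user's memberships once.
    if ($result.Properties['msds-cached-membership-time-stamp'].Count -eq 0) { return $null }
    return [string]$result.Properties['msds-cached-membership-time-stamp'][0]
}

function Invoke-CachedMembershipRefresh {
    param([string]$Server)
    # Equivalent of Ldp: Modify, empty DN, attribute updateCachedMemberships = 1,
    # operation Add, Extended check box selected.
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $root.Put('updateCachedMemberships', 1)
    $root.SetInfo()
}

$before = Get-CachedMembershipTimestamp -Server $Dc -SamAccountName $User
Invoke-CachedMembershipRefresh -Server $Dc
Start-Sleep -Seconds 30   # assumption: the DC finishes the background refresh within 30 s
$after  = Get-CachedMembershipTimestamp -Server $Dc -SamAccountName $User

"Cache timestamp before: $before"
"Cache timestamp after:  $after"
if ($before -eq $after) {
    Write-Warning "Timestamp did not change on $Dc. Check that caching is enabled for this site and that $Dc is the DC that authenticated $User."
}
```

The timestamp only moves on the domain controller whose cache was refreshed, so binding serverlessly (LDAP://RootDSE without a host) would hide the result if the client happened to pick a different domain controller. The user still has to log on again for the refreshed membership to appear in whoami /all.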

Method 2: Modifying the registry

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To configure the group membership cache to update every 60 minutes and to set the number of users whose group membership cache is updated, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Expand the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the right pane, right-click Cached Membership Refresh Interval, and then click Modify. If the value does not exist, create it as a DWORD value with that name. The value is the number of minutes between refreshes; the default eight-hour interval corresponds to 480.
  4. In the Value data box, type 60 (decimal), and then click OK.
  5. Right-click Cached Membership Refresh Limit, and then click Modify. If the value does not exist, create it as a DWORD value with that name.
  6. In the Value data box, type a new value, and then click OK.

    Note By default, the number of users whose cache is updated in one refresh pass is 500. Raising the interval frequency without raising the limit means that, in a site with more cached users than the limit, some users still wait for a later pass.
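Because the two values may not exist before you set them, and because the KB warning above asks for a backup first, the change is easier to get right from PowerShell than by hand. The following example is added here and is not part of the Knowledge Base article; it exports the NTDS\Parameters key as a backup, creates or overwrites both values as DWORDs, and reads them back so that a missing value (which means the built-in default is in effect) is visible. The 60-minute interval and 500-user limit are the values discussed above; run it elevated on the domain controller.

```powershell
# Added example, not code from the Knowledge Base article.
# Run in an elevated PowerShell session on the domain controller whose cache
# refresh you want to tune. The values passed at the bottom are assumptions.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Backup-NtdsParameters {
    param([string]$Path = "$env:TEMP\ntds-parameters-backup.reg")
    # reg.exe export is the scriptable form of "File > Export" in Registry Editor.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $Path failed; not changing anything." }
    return $Path
}

function Set-CachedMembershipRefresh {
    param(
        [ValidateScript({ $_ -gt 0 })][int]$IntervalMinutes = 60,   # 480 = 8-hour default
        [ValidateScript({ $_ -gt 0 })][int]$Limit = 500             # users refreshed per pass
    )
    # -Force creates a missing value and overwrites an existing one; DWord is the
    # type Registry Editor's "Modify" dialog shows for these values.
    New-ItemProperty -Path $NtdsParams -Name 'Cached Membership Refresh Interval' `
        -PropertyType DWord -Value $IntervalMinutes -Force | Out-Null
    New-ItemProperty -Path $NtdsParams -Name 'Cached Membership Refresh Limit' `
        -PropertyType DWord -Value $Limit -Force | Out-Null
}

function Get-CachedMembershipRefresh {
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        IntervalMinutes = $p.'Cached Membership Refresh Interval'   # $null: 8-hour default in effect
        Limit           = $p.'Cached Membership Refresh Limit'      # $null: 500 in effect
    }
}

"Current settings (null means the built-in default):"
Get-CachedMembershipRefresh
$backup = Backup-NtdsParameters
"Backup written to $backup"
Set-CachedMembershipRefresh -IntervalMinutes 60 -Limit 500
"Settings after change:"
Get-CachedMembershipRefresh
```

To revert, double-click the exported .reg file or run reg import on it; because the export only contains values that existed at export time, a value that was absent before is restored by deleting it (Remove-ItemProperty) rather than by importing.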

Workaround


To work around this behavior, turn off universal group membership caching for the site. Note that the feature is typically enabled in sites that have no global catalog server; after you turn it off, domain controllers in that site must be able to reach a global catalog server to process user logons. To turn off universal group membership caching, follow these steps:
  1. Start Active Directory Sites and Services.
  2. In the console tree, double-click Sites, and then double-click Your_Site_Name.
  3. In the details pane, right-click NTDS Site Settings, and then click Properties.
  4. Click to clear the Enable Universal Group Membership Caching check box.
  5. Click OK.
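The check box in Active Directory Sites and Services sets or clears one bit of the options attribute on the site's NTDS Site Settings object (0x20, named NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in the Active Directory technical specification). The following PowerShell example is added here and is not part of the Knowledge Base article; it lists every site in the forest with the caching state and the site the cache is refreshed from (msDS-Preferred-GC-Site), which is the quickest way to confirm which sites are subject to the eight-hour delay, and it clears the bit for one site, which is what step 4 above does. It uses ADSI with a serverless bind, so it must run on a domain-joined machine as a user allowed to modify the Configuration partition (Enterprise Admins by default). The site name passed at the bottom is an assumption.

```powershell
# Added example, not code from the Knowledge Base article.
# Bit 0x20 of the options attribute on CN=NTDS Site Settings is the
# "Enable Universal Group Membership Caching" check box.
$GroupCachingBit = 0x20

function Get-UgmcSiteStatus {
    $root     = [ADSI]'LDAP://RootDSE'
    $sites    = [ADSI]"LDAP://CN=Sites,$($root.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $searcher.Filter = '(objectClass=nTDSSiteSettings)'
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'options', 'msDS-Preferred-GC-Site'))
    foreach ($r in $searcher.FindAll()) {
        $opts = 0
        if ($r.Properties['options'].Count -gt 0) { $opts = [int]$r.Properties['options'][0] }
        $dn = [string]$r.Properties['distinguishedname'][0]
        $refreshFrom = '(nearest site)'
        if ($r.Properties['msds-preferred-gc-site'].Count -gt 0) {
            $refreshFrom = [string]$r.Properties['msds-preferred-gc-site'][0]
        }
        [pscustomobject]@{
            # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,...; element 1 is the site RDN.
            Site            = (($dn -split ',')[1] -replace '^CN=', '')
            CachingEnabled  = [bool]($opts -band $GroupCachingBit)
            RefreshFromSite = $refreshFrom
            Options         = ('0x{0:X}' -f $opts)
        }
    }
}

function Disable-UgmcForSite {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    $root     = [ADSI]'LDAP://RootDSE'
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$($root.configurationNamingContext)"
    $opts = [int]$settings.options   # $null (attribute absent) casts to 0
    if (-not ($opts -band $GroupCachingBit)) {
        "Universal group membership caching is already off for site $SiteName."
        return
    }
    # Clear only the caching bit; leave the KCC-related bits in options untouched.
    $settings.Put('options', ($opts -band (-bnot $GroupCachingBit)))
    $settings.SetInfo()
    "Cleared caching bit for site $SiteName (options now 0x{0:X})." -f ($opts -band (-bnot $GroupCachingBit))
}

Get-UgmcSiteStatus | Format-Table Site, CachingEnabled, RefreshFromSite, Options -AutoSize
# Disable-UgmcForSite -SiteName 'BranchOffice'   # assumed site name; uncomment to apply the workaround
```

The audit is safe to run anywhere; only Disable-UgmcForSite writes to the directory. Because the change lives in the Configuration partition, it reaches the site's domain controllers through normal replication rather than immediately, so verify on a domain controller in that site before assuming logons no longer use the cache.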