When Universal Group caching is enabled, a user's Universal Group membership is stored
in their msDS-Cached-Membership attribute, along with the current time (msDS-Cached-Membership-Time-Stamp) and
logon site (msDS-Site-Affinity). The msDS-Site-Affinity is replicated to the other domain controllers.
When a user logs on again, the Universal Group SIDs are read from their msDS-Cached-Membership attributed, if
their msDS-Cached-Membership-Time-Stamp is within the Cached Membership Staleness (minutes),
a REG_DWORD data type, at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which defaults to 7 days.
See Universal Group caching for modifying the default 8 hours between cached membership updates, and the default 500 user per update limit.
If the cached membership is stale, a global catalogue is accessed to update the msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes.