JSI Tip 9461. Where is cached Universal Group membership information stored?


When Universal Group caching is enabled, a user's Universal Group membership is stored in their msDS-Cached-Membership attribute, along with the current time (msDS-Cached-Membership-Time-Stamp) and logon site (msDS-Site-Affinity). The msDS-Site-Affinity is replicated to the other domain controllers. When a user logs on again, the Universal Group SIDs are read from their msDS-Cached-Membership attributed, if their msDS-Cached-Membership-Time-Stamp is within the Cached Membership Staleness (minutes), a REG_DWORD data type, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which defaults to 7 days.

See Universal Group caching for modifying the default 8 hours between cached membership updates, and the default 500 user per update limit.

If the cached membership is stale, a global catalogue is accessed to update the msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish