When you configure Windows Server 2003 domain controllers to cache universal group membership, it may take up to 8 hours for a user's newly added global group membership to be recognized.
To resolve this issue, you can modify the registry so that the cache is updated more often than every eight hours, or you can use LDP.EXE to update the cache.
To configure the cache update frequency:
On every domain controller that caches group membership, run:CacheFreq Minutes NumbUsers
where:
Minutes is the number of minutes between cached membership updates. The default is 480.
NumbUsers is the number of users to update. The default is 500.
NOTE: CacheFreq.bat uses Numeric.bat.
CacheFreq.bat contains:
@echo off
setlocal
if \{%2\}==\{\} goto syntax
set min=%1
set num=%2
call numeric %min% ans
if "%ans%" EQU "N" goto syntax
call numeric %num% ans
if "%ans%" EQU "N" goto syntax
if "%min:~0,1%" EQU "0" goto syntax
if "%num:~0,1%" EQU "0" goto syntax
set key=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
@echo REG ADD %key% /V "Cached Membership Refresh Interval" /T REG_DWORD /D %min% /F
REG ADD %key% /V "Cached Membership Refresh Interval" /T REG_DWORD /D %min% /F
@echo REG ADD %key% /V "Cached Membership Refresh Limit" /T REG_DWORD /D %num% /F
REG ADD %key% /V "Cached Membership Refresh Limit" /T REG_DWORD /D %num% /F
endlocal
goto :EOF
:syntax
@echo Syntax: CacheFreq Minutes NumbUsers
endlocal
Manually update the group membership cache
01. On the user's %LOGONSERVER%, open a CMD.EXE window.02. Type ldp and press Enter.
03. Press Connect on the Connections menu.
04. Type the name of the user's %LOGONSERVER% into the Server box and press OK.
05. Press Bind on the Connections menu.
06. Type Administrator into the User box.
07. In the Password box, type the password and press OK.
08. On the Browse menu, press Modify. 09. Type updatecachedmemberships into the Attribute box.
10. Type 1 into the Value box and press Enter.
11. Check the Extended box and press Run.
