Skip navigation

Where is cached Universal Group information stored?

A. When Universal Group caching is enabled, the user's Universal Group membership is stored in the msDS-Cached-Membership attribute of the user's account, and the current time is written to the msDS-Cached-Membership-Time-Stamp value along with msDS-Site-Affinity to identify the user's logon site the first time he or she logs on. Only the msDS-Site-Affinity attribute is replicated between domain controllers (DCs); the timestamp and list of group SIDs aren't replicated and are stored only on the authenticating DC. The next time the user logs on, the system reads the SIDs from the msDS-Cached-Membership attribute instead of consulting a Global Catalog (GC), assuming the msDS-Cached-Membership-Time-Stamp is within the staleness time period (7 days by default). If the cached membership information is stale, the system consults a GC for Universal Group membership information and updates the msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes. The cached information is updated every 8 hours by default, and as many as 500 accounts will refresh in each refresh cycle. To modify the default values associated with cached Universal Groups, perform these steps:

  1. Start the registry editor (regedit.exe).
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ registry subkey.
  3. From the Edit menu, select New - DWORD Value and enter the name of one of the values in TABLE 3. Press Enter. Double-click the new value and set it to the desired value. Click OK.
  4. Close the registry editor.
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.