Re: Delay for nested security group membership?



Here is some more information and hopefully I can do a better job explaining
my question.
We have 5 sites. Our corporate office is considered our main site; it has the
domain controllers where we make AD changes. The replication interval is set
for 15 minutes between each of our 5 sites.
I have security group A and put the Domain Users group into security group
A. How long does it take AD to recognize this nested group membership?



"Richard Mueller [MVP]" wrote:


"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:eEFzPoDPIHA.5264@xxxxxxxxxxxxxxxxxxxxxxx

"shasta" <shawn.monighan@xxxxxxxxxxxxx> wrote in message
news:F1094D34-EF3B-41C5-819F-BF2D458959B9@xxxxxxxxxxxxxxxx
I am trying to find out the amount of time it takes for nested group
membership to take effect. Meaning if I put a security group within another
group, how long does it take AD to recognize this change? Kinda like if I
put a user in a security group, the user has to logout and then login to
push the recognition of this membership.

When a user authenticates the DC gives them a token with the objectSid of
all groups the user belongs to, including the "primary" group of the user
and all groups the user is a member of due to group nesting (in the
domain). If the user is added to a group while they are logged on, their
token is not modified. They must logoff and logon again so the new token
reflects the new membership. Whenever the user attempts to access a
resource, the token can be checked to see if it includes a trustee that
has permission for the resource.

If the permissions of a group are modified, that should be reflected
immediately. If changing membership requires changes in the token, the
user must logoff and logon.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


And as Jorge points out, when the user logs out and logs back in, the DC
that authenticates the user must know about any changes in group membership.
There can be a delay until the changes replicate. This depends on network
topology, but should not be more than about 15 minutes, unless there are
slow links.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
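The two delays Richard describes can be checked separately: whether each DC has already received the nested membership (replication), and whether the current logon session's token was built before or after the change. The PowerShell below is an added example, not code from the thread or from the poster; it assumes the ActiveDirectory RSAT module is installed, and the group and user names are placeholders. It reads the tokenGroups attribute, which the answering DC constructs at query time from nested membership and the user's primary group (so a path through Domain Users as the primary group is covered, unlike a plain memberOf lookup), and then compares that with the SIDs in the running session's token from `whoami /groups`.

```powershell
# Added example: is the nested membership known on every DC, and does the
# current logon token already carry it?  Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$groupName = 'Security Group A'   # placeholder for the group in the question
$userName  = 'jdoe'               # placeholder sAMAccountName of a Domain Users member

$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
$userDn   = (Get-ADUser  -Identity $userName).DistinguishedName

foreach ($dc in Get-ADDomainController -Filter *) {
    # tokenGroups is computed by the DC that answers, so asking each DC in turn
    # shows whether the membership change has replicated to that DC yet.
    $entry = [ADSI]"LDAP://$($dc.HostName)/$userDn"
    $entry.RefreshCache(@('tokenGroups'))
    $sidsOnDc = foreach ($raw in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
    $state = if ($sidsOnDc -contains $groupSid) { 'sees nested membership' }
             else { 'does NOT see it yet (replication pending)' }
    '{0,-35} {1}' -f $dc.HostName, $state
}

# The token of the session running this script was built at logon time.
# Run it as the affected user: if the DCs know the membership but the token
# does not contain it, the user must log off and on to get a new token.
$tokenSids = whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty SID
if ($tokenSids -contains $groupSid) {
    "Current logon token already contains $groupName"
} else {
    "Current logon token was built before the change; logoff/logon required for $groupName"
}
```

The first loop answers "how long until AD recognizes it": as soon as every DC prints "sees nested membership", replication is done, and with the 15-minute site-link interval in the question that is the upper bound to expect. The last check is the part replication cannot fix: a token issued earlier stays as it was until the next logon.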





