#1
Easiest way to refresh AD permission cache without logoff / logon

We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

#2
Re: Easiest way to refresh AD permission cache without logoff / logon

Hello rilecode@gmail.com,

You can run gpupdate /force on the client machines, but still some settings/configurations need at least a logoff/logon or sometimes a reboot.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

#3
Re: Easiest way to refresh AD permission cache without logoff / logon

Howdie!

rilecode@gmail.com wrote:
> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

That's got nothing to do with something like an AD cache, but rather with the permissions that go with the user. When a user logs on, she receives a PAC package that contains all her SIDs (security identifiers), including the SIDs of the security groups she is a member of. When accessing resources on the network, her SIDs get evaluated against the SIDs that are configured on the resources (like file shares or web services). The reason why a logoff/logon is required is that the PAC package with the SIDs is only refreshed at this time.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

#4
Re: Easiest way to refresh AD permission cache without logoff / logon

rilecode@gmail.com wrote:
> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

If it's NTFS permissions or group membership changes, etc., no - the user needs to log out/in. This isn't something you should have to do often anyway. I'm curious as to why you need to do it regularly.

If you have a share with subfolders with different permissions, move away from that model - break out the subfolders into separate shares at the same level in the folder tree. Secure them with AD security groups. Any shared folder should have the same permissions all the way down the tree. Otherwise it's a pain in the ___ to manage.

#5
Re: Easiest way to refresh AD permission cache without logoff / lo

Can you elaborate when you say updating permissions?

If you are modifying an ACL, then you should not have to wait for anything to refresh.

If you are changing group membership, then you must have the user log off and log back on (this is required to modify the group membership in the user's token, which is generated during logon).

If you are modifying Group Policy Objects, then Meinolf's suggestion will work.

--
JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/

"Meinolf Weber" wrote:
> Hello rilecode@gmail.com,
>
> You can run gpupdate /force on the client machines, but still some settings/configurations need at least a logoff/logon or sometimes a reboot.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

#6
Re: Easiest way to refresh AD permission cache without logoff / logon

On Nov 17, 10:43 am, rilec...@gmail.com wrote:
> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

Thanks for the replies. We do run a tight ship on limiting the number of shares, and yes I catch heck as to why I won't set special permissions on a folder buried multiple levels down.

I believe both share and NTFS permissions are refreshed periodically, I have read the default is 2 hours, but I can't confirm the actual time. I do know that if you wait for a while the folder will become accessible to the user without logoff / logon, so there must be a stored cache, that you would think, could be refreshed in the same manner the GPOs can be refreshed.

This is just a recurring complaint, that users don't want to close out all of their running applications, just to gain access to a folder they were not previously privy to.

#7
Re: Easiest way to refresh AD permission cache without logoff / logon

rilecode@gmail.com wrote:
> On Nov 17, 10:43 am, rilec...@gmail.com wrote:
>> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??
>
> Thanks for the replies. We do run a tight ship on limiting the number of shares, and yes I catch heck as to why I won't set special permissions on a folder buried multiple levels down.

Good for you :-)

> I believe both share and NTFS permissions are refreshed periodically, I have read the default is 2 hours, but I can't confirm the actual time. I do know that if you wait for a while the folder will become accessible to the user without logoff / logon, so there must be a stored cache, that you would think, could be refreshed in the same manner the GPOs can be refreshed.
>
> This is just a recurring complaint, that users don't want to close out all of their running applications, just to gain access to a folder they were not previously privy to.

I know for sure that if the security is set via group membership, there's no alternative. If they want the access, well, they need to log out and back in. Guess it's up to them how badly they want it, right?

#8
Re: Easiest way to refresh AD permission cache without logoff / logon

Hi

Change of permissions doesn't need logoff / logon for the user, however security group membership is a different story since the tokens are received at logon.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<rilecode@gmail.com> wrote in message news:18f07cc3-cf5b-46de-bef7-07687a288759@s9g2000prm.googlegroups.com...
> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??

#9
Re: Easiest way to refresh AD permission cache without logoff / logon

nope

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

<rilecode@gmail.com> wrote in message news:18f07cc3-cf5b-46de-bef7-07687a288759@s9g2000prm.googlegroups.com...
> We are constantly updating AD permissions to give this user or that user new permissions, is there a way to access their new permissions without logoff / logon, or waiting for the cache to refresh? There must be a simple cmd that will refresh AD cache, but I couldn't find it??
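
The replies in this thread distinguish ACL changes (effective at once) from group membership changes (carried in the token built at logon). The following PowerShell is an added example, not code from any poster: it compares the group SIDs in the current logon token with the tokenGroups attribute Active Directory computes now, so an administrator can see whether a membership change is the reason access has not changed. The function names are hypothetical, and it assumes a domain-joined machine, a domain user session and a reachable domain controller.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumes: domain-joined machine, domain user session, reachable domain controller.

function Get-TokenGroupSid {
    # Group SIDs in the access token of this logon session (fixed at logon).
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { $_.Value }
}

function Get-DirectoryGroupSid {
    # Group SIDs the directory computes now, read from the constructed
    # tokenGroups attribute of the current user's AD object.
    $userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$userSid>")
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }
}

function Compare-TokenToDirectory {
    # Compare only SIDs issued by the user's own domain; well-known and local
    # SIDs (Everyone, INTERACTIVE, local groups) exist only in the token.
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $prefix = $user.AccountDomainSid.Value + '-*'
    $token = @(Get-TokenGroupSid | Where-Object { $_ -like $prefix })
    $directory = @(Get-DirectoryGroupSid | Where-Object { $_ -like $prefix })

    foreach ($sid in @($directory | Where-Object { $token -notcontains $_ })) {
        [pscustomobject]@{ Sid = $sid; Name = Resolve-SidName $sid
                           State = 'In AD, not in token: applies after next logon' }
    }
    foreach ($sid in @($token | Where-Object { $directory -notcontains $_ })) {
        [pscustomobject]@{ Sid = $sid; Name = Resolve-SidName $sid
                           State = 'In token, not in AD: still held by this session' }
    }
}

Compare-TokenToDirectory | Format-Table -AutoSize
```

An empty result means the token already matches the directory, so a remaining access problem lies in the ACL on the resource rather than in group membership.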