Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

When you add a user to a global group in Microsoft Windows Server 2003, the user's membership is not recognized immediately



Summary

A user's group membership may not be recognized for up to eight hours after the user is added to a global group. This behavior occurs when Windows Server 2003 is configured to cache universal and global groups. By default, this cache is updated every eight hours.

To resolve this problem, you can use the Ldp.exe utility to manually update the cache. You can also modify the registry so that the cache is updated more frequently. To work around this problem, you can also turn off the universal group membership caching feature.


Symptoms

When you add a user to a global group in Microsoft Windows Server 2003, the user's group membership is not recognized immediately. Additionally, the global group is not listed when the user logs on and types whoami /all at a command prompt. However, the user's group membership is recognized after eight hours.


Cause

This behavior occurs if you have turned on the universal group membership caching feature in Windows Server 2003. This feature caches universal groups and global groups. By default, the group membership cache is updated every eight hours.


Resolution



To resolve this behavior, use one of the following methods:
  • Manually update the group membership cache by using the Ldp.exe utility.
  • Modify the registry so that the group membership cache is updated more frequently.

Method 1: Manually updating the group membership cache

To update the cache, follow these steps:
  1. On the domain controller where the user has logged on, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type ldp, and then press ENTER.
  3. On the Connections menu, click Connect.
  4. In the Server box, type the name of your server, and then click OK.
  5. On the Connections menu, click Bind.
  6. In the User box, type Administrator.
  7. In the Password box, type the password, and then click OK.
  8. On the Browse menu, click Modify.
  9. In the Attribute box, type updatecachedmemberships.
  10. In the Value box, type 1, and then click Enter.
  11. Click to select the Extended check box, and then click Run.

Method 2: Modifying the registry

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To configure the group membership cache to update every 60 minutes and to set the number of users whose group membership cache is updated, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Expand the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the right pane, right-click Cached Membership Refresh Interval, and then click Modify.
  4. In the Value data box, type 60, and then click OK.
  5. Right-click Cached Membership Refresh Limit, and then click Modify.
  6. In the Value data box, type a new value, and then click OK.

    Note By default, the number of users whose cache is updated is 500.
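
Methods 1 and 2 as a single PowerShell script, added here as an example and not part of the Microsoft article. The key path, value names, and the updatecachedmemberships attribute come from the steps above; the REG_DWORD type, the rootDSE target, and the parameter names are assumptions of this example.

```powershell
# Added example, not Microsoft's code. Run elevated on the domain controller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateRange(1, [int]::MaxValue)] [int] $IntervalMinutes = 60,  # article's example value
    [ValidateRange(1, [int]::MaxValue)] [int] $RefreshLimit = 500,    # article's stated default
    [string] $Server = 'localhost',  # hypothetical default: the DC whose cache is refreshed
    [switch] $RefreshNow             # also perform the Method 1 write
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (-not (Test-Path $key)) { throw "$key not found. Is this host a domain controller?" }

# Value names exactly as written in this article.
$wanted = [ordered]@{
    'Cached Membership Refresh Interval' = $IntervalMinutes
    'Cached Membership Refresh Limit'    = $RefreshLimit
}

foreach ($name in $wanted.Keys) {
    # A missing value means the default applies (eight hours / 500 users per the article).
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $shown = if ($null -eq $current) { '<not set, default applies>' } else { $current }
    Write-Output ("{0}: current={1} target={2}" -f $name, $shown, $wanted[$name])

    if ($current -ne $wanted[$name] -and
        $PSCmdlet.ShouldProcess($name, "set to $($wanted[$name])")) {
        # Assumption: both values are REG_DWORD.
        New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

if ($RefreshNow -and $PSCmdlet.ShouldProcess($Server, 'write updateCachedMemberships=1')) {
    # Same modify as the Ldp.exe steps; assumption: the target is the server's rootDSE
    # (the Ldp steps give no DN).
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('updateCachedMemberships', 1)
    $rootDse.SetInfo()
    Write-Output "Cache refresh requested on $Server."
}
```

Run it with -WhatIf first to see the current values and the pending changes without writing anything.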


Workaround

To work around this behavior, follow these steps to turn off universal group membership caching:
  1. Start Active Directory Sites and Services.
  2. In the console tree, double-click Sites, and then double-click Your_Site_Name.
  3. In the details pane, right-click NTDS Site Settings, and then click Properties.
  4. Click to clear the Enable Universal Group Membership Caching check box.
  5. Click OK.


Keywords: KB871159, kbtshoot

Article Info
Article ID : 871159
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False